More regulation, but should Brits care? NIS, DORA, and TIBER
I attended an El Reg webinar on cybersecurity regulation this morning. Here’s a distilled insight.
BTW. If you think the cybersecurity folk are sceptical, and British cybersecurity folks are more sceptical, then how sceptical do you think El Reg-reading British cybersecurity folk are?
The webinar started off at 60,000ft, then started to come into land, and soon the Brits were sending up anti-aircraft fire with some good questions. In the end, there were 4 things we need to do whether it’s the law or not.
El Reg did a great job: the host was efficient and professional, and the presenter (SANS Principal Instructor Chris Dale) was brave to present EU regulations to El Reg-reading British cybersecurity folks!
The author assumes no responsibility or liability for any errors or omissions in the content of this site. The information contained in this site is provided on an “as is” basis with no guarantees of completeness, accuracy, usefulness or timeliness… the author does accept responsibility for the quality of the jokes/humour, but doesn’t care what you think 🙂
While the Americans still curse the British for ITIL, we Brits are now cursing the EU for ever more regulation (but where’s the innovation?).
Are these regulations legally enforceable in the UK?
Should we give a damn, or not? Well, it’s a classic… like GDPR, when one big bloc does it, then even if you are not subject to their laws or rules, the next two things tend to happen:
- If you want to do business with that bloc, you have to play by their rules.
- Your own bloc (UK) will likely create similar regulations, almost like NIS2-adjacent.
Well, it’s more complicated than that, isn’t it?
NIS2 in the UK
For example, NIS1 came into UK law on the 10th May 2018 and was transposed into UK legislation through the NIS Regulations 2018.
The NIS Regulations required in-scope entities (Operators of Essential Services (OES) and Relevant Digital Service Providers (DSPs)) to abide by the requirements set, and required an annual compliance self-assessment against the requirements of the NIS Directive, which was then submitted to the relevant Competent Authority.
In the UK, organisations are to be guided by the National Cyber Security Centre’s (NCSC) Cyber Assessment Framework (CAF), but are not required to be assessed against it. This is just the start of the rabbit hole.
DORA in the UK
More focused on financial organisations, the Digital Operational Resilience Act (DORA) is a new European framework that focuses on embedding a more robust and resilient approach to delivering digital capabilities for financial entities.
The framework shifts the focus from guaranteeing firms’ financial soundness to also ensuring they can maintain resilient operations through severe operational disruption caused by cyber security and information and communication technology (ICT) issues.
Are you a financial org?
- credit institutions,
- payment institutions,
- account information service providers,
- electronic money institutions,
- investment firms,
- insurance companies,
- crypto-asset service providers,
- exchanges and clearing houses,
- alternative fund managers,
- pension,
- credit rating agencies…
DORA applies to more than 22,000 financial entities and ICT service providers operating within the EU, as well as the ICT infrastructure supporting them from outside the EU.
If you are an EU-facing UK bank, investment firm, fintech company or financial entity of more or less any kind (read a complete list of impacted business types here), or your business offers critical ICT services to EU financial entities, DORA compliance is probably going to be a top priority in 2024.
TIBER-EU in the UK
The European Central Bank defines TIBER-EU as: a European framework for threat intelligence-based ethical red-teaming. It provides comprehensive guidance on how authorities, entities, and threat intelligence and red-team providers should work together to test and improve the cyber resilience of entities by carrying out controlled cyberattacks.
In the UK, the near-equivalent from the banking authorities is CBEST from CREST.
4 practical implications of these regulations
Even if it’s not The Law, these practical techniques are pretty much basic cybersecurity practices anyway. So, even if you don’t “do it because you’re told to”, you should probably “do it because it’s the right thing”.
1. Cybersecurity training
Sometimes known as User Security Posture Management (USPM — boy, does the cybersecurity biz love acronyms!), this is the stuff to put the meatbags on the front line of defence. Stop replying to phishing emails. Stop leaving your session logged on. All that stuff.
2. Penetration testing
One of the frameworks mandates “basic” pentesting every year, and “advanced” every three years. I haven’t found a definition of “basic” or “advanced”, but who’s *not* doing pentesting? There are a bazillion ways to do this.
Might write a piece on that later…
3. Software supply chain
We know the Advanced Persistent Threat nation-state bad actors love this. But lazily ingesting third-party applications and components, especially in build processes, is a known weak link.
Companies like JFrog and their ilk have some solutions for this, but again it’s also people and their practices. I wonder how many companies have a formal “Securing the software supply chain” policy, process, and all of that?
I’ve worked on this stuff in the US with SJULTRA, looking to find some UK-brethren or sistren to do the same — is it you?
- SJULTRA’s Secure Software Supply Chain archives
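As an added illustration of the “lazy ingestion in build processes” weak link, here is a small Python example (written for this page, not code from SJULTRA, JFrog or any of the regulations). It contrasts a build step that accepts whatever a mirror serves with one that checks every fetched artifact against a hypothetical lockfile of reviewed SHA-256 digests, rejecting both tampered bytes and dependencies nobody has pinned. The artifact bytes, lockfile and file names are all constructed samples.

```python
import hashlib
import hmac

# Constructed sample artifacts: the bytes a clean mirror would serve, and a
# copy of the "same" package with extra bytes appended. Neither is real software.
GOOD_ARTIFACT = b"widget-lib 1.2.3 source tarball (constructed sample)\n"
TAMPERED_ARTIFACT = GOOD_ARTIFACT + b"(constructed: unexpected extra bytes)\n"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an artifact's bytes; this is the value pinned in the lockfile."""
    return hashlib.sha256(data).hexdigest()


# Hypothetical lockfile: artifact name -> digest recorded when the artifact was
# reviewed. In real projects this lives in version control (pip's
# --require-hashes, npm package-lock "integrity" fields, Maven checksum policy).
LOCKFILE = {
    "widget-lib-1.2.3.tar.gz": sha256_hex(GOOD_ARTIFACT),
}


class UnpinnedArtifact(Exception):
    """Artifact has no reviewed digest in the lockfile."""


class IntegrityError(Exception):
    """Artifact bytes do not match the pinned digest."""


def ingest_lazily(name: str, data: bytes) -> str:
    """'Before': the weak link. Whatever the mirror served is accepted as-is."""
    return "accepted"


def ingest_verified(name: str, data: bytes, lockfile: dict = LOCKFILE) -> str:
    """'After': refuse unknown artifacts and any whose digest differs from the pin."""
    expected = lockfile.get(name)
    if expected is None:
        raise UnpinnedArtifact(f"{name}: not in lockfile; review it and pin its hash first")
    actual = sha256_hex(data)
    # Constant-time comparison; habit more than necessity for a public digest.
    if not hmac.compare_digest(actual, expected):
        raise IntegrityError(f"{name}: expected {expected[:12]}..., got {actual[:12]}...")
    return "accepted"


def run_build(fetched: list, ingest) -> list:
    """Apply one ingestion policy to every fetched artifact; return (name, outcome) pairs."""
    outcomes = []
    for name, data in fetched:
        try:
            outcomes.append((name, ingest(name, data)))
        except (UnpinnedArtifact, IntegrityError) as err:
            outcomes.append((name, f"rejected ({type(err).__name__})"))
    return outcomes


# Constructed "download" results for one build: the pinned package, a tampered
# copy served under the same name, and a package nobody has reviewed yet.
FETCHED = [
    ("widget-lib-1.2.3.tar.gz", GOOD_ARTIFACT),
    ("widget-lib-1.2.3.tar.gz", TAMPERED_ARTIFACT),
    ("other-lib-0.1.0.tgz", b"(constructed: unreviewed dependency)\n"),
]

if __name__ == "__main__":
    for label, policy in (("lazy", ingest_lazily), ("verified", ingest_verified)):
        print(f"--- {label} ingestion ---")
        for name, outcome in run_build(FETCHED, policy):
            print(f"{outcome:30} {name}")
```

The point the two policies make is the one in the text: the lazy build accepts all three downloads, while the verified build accepts only the artifact whose bytes match a digest someone actually reviewed. Keeping the outcomes as data rather than just printing them also gives you an audit record of what each build ingested, which is handy when a regulator asks.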
4. 24-hour disclosure and 72-hour action
You gotta fess up to the authorities within 24 hours of noticing a breach, and over the next few days you need an action plan. Failure = Fines.
Where can you get help?
A lot of this stuff is high-level “consulting” and “law/regulation” stuff, and much of it from the EU. So what is a Brit to do?
People and Companies in UK
If you don’t have your own immediate network, your best bet is to search LinkedIn for one of the directives, and then filter the search to location = UK.
If you are someone who is “into” this, we’d love to hear from you and add you and/or your company to our new directory that’s going to launch in Oct.
Resources
- Cybersecurity regulation steps up with NIS2, DORA and Tiber-EU (Webinar – El Reg sponsored by SANS)
- NIS2 Compliance Guide (Netskope)
- EU Compliance – DORA (CyberArk)
- Checklist for NIS2 – NIS2 Compliance (Okta)