What Happened

The European Union Agency for Cybersecurity (ENISA) has announced a new directive aimed at closing gaps in how organizations practise cybersecurity. The Cybersecurity Program Evaluation Directive (CPED) was announced on September 15, 2023, at ENISA's annual cybersecurity event in Brussels. Under CPED, organizations within the EU must validate cybersecurity at the program level, as an integrated whole, rather than relying solely on evaluations of individual tools.

CPED responds to the growing complexity of cyber threats and to the inadequacy of tool-focused security measures on their own. It follows several high-profile breaches in which security tooling was in place but poorly integrated with the organization's overall security strategy. Public sector entities, critical infrastructure operators, and large enterprises within the EU must comply.

Technical Details

The CPED requires organizations to create and maintain a cybersecurity program and to evaluate it regularly against a set of standardized criteria. Where traditional evaluations focus on a specific tool or technology, the program-level approach assesses how effective, integrated, and adaptable the organization's cybersecurity measures are as a whole, in the organization's own operating context.

The directive specifies that organizations must perform a comprehensive assessment of their cybersecurity program at least annually. The assessment must include threat modeling and risk assessment that identify potential vulnerabilities and their consequences, carried out in line with ISO/IEC 27005, the information security risk management standard. The directive encourages the use of automated tools for recurring penetration testing, but requires that their results feed into the broader program evaluation rather than stand as assessments in their own right.

Organizations are encouraged to align their compliance efforts with existing frameworks such as the NIST Cybersecurity Framework (CSF) and the Cybersecurity Capability Maturity Model (C2M2). The CPED stipulates that assessments must be documented, and that failure to remediate identified gaps can result in non-compliance penalties.

Impact

The directive affects a large number of organizations operating within the EU, particularly those in sectors deemed essential to the functioning of society and the economy. As cyber threats grow more sophisticated, the need for a holistic approach to security has become more pressing. The directive aims to close the kind of gaps exploited in recent breaches, such as ransomware attacks on critical infrastructure.

Non-compliance could have significant consequences, including monetary fines and increased scrutiny from regulatory bodies. Organizations that fail to develop and maintain the required cybersecurity program risk not only regulatory penalties but also reputational damage and greater exposure to attack.

What To Do

  • Assess Current Cybersecurity Posture: Review existing security measures and evaluate them against program-level criteria, not just tool by tool.
  • Develop a Cybersecurity Program: Integrate existing security tools and technologies into a cohesive, organization-wide cybersecurity strategy.
  • Perform Regular Evaluations: Run threat modeling and risk assessments at least annually, as part of a continuous improvement process.
  • Align with Standards: Conduct risk management in line with ISO/IEC 27005 and map the program to frameworks such as NIST CSF and C2M2.
  • Document Everything: Keep detailed records of assessments, identified gaps, and remediation steps, as the CPED requires.

Organizations should act promptly to align their cybersecurity strategy with the directive. Integrating program-level validation into existing security practice ahead of the first required assessment reduces risk, supports compliance, and strengthens overall security posture.
