EU High-level Cyber Threat and Risk Taxonomy Overview

This comprehensive high-level taxonomy explores various risks EU policy makers have considered in their recent legislative work. Each section details associated threats, legislative requirements, and practical measures and standards to address these risks effectively.

Brief Introduction

NIS2 Directive

The NIS2 Directive aims to achieve a high common level of cybersecurity across the European Union by expanding the scope of cybersecurity rules to new sectors and entities. It mandates that essential and important entities implement appropriate technical, operational, and organizational measures to manage risks to the security of network and information systems. Additionally, it requires incident reporting to relevant national authorities and ensures continuous operation and resilience of critical infrastructures.

Digital Operational Resilience Act (DORA)

The Digital Operational Resilience Act aims to strengthen the IT security of financial entities such as banks, insurance companies, and investment firms. It sets uniform requirements for the security of network and information systems, ensuring that financial entities can withstand, respond to, and recover from ICT-related disruptions and threats. DORA mandates regular risk assessments, robust incident response plans, and compliance of third-party ICT service providers with stringent cybersecurity standards.

Critical Entities Resilience Directive (CER)

The Critical Entities Resilience Directive focuses on enhancing the resilience of critical infrastructure sectors against a range of threats, including natural hazards, terrorism, and insider threats. It requires Member States to adopt national strategies for enhancing the resilience of critical entities, conduct regular risk assessments, and implement resilience-enhancing measures. CER also mandates cooperation with national authorities and other critical entities to improve overall sector resilience.

Cyber Resilience Act (CRA)

The Cyber Resilience Act aims to safeguard consumers and businesses by ensuring that products with digital elements meet high cybersecurity standards throughout their lifecycle. It addresses the inadequate level of cybersecurity in many products and the inability of consumers to determine which products are cybersecure. CRA mandates vulnerability assessments, timely updates and patches, and harmonized rules for bringing products with digital components to market, ensuring cybersecurity throughout the product lifecycle.

General Data Protection Regulation 2 (GDPR2)

The General Data Protection Regulation 2 builds upon the original GDPR framework to further enhance the protection of personal data within the European Union. It introduces stricter data protection measures, including more stringent requirements for data processing, reporting obligations, and higher penalties for non-compliance. GDPR2 aims to ensure that personal data is processed transparently, securely, and with respect for individuals' privacy rights.


Network and Information Systems (NIS) Risks

Malware and Ransomware Attacks

Legislative Requirements:

NIS2 and DORA requirements are aimed at managing risks from malware and ransomware by enforcing technical and organizational measures and regular assessments.

  • NIS2: Implement appropriate technical and organizational measures to manage risks.
  • DORA: Conduct regular risk assessments and implement robust incident response plans.

Measures and Standards:

  • Use of anti-malware software and intrusion detection systems.
  • Regular vulnerability scanning and penetration testing.
  • Implementation of multi-factor authentication (MFA).

Phishing and Social Engineering

Legislative Requirements:

NIS2 and CER focus on resilience and operational continuity, which are critical in mitigating risks from phishing and social engineering.

  • NIS2: Ensure continuous operation and resilience of critical infrastructures.
  • CER: Develop and implement resilience-enhancing measures.

Measures and Standards:

  • Employee training and awareness programs.
  • Email filtering and anti-phishing technologies.
  • Incident response playbooks for social engineering attacks.

Denial of Service (DoS) Attacks

Legislative Requirements:

NIS2's incident reporting and DORA's third-party compliance requirements are relevant for managing DoS attacks.

  • NIS2: Report significant incidents to the relevant national authorities.
  • DORA: Ensure that third-party ICT service providers comply with stringent cybersecurity standards.

Measures and Standards:

  • Implementation of DoS mitigation services and technologies.
  • Network traffic monitoring and anomaly detection.
  • Collaboration with ISPs for traffic filtering.


Data Security Risks

Data Breaches

Legislative Requirements:

NIS2, CRA, and GDPR2 focus on data protection and security, which supports the mitigation of data breach risks.

  • NIS2: Implement appropriate and proportionate measures to protect data.
  • CRA: Ensure products with digital elements meet high cybersecurity standards throughout their lifecycle.
  • GDPR2: Ensure the protection of personal data through stringent data protection measures and reporting obligations.

Measures and Standards:

  • Encryption of sensitive data both at rest and in transit.
  • Regular security audits and compliance checks.
  • Access control and identity management systems.

Data Loss

Legislative Requirements:

CER, NIS2, and GDPR2's focus on risk assessments and incident reporting is aimed at preventing data loss.

  • CER: Conduct regular risk assessments and update resilience strategies accordingly.
  • NIS2: Develop incident reporting mechanisms.
  • GDPR2: Implement data protection measures to prevent loss of personal data.

Measures and Standards:

  • Implementation of data backup and recovery solutions.
  • Use of data loss prevention (DLP) technologies.
  • Regular testing of data recovery procedures.

Data Integrity

Legislative Requirements:

CRA, DORA, and GDPR2's requirements for vulnerability assessments and resilience testing address data integrity risks.

  • CRA: Conduct vulnerability assessments and provide timely updates and patches.
  • DORA: Regular testing of digital operational resilience.
  • GDPR2: Ensure the accuracy and integrity of personal data.

Measures and Standards:

  • Use of checksums and hashing for data integrity verification.
  • Implementation of version control systems.
  • Regular integrity checks and audits.


Physical Security Risks (Facility Security)

Unauthorized Access

Legislative Requirements:

CER and NIS2's emphasis on physical security measures is appropriate for managing unauthorized access threats.

  • CER: Enhance physical security measures to protect critical infrastructure.
  • NIS2: Implement measures to manage risks posed to physical environments.

Measures and Standards:

  • Use of access control systems and biometric authentication.
  • Installation of surveillance cameras and monitoring systems.
  • Physical barriers and security personnel.

Theft and Vandalism

Legislative Requirements:

CER's resilience plans and NIS2's governance requirements are relevant for addressing theft and vandalism.

  • CER: Develop comprehensive resilience plans, including physical security.
  • NIS2: Ensure top management is engaged in cybersecurity governance.

Measures and Standards:

  • Secure storage of critical assets.
  • Implementation of theft detection and alarm systems.
  • Regular security patrols and inspections.

Natural Disasters

Legislative Requirements:

CER and NIS2's risk assessments and resilience measures are aimed at mitigating natural disaster risks.

  • CER: Conduct regular risk assessments considering natural risks.
  • NIS2: Implement resilience measures to ensure continuous operation.

Measures and Standards:

  • Disaster recovery planning and business continuity management.
  • Structural reinforcement of facilities.
  • Redundant power supplies and emergency response plans.


Personnel Security Risks

Insider Threats

Legislative Requirements:

NIS2 and CER's focus on governance and mitigation measures is relevant for managing insider threats.

  • NIS2: Engage top management in cybersecurity governance and awareness.
  • CER: Implement measures to mitigate risks from insider threats.

Measures and Standards:

  • Background checks and vetting of employees.
  • Implementation of user activity monitoring and logging.
  • Regular training on security policies and procedures.

Employee Safety

Legislative Requirements:

CER and NIS2's requirements for employee safety measures are appropriate for addressing personnel security risks.

  • CER: Ensure the physical safety of employees through comprehensive security measures.
  • NIS2: Develop and maintain effective practices to protect employees.

Measures and Standards:

  • Emergency evacuation plans and drills.
  • Provision of personal protective equipment (PPE).
  • Health and safety training programs.


Operational Resilience Risks (Business Continuity)

Operational Disruptions

Legislative Requirements:

NIS2 and CER's focus on continuity and resilience plans is relevant for managing operational disruptions.

  • NIS2: Ensure continuous operation and resilience of critical infrastructures.
  • CER: Develop and implement business continuity plans.

Measures and Standards:

  • Business continuity planning (BCP) and disaster recovery (DR) plans.
  • Regular testing and updating of BCP and DR plans.
  • Implementation of redundant systems and failover mechanisms.

Supply Chain Disruptions

Legislative Requirements:

DORA and CER's requirements for third-party compliance and collaboration are aimed at managing supply chain disruptions.

  • DORA: Ensure third-party ICT service providers comply with cybersecurity standards.
  • CER: Collaborate with national authorities and other critical entities to enhance sector resilience.

Measures and Standards:

  • Supplier risk assessments and audits.
  • Implementation of supply chain security measures.
  • Development of contingency plans for supply chain disruptions.

System Failures

Legislative Requirements:

NIS2 and DORA's focus on risk management and resilience testing is relevant for addressing system failures.

  • NIS2: Implement measures to manage risks posed to network and information systems.
  • DORA: Conduct regular operational resilience testing.

Measures and Standards:

  • Regular maintenance and testing of critical systems.
  • Implementation of system redundancy and failover mechanisms.
  • Continuous monitoring and performance testing.


Incident Response Risks

Incident Detection and Response

Legislative Requirements:

NIS2 and DORA's requirements for incident reporting and response plans are appropriate for managing incident detection and response.

  • NIS2: Establish incident reporting and response mechanisms.
  • DORA: Implement robust incident response plans.

Measures and Standards:

  • Incident response teams and playbooks.
  • Use of Security Information and Event Management (SIEM) systems.
  • Regular incident response drills and exercises.

Crisis Management

Legislative Requirements:

CER and NIS2's focus on crisis management strategies and preparedness is relevant for addressing crisis management risks.

  • CER: Develop and implement crisis management strategies.
  • NIS2: Ensure top management is prepared for crisis management.

Measures and Standards:

  • Crisis management plans and communication strategies.
  • Training and awareness programs for crisis management.
  • Coordination with external agencies and stakeholders.


Regulatory Compliance Risks

Non-Compliance Penalties

Legislative Requirements:

NIS2, CRA, and GDPR2's requirements for compliance and standards are aimed at avoiding non-compliance penalties.

  • NIS2: Comply with reporting and security requirements to avoid penalties.
  • CRA: Ensure products meet cybersecurity standards to avoid sanctions.
  • GDPR2: Ensure compliance with data protection regulations to avoid fines.

Measures and Standards:

  • Regular compliance audits and assessments.
  • Implementation of compliance management systems.
  • Continuous monitoring of regulatory changes and updates.

Audit and Reporting Requirements

Legislative Requirements:

NIS2, DORA, and GDPR2's focus on maintaining records and conducting audits is relevant for addressing audit and reporting requirements.

  • NIS2: Maintain and provide records of compliance activities.
  • DORA: Conduct regular audits and provide necessary documentation.
  • GDPR2: Maintain detailed records of data processing activities and report data breaches.

Measures and Standards:

  • Documentation of security policies and procedures.
  • Implementation of audit trails and logging mechanisms.
  • Regular reporting to regulatory authorities.


Third-Party Compliance Risks

Vendor and Supplier Risks

Legislative Requirements:

DORA and CER's requirements for third-party compliance and collaboration are aimed at managing vendor and supplier risks.

  • DORA: Ensure third-party ICT service providers comply with cybersecurity standards.
  • CER: Collaborate with third parties to enhance overall resilience.

Measures and Standards:

  • Vendor risk assessments and due diligence.
  • Implementation of third-party security requirements in contracts.
  • Continuous monitoring of third-party compliance.

Contractual Obligations

Legislative Requirements:

NIS2 and DORA's focus on contractual agreements and compliance monitoring is relevant for addressing contractual obligations.

  • NIS2: Ensure contractual agreements include cybersecurity requirements.
  • DORA: Monitor compliance with contractual cybersecurity obligations.

Measures and Standards:

  • Inclusion of cybersecurity clauses in contracts.
  • Regular reviews and updates of contractual agreements.
  • Enforcement of contractual compliance through audits and assessments.


Product and Technology Risks

Vulnerability Exploitation

Legislative Requirements:

CRA and NIS2's requirements for vulnerability assessments and protection measures are aimed at mitigating vulnerability exploitation.

  • CRA: Conduct vulnerability assessments and provide timely updates.
  • NIS2: Implement measures to protect against exploitation of vulnerabilities.

Measures and Standards:

  • Regular vulnerability scanning and patch management.
  • Implementation of secure coding practices.
  • Continuous monitoring for new vulnerabilities.

Patch Management

Legislative Requirements:

CRA and DORA's focus on timely updates and patch management is relevant for addressing patch management risks.

  • CRA: Ensure timely updates and patches for products with digital elements.
  • DORA: Regularly update and patch systems to maintain security.

Measures and Standards:

  • Automated patch management systems.
  • Regular patch testing and deployment.
  • Documentation and tracking of patching activities.

Outdated Technology

Legislative Requirements:

NIS2 and CRA's requirements for technological adaptation and maintenance are aimed at mitigating risks from outdated technology.

  • NIS2: Ensure continuous adaptation to new technological advancements.
  • CRA: Maintain up-to-date technology to meet cybersecurity standards.

Measures and Standards:

  • Technology lifecycle management.
  • Regular technology assessments and upgrades.
  • Implementation of decommissioning plans for outdated systems.

Innovation and Adaptation

Legislative Requirements:

NIS2 and CRA's focus on innovation and adaptation is relevant for addressing risks from technological advancements.

  • NIS2: Engage in continuous innovation to address emerging threats.
  • CRA: Adapt to new technological advancements to maintain security.

Measures and Standards:

  • Investment in research and development.
  • Participation in industry forums and standards bodies.
  • Continuous improvement of security practices and technologies.


Data Privacy Risks

Unauthorized Data Access

Legislative Requirements:

GDPR2's requirements for data protection measures are appropriate for managing unauthorized data access threats.

  • GDPR2: Implement measures to protect personal data from unauthorized access.

Measures and Standards:

  • Encryption and access controls.
  • Regular audits and monitoring.
  • Incident response plans for data breaches.

Data Misuse

Legislative Requirements:

GDPR2's requirements for data protection principles are relevant for addressing data misuse.

  • GDPR2: Ensure compliance with data protection principles and prevent misuse of personal data.

Measures and Standards:

  • Data minimization and purpose limitation.
  • Regular training and awareness programs.
  • Implementation of data protection impact assessments (DPIAs).

Non-Compliance with Data Subject Rights

Legislative Requirements:

GDPR2's requirements for data subject rights are appropriate for managing non-compliance risks.

  • GDPR2: Ensure compliance with data subject rights, including access, rectification, and erasure.

Measures and Standards:

  • Procedures for handling data subject requests.
  • Regular reviews and updates of data protection policies.
  • Implementation of mechanisms to ensure data subject rights are respected.


Added GDPR2 and a short intro to each piece of legislation.

More articles by Saku Vainikainen
