Understanding EU Compliance Mandates
Does compliant mean secure? In theory, the mandates that govern the industries we work in and with give guidance and define frameworks intended to put guardrails around the applicable forms of security, cyber or otherwise.
That can give rise to differing views on how a mandate should be interpreted, or at least to debate about how its details should be applied. We have probably all heard compliance called a "tick-box exercise", either as a warning about how not to treat it or as a throwaway, tongue-in-cheek remark from long-suffering professionals who have implemented the various mandates that apply to their industry or region.
I have a personal view, shaped by some of the experiences above and by working closely with organisations and individuals that have spent significant time poring over compliance frameworks. Often I have found that applying compliance in practice is easier and less complex when you work in the spirit of the mandate rather than from its drier technical details alone. How much the details matter depends on the mandate, but it is usually worth looking through the text to the meaning of a given control: the intent behind the rule, and what it means for an improvement in security. That is my preferred way to handle this.
At its core, and to return to the question above, compliance exists to provide a baseline level of security or a general improvement in posture, together with a reliable way to check that posture.
As a caveat, mandates differ in how specific they are. PCI DSS, for example, spells out detailed requirements for logging and file-integrity monitoring, whereas the NIS Directive (which is EU specific) offers far broader guidance with more variation in how each member state transposes it.
Similarly, in my experience a good auditor or auditing body will look at intent and efficacy rather than only at the technical detail. How far this holds depends, of course, on how specific the mandate is (as above), and I can only speak from my own direct experience.
You may be asking yourself where Illumio fits in. The common thread between our business and the governing bodies mentioned above is a shared goal: protecting high-value assets and data. The compliance mandates we see governing data, cybersecurity practice and, in some cases, critical infrastructure all have the same reasoning at their core. Protecting data, or the systems that handle and transfer that data (credit card information, Personally Identifiable Information (PII), payment records, asset data, or the systems that control these and others), is central to every one of them. In practice that protection nearly always involves some form of separation or microsegmentation. The goal is to limit the attack surface and the blast radius of a compromise, or to go further to a full Zero Trust model of access and connectivity, so that critical systems and data are kept apart from lower-priority, less critical areas.
To that end, this blog series will focus on cutting through the details of the differing compliance areas, and, critically, each post will carry a counterpoint from an experienced external professional in that area. This adds color to my own commentary and also allows for specific detail on how each mandate may be interpreted and audited at a government or third-party level (including input from auditors themselves).
Thanks ahead of time to those contributing!
We'll primarily focus on EU/European-specific compliance mandates, as these can differ significantly from those in the United States. As such, I won't be covering US mandates such as HIPAA and Sarbanes-Oxley, or the NIST frameworks, in detail. I'll also leave PCI DSS alone, as we already have significant information on PCI compliance here at Illumio.
With that, the areas covered in this series will be grouped into a few similar governing areas:
Critical infrastructure – NIS Directive, LPM
This post will cover the relatively new NIS Directive (Directive on security of Network and Information Systems) as it applies to EU member states. It is an interesting mandate because of its broad remit, its relationship to GDPR, and its relatively open, locally interpreted nature. The post will also look at that more open character of the NIS Directive, guidance rather than prescribed controls, which ties back to the earlier points about the intent of a mandate and its implementation.
Also related, and an input to the creation of the NIS Directive, is the French critical information infrastructure protection law (LPM), a more mature, critical-infrastructure-specific mandate with some interesting controls.
Finance/Payments – SWIFT, ECB SIPS
Here we'll cover the financial mandates: SWIFT, one of the first that the Illumio platform was used to help meet, and the EU-specific ECB SIPS (European Central Bank Systemically Important Payment Systems) compliance guidance.
Data handling – ISO 27001, GDPR
In this post, we'll discuss data governance and control, and the protection of PII and the systems that host it. This is another area with a broad range of potential implications and interpretations: GDPR, for example, is only tangentially connected to the more specific cybersecurity standards while being closely coupled to the NIS Directive.
I look forward to sharing insight and expertise from compliance specialists and explaining how Illumio can help any organization reach its compliance goals.