Objectives

The CYSSDE (Cybersecurity Deployment Preparedness Support, Capacity and Capabilities) project is a European initiative coordinated by LSEC, aiming to enhance cybersecurity resilience among Essential Service Operators and SMEs affected by NIS2 regulations. It addresses the prevalent vulnerabilities within these organizations and the insufficient capacity for self-improvement in cybersecurity.

Supporting Member States

Organizing open calls to boost the cybersecurity maturity and resilience of Essential Service Operators and SMEs.

Developing Methodologies

Creating methods, scenarios, and use cases to inform NIS2 requirements.


Penetration Testing Support

Collaborating with at least 23 penetration testing organizations to conduct a minimum of 230 assessments for Essential Services Operators and SMEs.

Identifying Capabilities

Documenting assessment capabilities across the EU to facilitate better access and visibility, helping direct demand and reduce capacity gaps.


The project highlights the need for integrated approaches to address the complexities of modern critical infrastructures, acknowledging the rise in cyber-physical attacks and the limitations of treating cyber and physical security separately. Ultimately, CYSSDE aims to improve resilience through continuous vulnerability assessments and tailored support for various organizations under NIS2 regulations.

Framework

Regulatory Framework – NIS2 Directive

The NIS2 Directive aims to enhance cybersecurity across the European Union. It differentiates between essential entities and important entities based on their economic and societal roles and the sectors they operate in.

Essential entities are organizations in highly critical sectors that are vital to societal and economic functioning. Disruptions in these sectors could lead to significant consequences. The NIS2 Directive identifies the following sectors as essential:

Energy (electricity, oil, gas)

Transport (air, rail, water, road)

Banking and financial market infrastructures

Health (hospitals, healthcare providers)

Drinking water supply and distribution

Digital infrastructure (internet exchange points, DNS service providers, cloud computing)

Public administration

Important Entities

Important entities, while still crucial, are considered to have a less immediate impact compared to essential entities. Disruptions in these sectors might not result in severe consequences. Important sectors under the NIS2 Directive include:

Postal and courier services

Waste management

Manufacture, production, and distribution of chemicals

Food production and distribution

Digital service providers (online marketplaces, search engines, social networks)

These entities are also required to implement cybersecurity measures and report incidents, although the requirements are generally less stringent than for essential entities.

Key differences

Impact Level

Essential entities have a higher potential impact from disruptions than important entities.


Regulatory Oversight

Essential entities face more rigorous oversight and inspections.


Obligations

Both categories must implement security measures and report incidents, but essential entities have more stringent requirements.


In summary, the NIS2 Directive categorizes entities based on their significance to societal and economic functions, with essential entities facing stricter regulations compared to important entities.

This page was created using insights from the report CYSSDE D2.1 Methodologies Pentesting