Objectives
The CYSSDE (Cybersecurity Deployment Preparedness Support, Capacity and Capabilities) project is a European initiative coordinated by LSEC, aiming to enhance cybersecurity resilience among Essential Service Operators and SMEs affected by NIS2 regulations. It addresses the prevalent vulnerabilities within these organizations and the insufficient capacity for self-improvement in cybersecurity.
Supporting Member States
Organizing open calls to boost the cybersecurity maturity and resilience of Essential Service Operators and SMEs.
Developing Methodologies
Creating methods, scenarios, and use cases to inform NIS2 requirements.
Penetration Testing Support
Collaborating with at least 23 penetration testing organizations to conduct a minimum of 230 assessments for Essential Service Operators and SMEs.
Identifying Capabilities
Documenting assessment capabilities across the EU to facilitate better access and visibility, helping direct demand and reduce capacity gaps.
The project highlights the need for integrated approaches to address the complexities of modern critical infrastructures, acknowledging the rise in cyber-physical attacks and the limitations of treating cyber and physical security separately. Ultimately, CYSSDE aims to improve resilience through continuous vulnerability assessments and tailored support for various organizations under NIS2 regulations.
Framework
Regulatory Framework – NIS2 Directive
The NIS2 Directive aims to enhance cybersecurity across the European Union. It differentiates between essential entities and important entities based on their economic and societal roles and the sectors they operate in.
Essential entities are organizations in high-critical sectors vital to societal and economic functioning. Disruptions in these sectors could lead to significant consequences. The NIS2 Directive identifies the following sectors as essential:
Energy (electricity, oil, gas)
Transport (air, rail, water, road)
Banking and financial market infrastructures
Health (hospitals, healthcare providers)
Drinking water supply and distribution
Digital infrastructure (internet exchange points, DNS service providers, cloud computing)
Public administration
Important Entities
Important entities, while still crucial, are considered to have a less immediate impact compared to essential entities. Disruptions in these sectors might not result in severe consequences. Important sectors under the NIS2 Directive include:
Postal and courier services
Waste management
Manufacture, production, and distribution of chemicals
Food production and distribution
Digital service providers (online marketplaces, search engines, social networks)
These entities are also required to implement cybersecurity measures and report incidents, although the requirements are generally less stringent than for essential entities.
Key differences
Impact Level
Essential entities have a higher potential impact from disruptions than important entities.
Regulatory Oversight
Essential entities face more rigorous oversight and inspections.
Obligations
Both categories must implement security measures and report incidents, but essential entities have more stringent requirements.
In summary, the NIS2 Directive categorizes entities based on their significance to societal and economic functions, with essential entities facing stricter regulations compared to important entities.
This page was created using insights from the report CYSSDE D2.1 Methodologies Pentesting.