Regulatory map in CYBERCOMPLIANCE
Today, almost all companies are immersed in the digital world. But what many don't know is that with each step in this direction, responsibilities, regulatory obligations, and risks accumulate. This is where a concept born of the digital age comes into play: cybercompliance, which unites two worlds that until now were considered opposites: law and technology. An example of this is the NIS 2 Directive, which was scheduled to come into force in our country in just a few days, following the mandatory Spanish transposition.
However, although its entry into force was planned for October 18, 2024, the complexity of the matter will lead to a significant delay in the transposition, given that we do not even have a draft of the regulation less than a month before the scheduled date.
This Directive represents the new European regulation requiring key sectors such as energy, healthcare, and transportation to guarantee the security of their information systems. What does this mean? It's not just about protecting data, as the GDPR regulated, for example, but also about ensuring essential services, such as the energy supply in hospitals, the continuity and security of nuclear power plant systems, or the technological infrastructure of an insurance company. And be careful, because the sanctions for those who fail to comply with these regulations will be significant, in line with the trend generated by the GDPR itself.
This is where regulatory maps prove essential. These maps are a sort of outline of the obligations that apply to a specific organization under every regulation, on information security or related matters, within whose scope that organization falls. We are talking, therefore, about NIS 2, but also about ENS, DORA, the EBA guidelines, GDPR, SOX, LSSI-CE, or the recently approved Artificial Intelligence Regulation. They are complemented by the standards that organizations have "voluntarily" decided to implement and that, from that moment on, feed their cybercompliance map, such as ISO 27001, ISO 27701, NIST, SOC 2 Type 2, etc.
All of these ingredients constitute the starting point for any organization to configure its information security framework, which will be completely different for each one and must include all the obligations and controls applicable to it based on the previous list.
This means that, in terms of operational and cost efficiency, the best possible approach involves identifying the regulations applicable to the organization, then mapping their specific obligations together with the synergies and commonalities among those obligations, and establishing a strategy to address the entity's compliance with this regulatory map, whose obligations relate to the technological controls that the organization must have in place.
Who is responsible for creating this map and its subsequent implementation? Lawyers or engineers?
Probably the most reasonable conclusion is that a hybrid profile would be required, capable of understanding and working with regulations as well as with information systems and their controls. But do such profiles exist? The reality we find is that these two profiles rarely speak the same language. The more technical profiles are reluctant to understand concepts such as compliance level, the common administrative procedures in the sanctioning area of the administrations responsible for monitoring compliance with these obligations, or the scope of application of the regulation. In contrast, the more legal profiles rarely understand concepts such as network segmentation, the operation of a SOC/SIEM, or asset protection through EDR. In short, a new profile is emerging that organizations need: highly technological lawyers or highly legal-minded technicians, who will be the only ones capable of tackling a challenge of the magnitude we face, and who are currently in short supply.
Do you want to be that person? Let's talk about cybercompliance.