Interview with LG magazine, translation by itrust consulting.

Are local authorities prepared to tackle the challenges of cybersecurity and the NIS2 Directive? How should they handle it?

An interview with Lynn Pinto, DPO; Camar Houssein, SECaaS Manager; and Carlo Harpes, Managing Director of itrust consulting s.à r.l. and Chair of the (Luxembourg) Security Standards Committee.

How have public authorities been preparing for this new challenge?

Carlo: The text of the NIS2 Directive has been published since 2022; Luxembourg has opted for a transposition that is as simple and minimalist as possible; all entities involved in public procurement are covered; they will be required to manage cybersecurity risks, report their dependencies and security status as well as the outcome of their risk assessment to ILR. In addition, they must report incidents and, if necessary, will receive instructions from ILR on how to manage risks. Minister Léon Gloden encouraged them to take this challenge seriously and not to wait for the law to come into force before preparing. The day after the vote, each entity must have an approved risk analysis demonstrating that it has found the right balance between investing in security measures and accepting residual risks; they must regularly submit improvement plans to ILR too.

What remains to be done by the organizations?

Camar: We agree with ILR that the NIS2 Directive requires nothing more than a designated security officer. However, it imposes a human resources security policy, a (formalized) access and asset management – that is to say, an inventory, with classification and assignment of responsibilities for these assets – and, most challenging of all, a risk assessment and management process that takes into account current norms, which are virtually unknown in the sector. We can easily train someone to assess risks, but such assessment remains uncertain, even for an expert.
My manager always says that conducting a risk analysis is an art rather than a science, as this process must produce well-reasoned and ‘reproducible’ results.

Do organizations that are already GDPR-compliant have a head start?

Lynn: Clearly yes, and yet we still come across organizations that are badly prepared: with no record of processing activities, or incomplete ones; with no privacy notice easily available to data subjects; despite the law having been in force for seven years and the CNPD having hired over 60 officials to monitor and provide guidance. Recently, we have again come across municipal secretaries…
Simplify DORA, GDPR, and ISO Standards Management with Extracted Excel Tables
itrust consulting, in collaboration with CyFORT, launched its Standards Distribution Initiative, aimed at providing standards files and other helpful files in Excel format. These files are designed for seamless integration with popular open-source tools like Ariana, OpenAriana and OpenTrick. The initiative enables organizations to easily generate policies, conduct risk assessments, perform audits, and more, all while leveraging the power and flexibility of open-source solutions. By offering standards in a standardized Excel format, itrust consulting simplifies the process of aligning with international standards and enhances the effectiveness of risk management and compliance activities. This initiative supports a wide range of applications, ensuring that businesses can efficiently manage their ISO-related tasks using the tools they know and trust.

Click here to download the free-to-use Excel files.
Click here to submit a webform (for license holders) to request ISO/IEC standards files.