Juan Luis García, Lead of Cybersecurity Business Development

Compliance with minimum standards. Let's not cheat the solitaire

A key aspect of addressing compliance with the new information security regulations being put in place by legislators is the need to implement measures that limit the cybersecurity risks faced by organisations. One possible mechanism is to align with a consolidated security framework or standard. In the case of Spain, this can be done through the National Security Scheme (ENS), which takes a comprehensive view of cybersecurity. The objective of these standards is for entities to demonstrate that they have implemented measures that limit the cybersecurity risks to the organisation.

But those of us who have been doing this for some time also know that when an organisation decides to pursue ENS or ISO 27001 certification, the scope is determined by the organisation itself. This means that while some elements apply, or are expected to apply, to the whole entity, other measures are specific to the provision of particular services or the handling of particular information.

What does this entail? Sometimes a subterfuge is sought in the form of "mere compliance". Simply complying as a formality in order to obtain a stamp certainly does not add what the organisation actually needs. It will not be the first or the last time that you arrive at a meeting with an organisation where they say "I want to get this done in the shortest possible time, so let's go for the easy stuff". Of course this is possible, but then the goal of compliance is far removed from the essential inspiration of the rule.

The NIS 2 Directive should be understood as a commitment to the greater

This is where we say: be careful what you do when it comes to compliance. The aforementioned certifications can be obtained for something very specific and often far from the core business. In such cases it is clear that these organisations do not pursue certification because they are convinced of the need; rather, they do so because it is a requirement of their client, or as a mechanism to be able to apply for a public administration tender. More recently, we are beginning to see some specifications that require not only a certain level of certification but also that the object of the service be included as such in the scope of the standard for the entity, but this is not yet a very widespread practice.

The NIS 2 Directive is to be understood as a "big bet" on the essential service. Its inspiration is not for entities simply to have a piece of paper that says they are compliant. It really wants them to deliver: the application must be real in what is genuinely the subject of the organisation's main function, whether that is the services it provides or the information it handles.

Besides, lies do not get very far. A half-hearted ISMS has shown total inconsistency in the face of the first serious cyber incident. Maturity certainly plays a part, but when something is half-finished, it shows, both in management and in the security that has actually been implemented. And when third parties or authorities come asking for an account of the situation, it will not be enough to say "I hold this or that certification". They will need to actually demonstrate the security that exists. And, logically, what takes time to do, especially in a tense situation such as that caused by a cyber incident, becomes impossible without a solid foundation in place. This is not just about technology. It is also about responsibilities, processes, people, ... It is something that involves the whole organisation, and as such it has to be demonstrated.

The text of the draft bill that will transpose NIS 2 itself includes the need to demonstrate compliance with regard to the implementation of cybersecurity risk management measures: "Essential and important entities shall demonstrate compliance with the obligations referred to in this Article. In the case of essential entities, compliance shall be evidenced by obtaining and maintaining a certificate of compliance. Relevant entities may choose between the above-mentioned certification or a self-assessment of the security posture. The essential or important entities that are expressly included in the scope of application of Royal Decree 311/2022, of 3 May, shall comply with the provisions of this decree regarding Certification of Conformity with the National Security Scheme". And within the rigidity established by a law of its scope, certain margins of movement are offered. For example, the preliminary draft, in its article 15 (j) on the application of general measures, qualifies the implementation of multi-factor authentication with a phrase that hopefully will not end up being twisted: "where appropriate". Ambiguity? No! Just some flexibility.

It is more or less clear to all of us when a second factor is necessary and when it is not. We only need to understand what an adversary does, and this will lead us to the reasons for implementing a multi-factor authentication system. If that is not enough, then a good risk analysis should tell you. And if it does not, perhaps it is not the right risk analysis.

If anyone in cybersecurity, and there may be some left, is still unclear as to why two-factor authentication should be used, then they have buried their head in the sand like an ostrich, particularly during 2020 and 2021. How many attacks resulted from corporate passwords stolen from personal computers, when people had no other means of doing business while confined? Unfortunately, it is still today one of the entry mechanisms used by various cybercrime groups. The evolution of recent years and the situations that have arisen have left a deep mark which, of course, has been reflected in the various regulations that have appeared in recent years and are still to come.

Those entities that have already worked their way towards ENS certification at the high level will find it easier to demonstrate compliance with NIS 2. So will those that are ISO 27001 certified, although in this case a certain gap will have to be covered, as the technical measures are not necessarily fully aligned with NIS 2. For those who have not travelled this path, it will be a little more complex, but it is not impossible if there is the will. But please, let us not fool ourselves by looking for shortcuts that really lead nowhere.