The Column – Cyber Security Week
This week I’m going to get technical, because in Italy we may be living through a historic transition. NIS 2, the European directive that updates the common cybersecurity framework for essential and important entities (there are around 25 thousand of them in Italy), is slowly unfolding its effects. In particular, it has brought a very concrete topic to centre stage: the security of the supply chain and, therefore, the relationship between the obliged entities and their relevant suppliers.

Now let’s imagine the scene. On one side there are thousands of NIS entities who, as diligent as pupils on the first day of school, prepare their questionnaire for the relevant supplier. On the other side, in addition to hundreds of thousands of SMEs, there are always the same few large suppliers: telcos, energy companies, some other indispensable hub without which the organisation’s operational capacity is wiped out within minutes. The result is easy to predict: a forest of almost identical forms, a hail of requests, a documentary liturgy that risks producing more paper than control.

However, NIS 2 was not created to run a regulatory printing press. The directive asks essential and important entities to govern the security of the supply chain as well, and therefore to look at their direct suppliers, the services received, the specific vulnerabilities, the quality of the products and the supplier’s cybersecurity practices. In the Italian context, ACN, our National Cybersecurity Agency, has made this issue very concrete, asking us to identify relevant suppliers and dedicating a specific section to them in the FAQs on its website. So far everything is linear. The point, however, is that for some categories of suppliers relevance is not an investigative surprise but a structural fact. Telcos fall under ICT provision, are usually a prerequisite for everything else, and very often qualify as non-fungible as well. Electricity is evidently non-fungible. This is where the first misunderstanding to avoid arises.
It is one thing to identify a relevant supplier; it is another to obtain assurance that the risk is actually managed. With systemic, non-fungible suppliers the problem is not “discovering” relevance, as if a regulatory treasure hunt were needed, but understanding how to manage it. Forcing thousands of NIS entities to repeat the same investigation on essentially identical suppliers means turning a fact of reality into a serial administrative exercise. It is a decisive difference, because real security begins when we stop confusing the census with risk management.
Then there is the issue of systemic efficiency. NIS 2 aims to raise the common level of cybersecurity, not to multiply unnecessary friction. Some friction is useful: it slows down mistakes, makes risk visible, forces you to ask the right questions. Sending thousands of nearly overlapping questionnaires to the same infrastructure providers, however, is not useful. It is traffic that leads to documentary congestion. It is the classic case in which compliance, rather than protecting, consumes organisational oxygen. And when the national perimeter exceeds twenty thousand organisations, with over five thousand essential entities, the idea of everyone opening their own small investigation desk towards the same telcos or the same utilities looks more like a traffic jam on the ring road than a security strategy.
Furthermore, the purely bilateral relationship suffers from an almost obvious weakness. The individual NIS customer often has neither the contractual strength nor the technical visibility to obtain deep, homogeneous and comparable evidence from a large telco or a large utility. If the system rests only on scattered initiatives, the quality of the assurance collected will depend on the luck, negotiating weight and patience of each individual. In other words, you end up with a map of the supply chain made up of uneven pieces: here a declaration, there a table, elsewhere an audit or, worse still, something little more than a well-written brochure. It is shadow-puppet compliance: crisp silhouettes, no substance.
For this reason, for systemic non-fungible suppliers, the solution most consistent with the rationale of NIS 2 seems to be a different one: a standardised, reusable, proportionate and common assurance model, a uniform dashboard of minimum, verifiable evidence. Service perimeter, continuity and escalation, incident management, essential security measures, critical dependencies, relevant subcontractors, independent attestations, periodic updates: enough to allow a plurality of NIS entities to demonstrate that the risk is known and governed. It would be a common language instead of thousands of contractual dialects. This would help not only customers but also supervision, because what is uniform compares better, and therefore is governed better. Ultimately the point is simple. When a supplier is systemic, its relevance does not need to be demonstrated, and it is not governed with documentary bricolage but with verifiable standards, proportionality and responsibility. It would mean making an effort to practise grown-up security with a few fewer questionnaires and a few more good practices. Now it’s a matter of understanding whose turn it is… I have an idea.