The Malta Independent 25 May 2024, Saturday
View E-Paper

Dancing to the NIS2 tune

George M Mangion Sunday, 7 April 2024, 09:00 Last update: about 3 months ago

Technical innovation can be harnessed for social good, but can just as readily serve for nefarious ends. This is truer of cybercrime than of perhaps any other crime area.

Observe how cybercriminals are also getting more aggressive. That's why the EU is beefing up its directives to fight cybercrime on all fronts. NIS2 and Dora are some of the latest legislative efforts launched as part of the EU's comprehensive approach to digital transformation. Are we surprised following the frequent cyberattacks from Asia and Russia that the EU is reacting?


Cybercrime is a growing problem for countries, in most of which internet infrastructure is well developed and payment systems are online. These attacks don't solely focus on financial data; rather, they target data more broadly, which is a prime objective for cybercriminals. The number and frequency of data breaches are on the rise, and this in turn is leading to more cases of fraud and extortion. Fraud schemes are perpetrated with the intention of defrauding victims of their assets using false and deceitful pretexts or with the use of cyberattack techniques. This results in the voluntary or involuntary transfer of personal or business information, money or goods to criminals. From ATM attacks and account takeovers to skimming and shimming, the wide availability of crime-as-a-service has made this criminal activity more accessible. Criminals show great versatility and adaptability in adjusting their modi operandi and modelling their narratives around socio-economic trends as well as current crises, taking advantage of emergency situations to create charity scams.

Malware or malicious software infiltrates and gains control over a computer system or a mobile device to steal valuable information or damage data. There are many types of malware and they can complement each other when performing an attack.

Ransomware stops users from accessing their devices and demands that they pay a ransom through certain online payment methods to regain access. A variant, police ransomware uses law enforcement symbols to lend authority to the ransom message. These threats are fast-evolving and unfamiliar, with many companies being caught on the back foot when dealing with the risk. For the insurance industry, working with clients to help them tackle these challenges is vital to ensure businesses operate in as safe an environment as possible.

Despite the complex risk landscape, many business leaders in Malta are still feel confident about their chances in the event of a cyber incident. Almost three-quarters (74%) said they were "very prepared" or "moderately prepared" for such an attack - although this is down from 80% last year. The way industry insiders perceive threats does not always correlate with the actual threat landscape, and indeed there are still some strong threats facing businesses. One of the most prominent is the risk of ransomware attacks, which are on the rise.

Cybercrime knows no boundaries. Cybercriminals are constantly coming up with new ways to profit from their crimes at the expense of citizens, businesses and governments, across national borders and jurisdictions. Police forces around the world thus encounter similar cybercrimes and similar criminal targets, and that calls for a coordinated, international approach to the problem.

Surveys show that the most vulnerable country to cybercrime in the EU is Malta, with a 41% ranking, followed by Greece, Romania and Slovakia. Latvia is 14th and Lithuania sixth most vulnerable to cybercrime in the EU. Recently, two suspects were arrested in Malta and Nigeria in the framework of the operation. The suspects are accused of selling the malware and supporting cybercriminals who used the malware for malicious purposes.

Europol provided analytical support to the investigation which led to the operation involving Australia, Canada, Croatia, Finland, Germany, Malta, the Netherlands, Nigeria, Romania and the United States. These countries provided valuable assistance securing the servers hosting the Warzone Rat infrastructure.

The EU is now rapidly enhancing cybersecurity, operational resilience and the secure sharing and handling of data across all sectors, including the financial and gaming industries. So the business community is faced with questions about new regulations. NIS2 strengthens security requirements for critical sectors, including energy, transport, health and digital infrastructure. It aims to improve national cybersecurity capabilities, enhance EU-level collaboration and increase information sharing and reporting requirements.

Is it too late for the EU to start building its fortress and locking its drawbridge. Not really; the NIS2 Directive, officially titled the Directive on measures for a high common level of cybersecurity, represents an enhancement of the initial Network and Information Systems (NIS) Directive. The latter was the inaugural EU-wide legislation concerning cybersecurity. The original NIS Directive aimed to improve the cybersecurity of network and information systems across the EU, with a particular focus on critical sectors and digital service providers. The exact last date for country implementation would depend on the official date the NIS2 Directive entered into force. Given the typical transposition period, Malta would have until approximately early 2024 to complete this process, depending on the formal adoption date. Both the EU and national authorities provide guidance, best practices and resources to help organisations understand and implement the necessary measures to comply with the directive.

One might inquire: why isn't there any financial assistance? Such aid could alleviate the costs linked with compliance by providing clear frameworks and guidance. Specific guidance from the Maltese government regarding the implementation of the Digital Operational Resilience Act (Dora) and the NIS2 Directive would typically be provided by the Malta Financial Services Authority (MFSA).

As the top regulator for financial services, the MFSA would play a key role in guiding financial institutions through the implementation of Dora. This could include issuing circulars, consultations, guidance documents and frameworks to ensure that entities understand their responsibilities under Dora. One can never underestimate ICT risk management, reporting and third-party risk. The Malta Digital Innovation Authority with a primary focus on fostering digital innovation and technology arrangements, may also be expected to contribute to broader digital operational resilience efforts. Next is the Office of the Information and Data Protection Commissioner (IDPC).

Although its primary focus is data protection, the IDPC may also be involved in aspects of Dora and NIS2 that touch on data security and privacy.

Finally, the Malta Communications Authority, which oversees electronic communications and postal sectors might also have a role, especially in aspects related to the NIS2 Directive, which covers digital infrastructure.


George M. Mangion is a senior partner at PKF Malta

  • don't miss