NIS 2.0: “more sectors concerned about network security”

Sheila Becker is head of network and information systems’ security (NISS) at ILR and vice-president of Women Cyber Force (Photo: Andrés Lejona/archives)

Sheila Becker’s first stint with ILR was in the telecom sector. She joined the institute after graduating with a PhD in computer sciences through the University of Luxembourg and the University of Lorraine. 

But back then, she hoped to do more in cybersecurity, and so in 2016 she decided to take another job--this time heading the cyberdefence team in the Luxembourg armed forces, shortly after which she was seconded to the directorate of defence. 

“It was a really important time for me, the work at the armed forces,” Becker tells Delano. “I learned a lot about the cyberdefence domain, cybersecurity issues we’re facing.”

Harmonisation among EU member states

As part of the EU’s cybersecurity strategy, the EU network and information security (NIS) directive was adopted in 2016. In addition to outlining minimum national capabilities, the directive aimed to foster cross-border collaboration as well as the national supervision of critical sectors.

“The NIS directive is the EU's approach to harmonise, or at least get a minimum security level, among the essential sectors...like electricity, energy, overall drinking water,” Becker explains. “Everything is getting more digitalised, and when you have a lot of digitalisation, of course, there are a lot of threats you haven’t thought about before.”

In 2019, as the directive was being transposed into Luxembourg law, Becker was therefore asked to return to ILR, the point of contact for Luxembourg on NIS, and the competent authority for all sectors except the financial sector. There she heads the cybersecurity team, which she says for now is “a small team, but slowly getting more people because it’s a very relevant topic, and it’s important to work together with the operators to get into a common standard or level of cybersecurity.”

A fast-moving field 

Becker says the cybersecurity field appeals to her in part because of its challenges: the domain changes rapidly, develops constantly and requires prioritisation. “You cannot be 100 percent secure, that’s something you have to face, so you have to see which elements of a system need the most protection, which are most essential,” she explains. “Something which is really interesting for me is to work in these sectors, and to feel like I’m helping the country to be better prepared.”

She’ll certainly have her work cut out for her in the near future. The Commission in March adopted a proposal for NIS 2.0; once agreed, member states will need to transpose it within 18 months.

“The digital transformation of society (intensified by the covid-19 crisis) has expanded the threat landscape and is bringing about new challenges which require adapted and innovative responses,” the Commission states about the NIS2 directive. 

It adds its concerns about disruptions having the potential to “have cascading effects more broadly, potentially resulting in far-reaching and long-lasting negative impacts in the delivery of services across the whole internal market,” even if a disruption is at the outset just confined to one sector or entity. 

Becker’s scope could therefore potentially change. “NIS2 brings a lot of different obligations to the operators but also the competent authorities, so with these [and other] regulatory objectives you have to keep pace with things, but also the development of the sectors,” Becker says. “With NIS2 the list is getting bigger, so there will be more sectors in the objective of the directive... more sectors [are] concerned about network security and information security.”

It was through her work on NIS that Becker was brought into talks for the Women Cyber Force, where she serves as a vice-president. “It’s a very good initiative,” Becker says. “Overall, the issue is that there isn’t enough workforce in IT or cybersecurity. If you want to resolve this issue, one good way to go ahead is to get more women on board.”

She believes more women could open themselves up to the cyber or IT field as a career change, and that not all positions require high technical expertise. “If you don’t feel comfortable working that technical, you can still be part of the cyber team. You need people at every level.”