Data security, regulation, and the risk-based approach
Securing data has become one of the most pressing challenges for organisations today. Businesses must also navigate a complex and growing regulatory landscape designed to enhance data resiliency and protect the privacy of data subjects through data management and a risk-based approach.
Brice Legay, Senior Manager, Cybersecurity Consulting at PwC Luxembourg, and Aline Moyret, Practice Manager, Governance, Risk & Compliance at DEEP by POST Group discussed those topics at "The importance of safeguarding your data," an event organised by LuxTrust, DEEP by POST Group, and Thales and hosted by POST Luxembourg in its new headquarters on 14 November 2024.
The need for data agility while maintaining data security
Organisations are increasingly prioritising data agility, driven by the growing adoption of technology and the collaborative components of the modern workplace (e.g. generative AI tools). This shift is fuelled by the need for businesses to take advantage of their data more efficiently. However, companies should balance the need for data agility and innovation with data security, Brice Legay says.
While ensuring data agility, he identified the following challenges organisations are facing: protecting data from cyberattacks, complying with regulations, avoiding over-reliance on a single critical ICT provider, and maintaining data sovereignty.
Key EU regulations: DORA, NIS 2, and GDPR
When it comes to data security regulations in the European Union (EU), there are many laws, but three stand out, according to Brice Legay:
- DORA (Digital Operational Resilience Act): DORA aims to enhance the digital resilience and security of financial entities.
- NIS 2 (Network and Information Systems Directive 2): This updated directive will replace the original NIS and is not yet fully transposed into Luxembourg law. It aims to improve the resilience and incident response capabilities of critical entities in 11 sectors, such as energy, transport, banking, financial market infrastructures, health, drinking water, wastewater, digital infrastructure, public administration, space and food.
- GDPR (General Data Protection Regulation): Perhaps the most well-known of the data-security laws, GDPR focuses on safeguarding the personal data of EU citizens.
Despite differences in their scope, all three regulations cover common points when it comes to data security: ICT risk management, data identification and protection (including data encryption), third-party provider management and exit strategies for ICT services.
GDPR specifically covers personal data residency requirements, while DORA includes provisions to ensure businesses do not become overly reliant on a single service provider, which can introduce significant risks.
Practical advice
Brice Legay offers three pieces of advice to organisations:
- Implement ICT risk management to identify adequate security measures that protect data in line with its criticality and with applicable regulations.
- Implement security controls such as data classification, encryption and key management, and a multi-vendor strategy.
- Assess the impact of relying on non-EU ICT service providers through an internal data sovereignty strategy that leverages the organisation's data classification.
A risk-based approach to data protection
“There is no one-size-fits-all solution,” cautions Aline Moyret. “You need to analyse your organisation’s specific context and adopt a risk-based approach.” This means identifying the data you need to protect, assessing its value, and determining how to safeguard it while balancing agility with the required level of control.
Aline Moyret says that defining risk appetite is a must, as this will influence the approach to data security. Different types of data require different levels of protection, and regulations offer a foundation, but it is up to each organisation to tailor its approach.
Data protection is not just about encryption but also involves access control, security operations, asset management, and security testing — all of which should be aligned with international standards such as ISO 27001. The key is to design security controls that are flexible enough to handle a variety of environments, allowing businesses to maintain both security and operational agility.
Other best practices
Aline Moyret also highlights the importance of encryption key management. She advises organisations to align their cryptographic controls with business needs, ensuring segregation of duties, secure storage, and a proper key rotation process. Many companies, she notes, have experienced downtimes due to expired or outdated certificates, underscoring the need for robust backup, archiving, and secure destruction practices.
To maintain control, Moyret recommends that organisations design their encryption key management processes and procedures so that they can handle diverse environments. One tool that can help in this area is Key Management as a Service. According to DEEP's experience with clients, this service is becoming essential, as managing encryption keys across heterogeneous environments remains a significant challenge.
Aline Moyret concludes by stressing the importance of conducting regular risk assessments to identify critical assets, assess security needs, and evaluate potential threats. It is crucial to weigh the need for agility and cost efficiency against risks.