12 March 2025
How SCION enables compliance with EU cybersecurity legislation for critical infrastructures
In an era where cyber threats are growing in sophistication and scale, the European Union has taken significant steps to increase cyber resilience, especially across critical infrastructures.
With the introduction of key legislation such as NIS2, DORA, GDPR, and the EU Cybersecurity Act, the EU is setting a high bar for cybersecurity and operational resilience. These regulations aim to protect critical infrastructures, ensure data privacy, and mitigate the risks of cyberattacks on vital sectors. However, compliance with these stringent requirements poses a significant challenge for organizations.
We will explore the role SCION can play in this context and how it offers a robust solution for organizations to meet EU regulatory demands by enhancing their cybersecurity strategy.
The EU Cybersecurity landscape: Key legislation and directives
The EU has introduced a comprehensive framework of cybersecurity legislation to safeguard critical infrastructures. While none of them explicitly mention routing security, all of them focus on ensuring resilience, security, and data protection across critical sectors.
Here’s a breakdown of the key regulations:
Regulation | Mission | Impacted Sectors | Requirements | Penalties |
---|---|---|---|---|
NIS2 Directive (2022/2555) | All in-scope entities must be prepared to address a wide range of threats to ensure protection and resilience. | Essential and important entities in energy, transport, banking and financial market infrastructure, health, drinking and waste water, digital infrastructure, public administration, and more. | Regular risk assessments, security controls, supply-chain security, monitoring, incident response plans, reporting of significant incidents (early warning within 24 hours). | Essential entities: up to €10 million or 2% of global annual turnover, whichever is higher; important entities: up to €7 million or 1.4%. |
Digital Operational Resilience Act (DORA) (2022/2554) | Ensure operational resilience beyond financial buffers: withstand, respond to and recover from ICT disruptions. | Financial sector, including banks, insurers, payment institutions, investment firms and their critical ICT third-party providers. | ICT risk management framework, resilience testing (including threat-led penetration testing), third-party risk management, incident reporting. | Administrative penalties for financial entities are set by national competent authorities; critical ICT third-party providers face periodic penalty payments of up to 1% of average daily worldwide turnover. |
GDPR (2016/679) | Protect the personal data of individuals in the EU. | All organisations processing personal data of people in the EU. | Appropriate technical and organisational security measures, DPIAs, notification of personal-data breaches to the supervisory authority within 72 hours. | Up to €20 million or 4% of global annual turnover, whichever is higher. |
EU Cybersecurity Act (2019/881) | EU-wide cybersecurity certification framework for ICT products, services and processes; permanent mandate for ENISA. | ICT products, services and processes across the EU. | Certification is voluntary unless other EU law makes it mandatory. | N/A |
The missing link between EU regulations and the global Internet
NIS2, DORA, GDPR, and the EU Cybersecurity Act do not explicitly mention the global Internet routing system, nor mandate any particular security requirements in that regard.
And yet, all of these regulations enforce cybersecurity and cyber resilience, which are intrinsically linked to the way digital communications are exchanged.
Critical infrastructures today rely heavily on the Internet for their digital communications. Today's Internet presents a large attack surface: bad actors can exploit weaknesses in inter-domain routing to infiltrate networks, steal data or disrupt services.
To avoid these exposures, many critical infrastructures rely on costly and inflexible private lines, often from a single connectivity provider. This approach creates problems of its own, such as a single point of failure if that provider suffers an outage or a cyber attack.
Where many entities need to interconnect (think airports, power plants, etc.), the Internet is more often than not the most convenient solution.
However, inter-domain routing on the Internet (BGP) rests on unverified trust between networks, and neither sender nor receiver controls the route their data takes from point A to point B. This exposes organisations to cybersecurity and data-sovereignty risks and, ultimately, to non-compliance with the EU regulations for critical infrastructure.
Let’s look at the issues more closely:
1. Cybersecurity Risks, Outages, and Service Disruptions for Critical Systems
Critical infrastructure operating over the Internet is susceptible to various routing-level attacks and failures, including:
- Route hijacking: a malicious network announces address space it does not own, so that traffic is redirected to it and can be intercepted, dropped or manipulated.
- Route leaks: misconfigurations propagate routes beyond their intended scope, causing traffic to take unintended (and possibly untrusted) paths.
- IP spoofing: packets are sent with forged source addresses, which is what makes reflected and amplified DDoS attacks possible.
- Man-in-the-middle attacks: an attacker interposes itself between two communicating parties, typically by way of one of the routing attacks above, and eavesdrops on or alters their traffic.
RPKI route-origin validation, where deployed, rejects announcements from unauthorised origin ASes, but it does not detect route leaks or path manipulation that preserve the correct origin. The result can be service disruption, traffic interception, redirection or modification, and large-scale Distributed Denial-of-Service (DDoS) attacks, all of which pose significant security risks.
2. Lack of Data Protection and Sovereignty Risks
BGP selects routes according to each network's local policy and, absent a policy preference, by the shortest AS path; neither the endpoints nor geopolitical considerations such as which countries a path crosses play any role in the decision. This is a problem both for reliable data transmission and for data security.
While data is commonly encrypted in transit, ciphertext that passes through untrusted networks can still be recorded for later decryption, tampered with, or simply dropped in a denial-of-service attack. Traffic flows also reveal who is communicating with whom and may highlight sites of interest. And personal data routed through third countries raises questions under GDPR's rules on international transfers (Chapter V), even where it is never processed there.
How SCION makes critical sectors more secure, resilient and compliant
It starts with the network architecture: SCION groups autonomous systems into Isolation Domains (ISDs), each with its own trust root configuration and its own path-discovery (beaconing) process. Routing and trust decisions made inside one ISD cannot be overridden from outside it, and each network decides which neighbours, and therefore which ISDs, its traffic may traverse.
This new architecture brings the following benefits:
1. Lower Risk of Cyberattacks and Downtime, Higher Cyber Resiliency
SCION trust networks can choose to be private, limited access, or publicly accessible, which reduces the attack surface exposed to the rest of the Internet. Because paths are constructed by beaconing along authorised links and authenticated hop by hop, a network cannot unilaterally announce address space it does not own or inject itself into a path; this minimises the risk of route hijacking, route leaks, MitM and routing-based DDoS attacks.
✔ Organizations can maintain operational continuity and ensure data security, a key requirement under NIS2 and DORA.
SCION's path control also lets the sender restrict data to pre-approved paths, so ciphertext is not exposed to arbitrary on-path observers. This reduces the opportunity for interception and future decryption, the so-called "harvest now, decrypt later" strategy that anticipates quantum computing (path control limits who can record the traffic; it does not replace post-quantum cryptography).
✔ This provides an additional layer of security, aligning with the EU’s focus on long-term cyber resilience.
A SCION-connected organisation typically attaches to several SCION-enabled ISPs, and its endpoints can use these paths simultaneously. If one ISP is down, data keeps flowing over the remaining paths, avoiding the vendor lock-in that private lines come with.
✔ Redundancy means resilience for critical systems in line with DORA and NIS2 requirements.
In short, SCION provides the same benefits as the public Internet and private lines, with the added bonus of being multi-operator for maximum resiliency.
Case in point: the Secure Swiss Finance Network (SSFN), live since 2022, connects over 300 banks that exchange financial data in a secure and resilient way.
2. Data Sovereignty – Route Your Data Only Through Specific Jurisdictions
SCION allows organizations to select paths for data transmission based on criteria such as geofencing. Critical infrastructure operators can choose through which ISDs, and therefore which countries, their data may travel.
✔ This supports GDPR compliance by keeping data from transiting unapproved, untrusted and/or high-risk regions. Path selection is one technical control; the legal basis for any transfer must still be documented.
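The following is an added example, not code from the original post or from the SCION project, showing what endpoint-side geofencing looks like in practice: candidate paths are sequences of (ISD, AS) hops, a policy maps ISDs to countries and allows only some of them, and the selector picks the fastest path that stays inside allowed jurisdictions. It also shows why the BGP tie-breaker described earlier cannot do this: the shortest AS path wins regardless of where the ASes are. The ISD numbers, AS identifiers, country mapping and latencies are constructed for the example; the real SCION path API is not used here.

```go
package main

import (
	"errors"
	"fmt"
)

// Hop is one AS on a candidate path, identified by ISD and AS number.
// The ISD/AS values used below are constructed, not real registry data.
type Hop struct {
	ISD int
	AS  string
}

// Path is an end-to-end candidate path with a measured round-trip time.
type Path struct {
	Name      string
	Hops      []Hop
	LatencyMs int
}

// Policy is an allow-list: an ISD may be traversed only if its country is
// in AllowedCountries. ISDs with no country mapping are treated as disallowed.
type Policy struct {
	ISDCountry       map[int]string
	AllowedCountries map[string]bool
}

// Allowed reports whether every hop of p is in an allowed jurisdiction and,
// if not, which hop violates the policy.
func (pol Policy) Allowed(p Path) (bool, Hop) {
	for _, h := range p.Hops {
		country, known := pol.ISDCountry[h.ISD]
		if !known || !pol.AllowedCountries[country] {
			return false, h
		}
	}
	return true, Hop{}
}

// ErrNoCompliantPath is returned rather than silently falling back to a
// disallowed path: a geofencing policy must fail closed.
var ErrNoCompliantPath = errors.New("no path satisfies the geofencing policy")

// SelectPath drops every candidate that crosses a disallowed ISD and returns
// the lowest-latency survivor.
func SelectPath(cands []Path, pol Policy) (Path, error) {
	var best *Path
	for i := range cands {
		if ok, _ := pol.Allowed(cands[i]); !ok {
			continue
		}
		if best == nil || cands[i].LatencyMs < best.LatencyMs {
			best = &cands[i]
		}
	}
	if best == nil {
		return Path{}, ErrNoCompliantPath
	}
	return *best, nil
}

// ShortestASPath mimics the BGP tie-breaker discussed in the post: with equal
// local preference, the route with the fewest ASes wins, whatever countries
// those ASes are in. It exists only to contrast with SelectPath.
func ShortestASPath(cands []Path) Path {
	best := cands[0]
	for _, p := range cands[1:] {
		if len(p.Hops) < len(best.Hops) {
			best = p
		}
	}
	return best
}

// ExamplePolicy allows Swiss and German ISDs; ISD 3 stands for a
// hypothetical third country ("XX") outside the allowed set.
func ExamplePolicy() Policy {
	return Policy{
		ISDCountry:       map[int]string{1: "CH", 2: "DE", 3: "XX"},
		AllowedCountries: map[string]bool{"CH": true, "DE": true},
	}
}

// ExamplePaths are constructed candidates from a Swiss AS to a German AS.
// The shortest path crosses the third-country ISD and is also the fastest.
func ExamplePaths() []Path {
	return []Path{
		{"via-third-country", []Hop{{1, "ff00:0:110"}, {3, "ff00:0:310"}, {2, "ff00:0:210"}}, 12},
		{"eu-only", []Hop{{1, "ff00:0:110"}, {1, "ff00:0:120"}, {2, "ff00:0:220"}, {2, "ff00:0:210"}}, 18},
		{"eu-only-backup", []Hop{{1, "ff00:0:110"}, {1, "ff00:0:130"}, {2, "ff00:0:230"}, {2, "ff00:0:210"}}, 30},
	}
}

func main() {
	fmt.Println("BGP-style choice:", ShortestASPath(ExamplePaths()).Name)
	p, err := SelectPath(ExamplePaths(), ExamplePolicy())
	fmt.Println("geofenced choice:", p.Name, err)
}
```

Run as written, the BGP-style selector returns the three-hop path through the third-country ISD, while the geofenced selector returns the four-hop EU-only path; if the policy is tightened so that no candidate qualifies, `SelectPath` returns an error instead of a non-compliant path, which is the behaviour an operator wants when the alternative is an unlogged jurisdiction violation.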
3. Extra Benefit: Supply Chain Control
SCION's trust model lets critical infrastructure operators decide whom to admit to, and exclude from, their ISD, including third-party providers.
✔ This gives operators control over which networks sit in their connectivity supply chain, supporting the supply-chain security requirements of NIS2 and DORA.
SCION as a catalyst for security, compliance, and resilience
As the EU tightens its cybersecurity regulations, organizations must adopt innovative solutions to meet these new requirements. SCION offers a transformative approach to Internet routing, addressing the vulnerabilities of BGP and providing a secure, reliable, and compliant infrastructure.
By implementing SCION, critical infrastructures can:
- Strengthen their defenses against cyberattacks
- Ensure data privacy and compliance with GDPR
- Enhance network resilience and business continuity
- Build a resilient and future-proof digital ecosystem
In a world where cyber threats are constantly evolving, SCION is not just a solution – it’s a strategic advantage. Embrace the future of secure routing and ensure your organization is ready to meet the challenges of tomorrow.