
Revising the NIS Directive: Towards enhanced EU-wide harmonisation of cybersecurity requirements for OES and DSP
networked devices. 4 The advancing spread of digital technologies is creating a wide range of new opportunities for both private and commercial user groups. However, as previously mentioned, digitalisation also poses numerous challenges with regard to safety, security and privacy. While some of these challenges, such as those concerning safety, are already adequately and holistically addressed, other areas still lack a comparably holistic regulatory approach. Gaps in those areas can result in additional risks to everyone's health, as well as to the environment, the economy and public safety at large. These risks can be countered by targeted technical measures (such as security-by-design), regulatory measures (an unambiguous and holistic regulatory framework) and behavioural measures (e.g. cyber-hygiene), so that the remaining residual risk is kept within acceptable limits. The European Union should therefore adopt a holistic approach to cybersecurity, which can only be achieved by including all players in the digital value chain. This requires that the NIS Directive, which regulates the resilience and security of critical infrastructures, and product-related regulations on cybersecurity work hand in hand.
When introducing more harmonised elements into the process of identifying OES, as well as when expanding the scope of the Directive with the aim of covering further sectors or services, the process should follow a risk-based and layered approach combined with an impact assessment of the potential implications for the competitiveness of European companies.
The existing inconsistencies in applying the NIS Directive should not be addressed simply by extending all current areas of application to all member states, as most of the inconsistencies stem from services that have been identified in some but not all member states. The NIS Directive deliberately provides a flexible framework for identifying OES sectors, giving member states a certain degree of leeway to accommodate national and sectoral specificities. A targeted regulatory intervention should therefore strive for EU-wide harmonisation of cybersecurity regulations (including the definitions of the sectors falling under the scope of the NIS Directive). While harmonising the scope of the NIS Directive is important, national authorities should nonetheless retain some leeway in the identification process so that national and sectoral specificities can be accommodated. The same considerations should apply to a future EU-level alignment of the thresholds above which a company operating in an OES sector has to fulfil the requirements stipulated in the NIS Directive or in the national regulation implementing it, respectively. Nonetheless, the Commission should address the confusion created by the scope of the Directive by establishing a common denominator of critical infrastructure sectors and services that have already been defined by EU member states; this would help to streamline the scope and enhance harmonisation.
4 CISCO. 2019. Visual Networking Index: Forecast Highlights Tool. URL: https://www.cisco.com/c/m/en_us/solutions/service-provider/vni-forecast-highlights.html#
The methodologies for identifying OES and for setting the thresholds should be clear, transparent and comparable. Irrespective of whether the identification is carried out by the competent authorities of the member state or as part of a self-identification, an operator that may fall under the scope of the NIS Directive should be able to verify for itself whether it meets the criteria.
In addition, the NIS Directive should only introduce baseline requirements for those areas and sectors of OES that are not yet regulated. Nonetheless, it is imperative that all actors along the digital value chain, including producers of hardware and software, assume their responsibilities when it comes to enhancing and maintaining the resilience of critical infrastructures and OES. When introducing regulatory requirements for products, the EU Commission has to ensure legal consistency with the requirements stipulated in the NIS Directive.
In particular, in areas and sectors that are already regulated, such as aviation security (cf. Implementing Regulation 2019/1583) and telecommunications companies, the requirements introduced by these sector-specific regulations should prevail over the NIS Directive, as they take into account the specificities of the respective sector and are hence better equipped to address its subject matter. In case of contradictions and overlaps, the sector-specific EU regulatory acts should be the relevant ones. This explicitly refers only to EU-wide regulations and not to any national sector-specific regulations that undermine the EU-wide level playing field (e.g. through lower standards). For example, with regard to the telecommunications sector, it is essential that the overlap between the EECC and the NIS Directive does not result in unwarranted double regulation of telecommunications companies. Here, the EU Commission should synchronise the NIS Directive with Art. 40 EECC (Security of Networks and Services), which already regulates the telecommunications sector in detail. As the EU Commission is currently also reviewing the European Critical Infrastructure Protection Directive, it must ensure that the legal requirements introduced by the CIP Directive are compatible with the requirements of the NIS 2.0 Directive.