Cybersecurity counts: There is an urgent need to harmonize and reduce fragmentation in the EU
Jochen Michels, Head of Public Affairs Europe
It is worth looking at the full title of the directive, which is usually referred to as the NIS Directive: Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union.
Why do I say that? Because the title makes the directive's intent very clear. This purpose is worthy of special consideration when it comes to reviewing, adapting and developing the regulation. There is no doubt: since its adoption in 2016, the NIS Directive has supported and further enhanced the development of cybersecurity capabilities within EU Member States. The progress made relates to all three areas of the Directive: (i) national capabilities; (ii) cross-border collaboration; and (iii) national supervision of critical sectors.
However, as a global cybersecurity company, we observe constantly evolving threat scenarios and expanding attack surfaces, putting network and information systems at risk. And that is precisely why we support the EU in its efforts to substantially and sustainably strengthen the resilience of networks and systems against cybersecurity risks. One thing is particularly important for this: we see the need to harmonize the European Digital Single Market and to reduce the fragmentation that has resulted from different legislation, varying implementation of the Directive, and the numerous definitions that exist in the Member States.
For example, operators of essential services (OES) and digital service providers (DSP) have to comply with different requirements for incident reporting. In Europe, there exist different time frames, reported information is duplicated, and addressees differ from European bodies such as the ECB for ECB cyber-incidents, to national NIS authorities under the NIS Directive. That makes things very complicated for operators and authorities alike, and does not do much to deter cybercriminals, who know no borders. They do not care about different legal frameworks and strike targets that seem most promising.
It is therefore necessary to introduce EU-wide common standards that are precisely aimed at the respective security needs and to make it pointless for cybercriminals to carry out attacks because the costs are too high (btw: this is the idea behind the new concept of Cyber-Immunity that Kaspersky has developed in recent years). Thus, we see the need to create a coherent and harmonized common level playing field for OES as well as for DSP across the EU. Why? Common and harmonized cybersecurity rules at EU level seems to be the most effective way to achieve a higher level of cyber-resilience and to promote the digital single market.
One more point seems important in view of the review. The EU is the largest cybersecurity and data market in the world. As with GDPR, a revised NIS Directive has the aim of serving as the blueprint for other regions and thus contributes to global harmonization and standardization in the field of the security of network and information systems.
The EU Commission has launched a comprehensive, structured and inclusive process for revision of the Directive. In doing so, the Commission takes into account scientific knowledge as well as the practical experience of industry, governments, citizens and civil society. Furthermore, the Commission carries out studies and evaluates the state of implementation in the individual member states. All this is a very sensible, targeted and promising process in which we as Kaspersky are contributing at various levels. One example is the feedback we have submitted to the Commission regarding the roadmap.
With this, I refer to one further aspect: the revision of the NIS Directive comes together with the parallel update of European Critical Infrastructure (ECI) Directive 2008/114/EC, which is conducted by another Directorate (DG Home). The fact that the ECI and NIS Directives are currently being revised by two different Directorates seems to be primarily due to the history of the development of both Directives. The ECI Directive arose from the fight against terrorist threats, and in 2008 focused exclusively on the transportation and energy sectors. The 2016 NIS Directive has a more comprehensive horizontal approach. While we believe that the NIS Directive is the more appropriate instrument for addressing security risks and digital threats, including cyberterrorism, it is important that the Union looks into harmonizing the two to achieve synergy and shared understanding through a more integrated and combined approach that we call for.