The European Cybersecurity Strategy and the NIS Directive towards a more secure online Union

According to a survey conducted by PWC “at least 80% of European companies have experienced at least one cybersecurity incident over the last year and the number of security incidents across all industries worldwide rose by 38% in 2015”1. These incidents cause an annual loss of 260 billion euros to 340 billion euros, thus, damaging the overall economy of the Union. To better appreciate the services that the technological revolution has brought about, citizens and business firms need to develop more trust and confidence in the security of the system.

In order to face the new challenges represented by cybercrime in Europe, Member States adopted, in July 2016, the first legislation at European level on cybersecurity: the Directive on Security of Network and Information Systems (the NIS Directive). Its main goal is to eliminate the differences among Member States in the legislation on cybersecurity, establishing a cooperation system based on trust and security. This first step is the most recent result of the EU Cybersecurity Strategy developed in 2013. The NIS Directive is expected to give an unprecedented boost to the level of cybersecurity in the Union.

Background

On February 2013, the European Commission adopted the EU Cybersecurity Strategy in order to reduce and to prevent cybercrime more efficiently. The Commission’s main objectives in the field of cybersecurity were three, namely: 1) increasing cybersecurity capabilities and cooperation; 2) making the EU a strong player in cybersecurity and 3) mainstreaming cybersecurity in EU Policies2. Moreover, one of the key points of the Strategy was the adoption of a common Directive dealing with network and ICT security among Member States – what would later become the NIS Directive.

In the framework of the EU Cybersecurity Strategy, the European Commission took further steps to strengthen the online protection of the Europeans: the European Agenda on Security (adopted in April 2015) and the Digital Single Market Strategy (adopted in May 2015). The former set up three pillars to enforce the fight against crime and terrorism: 1) preventing terrorism and countering radicalization; 2) fighting organized crime; and 3) fighting cybercrime. The latter stressed the vital role of trust and security as necessary tools to increase cybersecurity capabilities and cooperation among Member States.

As Andrus Ansip, Vice-President for the Digital Single Market, declared in the official press release on the new public-private partnership on cybersecurity: “Without trust and security, there can be no Digital Single Market. Europe has to be ready to tackle cyber-threats that are increasingly sophisticated and do not recognize borders. Today, we are proposing concrete measures to strengthen Europe’s resilience against such attacks and secure the capacity needed for building and expanding our digital economy.”3

NIS Directive

The text for a Directive on Security of Network and Information Systems was proposed by the European Commission in 2013. However, the text was approved on 7 December 2015 only after a long negotiation in the European Parliament, the Council and the Commission4. The Directive was officially adopted on 6 July 2016 by the 28 Member States of the European Union. Its adoption was welcomed as a great achievement by Andrus Ansip, Vice-President for the Digital Single Market and by Günther H. Oettinger, Commissioner for the Digital Economy and Society.

In force since August 2016, the Directive gives the Member States 21 months to transpose it in their national systems, and six additional months were conceded to identify the operators of essential services. Article 5 of the Directive specifies the criteria for the identification of the main operators as follow: “(a) an entity provides a service which is essential for the maintenance of critical societal and/or economic activities; (b) the provision of that service depends on network and information systems; and (c) an incident would have significant disruptive effects on the provision of that service”5.

The NIS Directive identifies three main actions. First, a Computer Security Incident Response Teams (CSIRT)6 should be set up across the EU in order to provide a faster and more efficient answer to cyber threats or attacks. Secondly, the Directive encourages the establishment of a ‘Cooperation Group’ to guarantee a “strategic cooperation and the exchange of information among Member States and to develop trust and confidence amongst them”.7 The Cooperation Group needs to be supported by a ‘CSIRT Network’ to provide an operational cooperation on specific cybersecurity attacks or incidents. Thirdly, a “culture of security” should be promoted among European businesses which have been identified as key providers.

Businesses play a key role in the strategy. For this reason, a contractual Public-Private Partnership (cPPP) has been signed between the European Cyber Security Organization (ECSO), representing the cybersecurity stakeholders, and the Commission. This partnership is expected to triple the investments in the field of research and innovation, that amount already to 450 million euros under Horizon 20208. Cybersecurity could be used to gain a competitive advantage: in fact, an effective analysis of the previous hacking attempts could yield better results in preventing future breaches than a simple incremental increase in the defense systems of the network. Monitoring online behaviors of potential intruders as well as legitimate visitors could become a useful tool to better understand a company’s business environment9.

Furthermore, the European Commission is working over a European certification framework for ICT services and products in order to overcome the difficulties represented by a fragmented EU cybersecurity market. In addition to this initiative, a voluntary labelling scheme is expected to increase the security of ICT products.

In developing a national strategy on the security of NIS, the Member States may request the assistance of the European Union Agency for Network and Information Security (ENISA)10. ENISA was established in 2004 to contribute “to the development of a culture of NIS in society […] in order to raise awareness of NIS, thus contributing to proper functioning of the internal market”11. Under the Directive, the Agency shall support the work of the CSIRT and the Cooperation Group in ensuring an effective implementation of the Directive at the national level.

Conclusion

In an era in which technology plays a central role in society and in economy and where e-payments and clouds are a key element of our lives, the European Union has developed a comprehensive strategic framework to protect its citizens and its business from cyber threats and attacks. The system is based on trust and security – both considered essential elements in the realization of the EU’s strategic objectives.

The recent adoption of the NIS Directive represents an important increase in the overall online security of the Union. Introduced in order to overcome Member States’ practices differences, the first EU-wide legislation on cybersecurity is designed to create common security standards at national level. In addition, cooperation and sharing of good practices at the European level ensure a good implementation.

Instead of trying to build an impenetrable “wall”, the approach chose in the strategy it is an analysis of attempted attacks in order to understand which are the weak points of the system and thus, where to improve. This approach, complemented by a sharing of information between Member States, will more efficiently guarantee the protection of the online Union.

Federica Sola

Master’s Degree in International Relations (LUISS “Guido Carli”)


Notes

1 European Commission, Commission signs agreement with industry on cybersecurity and steps up efforts to tackle cyber-threats, Press Release, 5 June 2016, Brussels, available at http://europa.eu/rapid/press-release_IP-16-2321_en.htm.

2 European Union External Action EU Cybersecurity plan to protect open internet and online freedom and opportunity, Press Release, 7 February 2013, Brussels, available at http://europa.eu/rapid/press-release_IP-13-94_en.htm.

3 European Commission, Commission signs agreement with industry on cybersecurity and steps up efforts to tackle cyber-threats, Press Release, available at http://europa.eu/rapid/press-release_IP-16-2321_en.htm.

4 European Commission, Commission welcomes agreement to make the EU online environment more secure, Press Release, 8 December 2015, Brussels, available at http://europa.eu/rapid/press-release_IP-15-6270_en.htm.

5 European Council and European Parliament, Directive concerning measures for a high common level of security of network and information systems across the Union, L 194/13, 6 July 2016, Brussels, article 5(2), available at http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2016.194.01.0001.01.ENG&toc=OJ:L:2016:194:TOC.

6 Computer Security Incident Response Teams receive and review the notification of attacks reported by Member States. Their role and tasks in relation to the strategy are defined at article 9 and Annex I of the Directive (L 194/13).

7 Supra, Directive concerning measures for a high common level of security of network and information systems across the Union, article 1 (b).

8 Supra Commission signs agreement with industry on cybersecurity and steps up efforts to tackle cyber-threats.

9 With “business environment” we refer to “[t]he combination of internal and external factors that influence a company’s operating situation”. Read more in The Business Dictionary at: http://www.businessdictionary.com/definition/business-environment.html. Archer T. and Burg D., Safety in the Cloud, in strategy+business, 8 March 2016, available at http://www.strategy-business.com/article/Safety-in-the-Cloud.

10 Supra Directive concerning measures for a high common level of security of network and information systems across the Union, article 7(2).

11 ENISA, About ENISA, all information available at https://www.enisa.europa.eu/about-enisa.

Analyses