Will the EU institutions next Monday (7 December), as they give birth to a network and information security (NIS) directive, run the risk of fragmentation and of adding more red tape in an effort to build minimum resilience capabilities and common rules for incident reporting?
Cybersecurity is a comprehensive concept that encompasses several different dimensions of information security. It spans from consumer education to information sharing and even more complex issues such as critical information infrastructure protection and the fight against cybercrime and cyber-terrorism. It also plays a major role in defense and national security matters, yet the latter are not regulated by the EU, as competence falls exclusively with Member States. Yet when we speak about cybersecurity, the key word is “trust” – key for promoting information sharing, technical cooperation and exchange of best practices at international and at multi-stakeholder level.
The EU agenda on cybersecurity has evolved in two steps. Before 2013, the EU was merely interested in the topic and was handling it by “patch-working” sectoral legislation. The first comprehensive EU communication on cybersecurity came with the publication of the NIS directive, just months before Edward Snowden’s revelations on the US government surveillance programs.
Since then, interest in Brussels in the subject has increased exponentially, as decision-makers have understood the need for urgent action. But as the draft bill now enters its final phase, an open question is who exactly will be obliged to report incidents, and under what conditions. Besides critical infrastructures, the EU institutions have agreed to expand the scope to “digital service providers” (e-commerce platforms, cloud computing services, search engines and others), and, while the modalities for the former group are already defined, it is quite the opposite for the latter. Moreover, the issue of fragmentation has appeared, as Member States obtained during the interinstitutional talks the privilege of identifying at national level which critical operators should comply with the bill.
Another issue is how this new legislation would avoid overlaps with existing rules. While the text foresees an article on the matter, the latest Parliament proposals suggest that such duplications should be avoided only for “sector-specific legislations”. It is questionable whether horizontal legislation, such as the expected general data protection regulation, would fall under this definition. The risk is that, if an incident on the network involves a data breach, the operator would have to report both to the cyber-relevant authorities and to the data protection authorities – a mess with regard to technical and business operations, and an increased risk when it comes to compliance.
Finally, as the Commission has shifted its legislative focus to delivering “less and better regulation”, it is questionable to what extent a fragmented directive would fit this policy agenda. The process reminds me of a comment shared with me by a global security expert who said, “unfortunately, when it comes to cybersecurity, the interest exceeds the understanding”. I hope policymakers take the initiative to resolve these issues and prove him wrong.
Next Monday, Member States and Parliament will be responsible not only for finalizing this new bill, but also for guiding the Commission in its 2016 agenda on cybersecurity, as defined in the Digital Single Market strategy. For further details, have a look at the comprehensive DSM timeline developed by FleishmanHillard’s technology team.