347 total views

The rapid technological improvements and the increased digitisation have caused an advancing dependence on information and communication technology (ICT) services. Moreover, such services are getting more complex involving a devastating number of stakeholders in cyberspace, demanding the appropriate level of organisational cybersecurity and resilience capabilities.

Due to the multi-shareholder and multilevel approach of the European Union (EU), in 2016, the NIS Directive prescribed different obligations:

1. On the Union level to create a Cooperation Group to support and facilitate strategic cooperation and information exchange among the Member States and to create the computer security incident response teams network (CSIRTs network) promoting operational cooperation;
2. For Member States to adopt a national strategy and to designate the national competent authorities and at least one competent CSIRT for the essential services;
3. For operators of essential services (OESs) and for digital service providers (DSPs) to comply with security-related requirements. But, according to the author’s opinion, there are a few severe defects of the current approach that is based on the NIS Directive ^[1]Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union. … Continue reading.

First of all, there are missing stakeholders. On the one hand, even though some elements of eGovernment services were elevated onto the EU level by the eGovernment Action Plan 2016-2020 ^[2]European Commission, “EU eGovernment Action Plan 2016-2020 – Accelerating the Digital Transformation of Government.” 2016. [Online]. Available: … Continue reading, it has wholly remained on the level of national legislation because the Member States prevented the integration of eGovernment into the NIS Directive. On the other hand, important (or even dominant) economic entities, which downtime noticeable affects the (Digital) Single European Market (SEM), are currently out of scope.

Secondly, there are unhandled dependence on ICT supply chain, although organisations have become more vulnerable to supplying problems due to “supply chains become longer (more tiers), larger (more depth), and more complex” ^[3]F. Alfarsi, F. Lemke, and Y. Yang, “The importance of supply chain resilience: An empirical investigation,” 2019. doi: 10.1016/j.promfg.2020.01.295.. For example, in 2020, a cyberattack was conducted against SolarWinds ^[4]D. Wolpoff, “After the FireEye and SolarWinds breaches, what’s your failsafe?,” TechCrunch, Dec. 21, 2020. that has seriously affected its customers via its network management tool, Orion, applied worldwide. The most prominent publicly known attacked public and private entities were in the United States. Still, among the 18 000 downloaders of malicious code as a software update, however, probable OESs, DSPs, and other entities in the EU could suffer at least indirectly.

So, in the operation of technology and related cybersecurity processes, various local and global, small and large Managed Service Providers (MSPs), Managed Security Services Providers (MSSPs), and hardware and software manufacturers have huge responsibilities. Based on ^[5]European Commission, LSEC, and PwC, “Cybersecurity industry market analysis.” 2019. doi: 10.2759/018751., there are three types of cybersecurity industry entities providing (1) cybersecurity products and services exclusively, (2) cybersecurity products and services, among other activities, or (3) products and services that are part of the cybersecurity value chain.

Thirdly, a more significant issue comes, however, from the legislative nature of the NIS Directive, as it prescribes security obligations without minimum requirements allotted to the Member States having different (cybersecurity) capabilities. At the same time, regarding the complexity of the legislative framework, hypothetically, if a security incident affects an OES’s IT system offering payment services and the incident has an impact on personal data, there is an obligation to notify and cooperate with possibly different competent authorities under Articles 6, 14, and 16 of the NIS Directive, Articles 33 and 34 of the GDPR ^[6]Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of … Continue reading, and Article 19 of PSD2 ^[7]Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and … Continue reading. Article 19 of eIDAS ^[8]Regulation (EU) No 910/2014 of the European Parliament and the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing … Continue reading prescribes further obligations for the trust services providers.

Lastly, the cybersecurity standards are fragmented due to the lack of cross-Member State interoperable solutions and the lack of higher-level mechanisms. The Cybersecurity Act ^[9]Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology … Continue reading have created a voluntary framework for European Union-wide cybersecurity certification for ICT products, services, and processes ^[10]C. Kohler, “The EU Cybersecurity Act and European standards: an introduction to the role of European standardization,” International Cybersecurity Law Review, vol. 1, no. 1–2, 2020, doi: … Continue reading. Since, typically, organisations implement cybersecurity capabilities in a risk-based approach, it is an apparent deficiency that there is no standard approach to identify interdependencies and conduct a business impact analysis and modelling risks. Currently, the ENISA ^[11]ENISA, “Interdependencies between OES and DSPs,” 2021. https://www.enisa.europa.eu/news/enisa-news/enisa-publishes-a-tool-for-the-mapping-of-dependencies-to-international-standards (accessed May … Continue reading, fostering impact analysis, has created its Interdependencies tool that “contributes to the NIS Directive (Article 3) objective for a common and converged level of security in network and information systems at EU level, and it does not intend to replace existing standards, frameworks or good practices in use by OESs”.

According to the European Commission ^[12]European Commission, “Proposal for directive on measures for high common level of cybersecurity across the Union,” 2021. … Continue reading, the NIS 2 Directive proposal eliminates the distinction between OESs and DSPs and “expands the scope of the current NIS Directive by adding new sectors based on their criticality for the economy and society, and by introducing a clear size cap – meaning that all medium and large companies in selected sectors will be included in the scope. At the same time, it leaves some flexibility for the Member States to identify smaller entities with a high-security risk profile.”

As a further improvement, the draft aims to enhance the security of supply chains and supplier relationships and prescribes a minimum list of basic security requirements. On the other hand, there is no standardisation approach to identify interdependencies, conduct business impact analysis, and model risks considering all the organisational ICT ecosystem elements as technology, people, and processes.

Acknowledgement

The blog is based on the recent co-authored article of the author with title of “Analysis of the cybersecurity ecosystem in the European Union” ^[13]Z. Bederna and Z. Rajnai, “Analysis of the cybersecurity ecosystem in the European Union,” International Cybersecurity Law Review, 2022, doi: 10.1365/s43439-022-00048-9..

Zsolt Bederna

Zsolt Bederna is a PhD candidate at Óbuda University Doctoral School on Safety and Security Sciences, Hungary, with the research topic of information and communication technology’s security in critical infrastructures. He conducted various research on different perspectives of cybersecurity, such as the Union-level governance as well as national-level and business effects of cyberattacks, including financial and non-financial impacts. He is a security expert in the business area, holding ISACA, ISC(2), and EC-Council certificates. He is the founder and CEO of a cybersecurity consulting firm and a CTO at a startup working with user awareness.

This author does not have any more posts.