How Safe is Safe Enough? Improving Cybersecurity in Europe's Critical Infrastructure Under the NIS Directive

47 Pages. Posted: 11 Dec 2018

Johan David Michels

Queen Mary University of London, School of Law - Centre for Commercial Law Studies

Ian Walden

Queen Mary University of London - Centre for Commercial Law Studies (CCLS)

Date Written: December 7, 2018

Abstract

This paper examines the safeguarding and information obligations the NIS Directive imposes on operators of essential services and digital service providers. The Directive aims to ensure that such services are protected from disruption which could impact key economic and societal activities. Under the Directive, organisations need to take ‘appropriate and proportionate’ security measures. In this paper, we look at what this means in practice. We argue that organisations need to identify, assess, and address the cyber risks they face, so as to prevent and minimise service disruptions. Such risk management inevitably entails a level of subjective judgement and difficult trade-offs, leading to a persistent level of legal uncertainty. At the same time, organisations should be accorded significant discretion when translating the Directive’s high-level principles into practice. The regulator’s role is primarily that of ensuring that such discretion is exercised appropriately, including by providing guidance and monitoring compliance. We illustrate these points by looking at cyber risks in the air transport sector and, in particular, the compliance implications of using cloud services.

Keywords: Critical national infrastructure, cybersecurity, cyber-law, cyberattack, data security, information security, risk management, NIS Directive, risk-based regulation, principles-based regulation, incident notification, essential services, digital services, cloud computing

JEL Classification: K00, K1, K13, K19, K2, K20, K23, K30, K32, K33, D62, D81, L5, L51, L86, L93

Suggested Citation

Michels, Johan David and Walden, Ian, How Safe is Safe Enough? Improving Cybersecurity in Europe's Critical Infrastructure Under the NIS Directive (December 7, 2018). Queen Mary School of Law Legal Studies Research Paper No. 291/2018, Available at SSRN: https://ssrn.com/abstract=3297470

Johan David Michels (Contact Author)

Queen Mary University of London, School of Law - Centre for Commercial Law Studies

Ian Walden

Queen Mary University of London - Centre for Commercial Law Studies (CCLS)

67-69 Lincoln's Inn Fields
London, WC2A 3JB
United Kingdom
