How Safe is Safe Enough? Improving Cybersecurity in Europe's Critical Infrastructure Under the NIS Directive

47 Pages. Posted: 11 Dec 2018

Johan David Michels

Queen Mary University of London, School of Law

Ian Walden

Queen Mary University of London, School of Law

Date Written: December 7, 2018

Abstract

This paper examines the safeguarding and information obligations the NIS Directive imposes on operators of essential services and digital service providers. The Directive aims to ensure that such services are protected from disruption which could impact key economic and societal activities. Under the Directive, organisations need to take ‘appropriate and proportionate’ security measures. In this paper, we look at what this means in practice. We argue that organisations need to identify, assess, and address the cyber risks they face, so as to prevent and minimise service disruptions. Such risk management inevitably entails a level of subjective judgement and difficult trade-offs, leading to a persistent level of legal uncertainty. At the same time, organisations should be accorded significant discretion when translating the Directive’s high-level principles into practice. The regulator’s role is primarily that of ensuring that such discretion is exercised appropriately, including by providing guidance and monitoring compliance. We illustrate these points by looking at cyber risks in the air transport sector and, in particular, the compliance implications of using cloud services.

Keywords: Critical national infrastructure, cybersecurity, cyber-law, cyberattack, data security, information security, risk management, NIS Directive, risk-based regulation, principles-based regulation, incident notification, essential services, digital services, cloud computing

JEL Classification: K00, K1, K13, K19, K2, K20, K23, K30, K32, K33, D62, D81, L5, L51, L86, L93

Suggested Citation

Michels, Johan David and Walden, Ian, How Safe is Safe Enough? Improving Cybersecurity in Europe's Critical Infrastructure Under the NIS Directive (December 7, 2018). Queen Mary School of Law Legal Studies Research Paper No. 291/2018. Available at SSRN: https://ssrn.com/abstract=3297470

Johan David Michels (Contact Author)

Queen Mary University of London, School of Law

67-69
Lincoln's Inn Fields
Holborn, London WC2A 3JB
United Kingdom

Ian Walden

Queen Mary University of London, School of Law

Mile End Road
London, London E1 4NS
United Kingdom
