How Safe is Safe Enough? Improving Cybersecurity in Europe's Critical Infrastructure Under the NIS Directive
47 Pages Posted: 11 Dec 2018
Date Written: December 7, 2018
This paper examines the safeguarding and information obligations the NIS Directive imposes on operators of essential services and digital service providers. The Directive aims to ensure that such services are protected from disruption that could affect key economic and societal activities. Under the Directive, organisations must take ‘appropriate and proportionate’ security measures. In this paper, we look at what this means in practice. We argue that organisations need to identify, assess, and address the cyber risks they face, so as to prevent and minimise service disruptions. Such risk management inevitably entails a degree of subjective judgement and difficult trade-offs, leading to a persistent level of legal uncertainty. At the same time, organisations should be accorded significant discretion when translating the Directive’s high-level principles into practice. The regulator’s role is primarily to ensure that such discretion is exercised appropriately, including by providing guidance and monitoring compliance. We illustrate these points by looking at cyber risks in the air transport sector and, in particular, the compliance implications of using cloud services.
Keywords: Critical national infrastructure, cybersecurity, cyber-law, cyberattack, data security, information security, risk management, NIS Directive, risk-based regulation, principles-based regulation, incident notification, essential services, digital services, cloud computing
JEL Classification: K00, K1, K13, K19, K2, K20, K23, K30, K32, K33, D62, D81, L5, L51, L86, L93