There is an uneven landscape when it comes to cybersecurity readiness in Europe, writes Thomas Boué. To build a foundation for cyber protections, the European Union needs to start with the most critical infrastructure, he argues.
Thomas Boué is Director of Government Affairs for the EMEA region at BSA | The Software Alliance, an advocacy organisation for the global software industry.
Improving Europe’s ability to defend against cyber threats is vital to the safety and security of European citizens and the economy. Stronger safeguards, faster and better detection, and more effective response and remediation – that’s the goal. To build a foundation for cyber protections in Europe we need to start with Europe’s most critical infrastructure, ensuring from the outset that EU laws are helping to secure that which needs protecting the most.
Earlier this year, the European Commission took its first foray into the cybersecurity space by introducing a draft directive to ensure a high common level of network and information security across the union (the “NIS Directive”) with the intent to improve harmonisation of cybersecurity across the EU. That’s a worthwhile objective, as there is an uneven landscape when it comes to cybersecurity readiness in Europe. A report due out from BSA early next year will show the patchwork effect that exists across the 28 EU Member States.
Bolstering cybersecurity has been of paramount concern for the software industry for decades. Software companies monitor networks and information systems constantly, looking for threats and responding with updates and tools.
But the cyberthreat landscape is vast and ever-changing. Those who invest significant time and resources in cybersecurity will tell you the importance of viewing cyber threats through a lens of risk, focusing protections on those areas where the potential for harm is greatest. While the Commission’s initiative is positive, the proposal tries to tackle too much from the outset by casting the scope of the Directive so wide as to include everything from critical infrastructure to online games and music services.
The NIS Directive should start with Europe’s most critical networks and infrastructure, such as transport, energy and banking, in order to establish a foundation for cybersecurity readiness first and foremost in those areas where disruption would have major security and public safety impacts. It should build on the regulatory infrastructures already in place that support critical systems and infrastructure.
Keeping the Directive’s reporting requirements focused on critical infrastructure and excluding information society services would eliminate conflicts or redundancies in process. Consider this example:
If business-to-business services like cloud services are included in the scope directly, it would create a situation where a single incident would be reported by both an IT service provider and the operator of the infrastructure. There would then be two (or more) reports for what is ultimately one problem, wherein only one entity has a clear and complete understanding of the impact of the incident on the critical network or service. This would create a confusing and burdensome situation for operators, service providers and competent authorities. It also puts service providers in the untenable position of having to circumvent their customer (the critical infrastructure provider) and provide sensitive and confidential information – that may be imprecise – to a third party.
A better solution would be to have one consolidated report from the critical infrastructure operator outlining the problem and its implications, no matter where it occurred within the value chain. This would ensure clear, first-hand information is provided to the competent authority about how to reduce the threat risk in the future.
The European Parliament wisely recognised the value of a narrow focus in the Directive. MEP Andreas Schwab said in his report, “at the beginning of the project, we need to talk specifically and first and foremost about protecting critical infrastructure in the EU,” which of course doesn’t exclude expanding its scope in the future.
The consequence of casting the net too wide at the outset will be inefficiency and compliance challenges, and a false sense of security that important protections have been achieved when, perhaps, they have not.
The same is true for a Directive that allows too much variation in the implementation among Member States. It is important that the NIS Directive promotes as much harmonisation as possible throughout the Single Market.
Focusing on critical infrastructure and creating reasonably harmonised reporting structures are, by far, the best ways to improve cybersecurity protections in Europe. We very much hope that the next round of trilogue discussions on 11 November will reflect this approach.