The Cybersecurity Directive: Pirate’s angle

Network and Information Systems. NIS 2. The almost forgettable title hides major and crucial changes in the field of European Cybersecurity. After a year of work and negotiations in several parliamentary committees, we managed to put together a document that updates the Union’s resilience against cyberattacks. As Pirates, we played in this process our role and managed to get a few of our priorities into the final text.

In 2016 the European Union created its major piece of EU-wide legislation on cybersecurity, the NIS Directive. At the time cyber attacks were already a daily problem for all Member States. Since then, attacks have increased even further as cybercriminals become more numerous and more technically skilled.

Specifically, those trained and operated by authoritarian regimes like Russia or China, have become more able to considerably disrupt critical infrastructure. To respond to this increased exposure to cyber threats, the NIS 2 Directive, which I worked on in the AFET committee a year ago, now covers medium and large entities from more sectors that are critical for the economy and society, including providers of public electronic communications services, digital services, wastewater and more.

Pirate footprint in new legislation

Cyberspace does not care about borders and attacks can come from any Internet connection on earth and can target any European citizen, institution, or business. As such common European Union-wide minimum standards are a suitable way to address this challenge.

Last month, the European Parliament together with experts from national governments updated this landmark legislation to make us safer in cyberspace. Pirates played an important role in improving the draft and quite a few of our priorities made it into the final text. Here are the ones I find crucial: 

  1. Open-source software and technology has been recognised for its significant role in providing better security. EU Member States should include cybersecurity-related requirements for ICT products in public procurement, including cybersecurity certification as well as encryption requirements and the use of open-source products. This will hopefully lead to an overall improvement and safeguard of vulnerable public networks across the EU.
  2. Coordinated bug disclosure by Computer security incident response teams (CSIRTs). From now on Member States response teams, which were already established by NIS 1, will facilitate access to information on vulnerabilities registered in the European vulnerability registry and significantly improve national cooperation. Coordination on this critical area will allow quicker patch and response times for all networks in the EU once bugs have been identified by at least one Member State.
  3. International Cooperation among like-minded people and nations. The national work of CSIRTs and other competent authorities must include cooperation with like-minded countries and organisations for this global security problem to be adequately addressed. Member States are now more able and enticed to participate and contribute to such cooperation.
  4. Cybersecurity training and education that is free of charge and open to all citizens and SMEs. Almost everyone in the European Union owns at least one internet connected device. Likely, you are reading this article on one of them right now. As such widespread and free education and support from competent national authorities will be significantly improved. The more we invest in basic cybersecurity training and education, the better we become as a Union in countering attacks.

New features are also streamlined notification obligations for entities under attack, in order to allow for enough time and flexibility to first react to the attack, yet also allow for competent authorities to have enough time for active support and assistance.

New policies for large companies on the use of encryption and multi-factor authentication will equally add security, as well as accountability of top management for non-compliance with the cybersecurity obligations with fines up to 2% of total annual turnover. That will ensure that all these new measures are correctly applied by critical companies and utilities.

I’m strongly convinced that the mix of improved and new measures will lead to a safer European cyberspace.