Article title

Towards an Efficient and Coherent Regulatory Framework on Cybersecurity in the EU: The Proposals for a NIS 2.0 Directive and a Cyber Resilience Act

Publication languages
EN
Abstracts
EN
Cybersecurity regulation in the EU has long been implemented in a piecemeal fashion, resulting in a fragmented regulatory landscape. Recent developments triggered the EU to review its approach, which has not resulted in the envisaged high level of cyber resilience across the Union. The paper addresses the EU’s limited mandate to regulate cybersecurity and outlines how the internal market rationale serves as a basis to harmonise cybersecurity legislation in the EU Member States. In that regard, the recent Proposal for a NIS 2.0 Directive (adopted by the European Parliament in November 2022) and the Proposal for a Cyber Resilience Act (published in September 2022) highlight how the EU seeks to align legislation and reduce complexity between different, often sectoral regulatory approaches to cybersecurity, while at the same time extending regulation with a view to achieving a high level of cybersecurity across the EU. As regards the latter, the paper also outlines how the Cyber Resilience Act will complement the NIS 2.0 Directive in order to close existing regulatory gaps.
Year
Pages
1–17
Physical description
Bibliography: 52 items
Authors
  • Interdisciplinary Centre for Security, Reliability and Trust (SnT), University of Luxembourg, Luxembourg
author
  • Faculty of Law, Economics and Finance, Department of Law, University of Luxembourg, Luxembourg
Notes
Record prepared with funds from MEiN, agreement no. SONP/SP/546092/2022, under the programme "Social Responsibility of Science" - module: Popularisation of science and promotion of sport (2022-2023).
Document type
Bibliography
YADDA identifier
bwmeta1.element.baztech-5e2636f0-e05c-409b-bde9-1c3b051d1d78