Protection of the EU's Critical Infrastructures: Results and Challenges

Mikac, Robert

doi:10.60097/ACIG/162868

Powiadomienia systemowe

Sesja wygasła!
Sesja wygasła!

Artykuł - szczegóły

Tytuł artykułu

Protection of the EU's Critical Infrastructures: Results and Challenges

Autorzy

Mikac Robert

Treść / Zawartość

Pełne teksty:

Pobierz

Identyfikatory

DOI

10.60097/ACIG/162868

Warianty tytułu

Języki publikacji

Abstrakty

At the end of 2022 and the beginning of 2023, the EU adopted several new legislative acts aimed at improving the resilience and protection of network and information systems and critical entities across the Union. The objective of this research is to list the said acts, show their interconnections and focus specifically on the analysis of potential weaknesses of two legislative acts, namely: the NIS2 Directive and the CER Directive. The NIS2 Directive is a significant piece of legislation that aims to improve the cybersecurity of the European Union, while the CER Directive is a crucial piece of legislation that aims to improve the physical security of critical entities in the Union. These two documents are applied in parallel and contain many mutual references, which means that weaknesses in one document can have significant consequences in the implementation of the other. Therefore, through standard desk-top analysis of primary and secondary sources, this paper reviews the protection of the EU's critical infrastructures results and challenges by primarily focusing on these two documents. The research found certain weaknesses, explained them and suggested possible solutions.

Słowa kluczowe

critical infrastructures EU NIS2 directive CER directive

infrastruktura krytyczna UE dyrektywa NIS2 dyrektywa CER

Wydawca

NASK – National Research Institute

Czasopismo

Applied Cybersecurity & Internet Governance

Rocznik

2023

Tom

Vol. 2, No. 1

Strony

1--25

Opis fizyczny

Bibliogr. 34 poz.

Twórcy

autor

Mikac Robert

robert.mikac@fpzg.hr

Faculty of Political Science, University of Zagreb, Croatia

https://orcid.org/0000-0003-4568-6299

Bibliografia

1. The European Commission. (Jul. 24, 2020). Communication from the Commission to the European Parliament, the European Council, the Council, the European Economic and Social Committee and the Committee of the Regions on the EU Security Union Strategy, COM(2020) 605 final. [Online]. Available: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52020DC0605. [Accessed: Nov. 12, 2023].
2. P. Contreras, “The Transnational Dimension of Cybersecurity: The NIS Directive and Its Jurisdictional Challenges,” in Proceedings of the International Conference on Cybersecurity, Situational Awareness and Social Media. Springer Proceedings in Complexity, C. Onwubiko, C. et al. Singapore: Springer, 2023, pp. 327 – 341, doi: 10.1007/978-981-19-6414-5_18.
3. U. Franke, J. Turell, I. Johannson, “The Cost of Incidents in Essential Services – Data from Swedish NIS Reporting,” in Critical Information Infrastructures Security. CRITIS 2021. Lecture Notes in Computer Science, vol. 13139, D. Percia David, A. Mermoud, T. Maillart, Eds. Cham: Springer, 2021, pp. 116 – 129, doi: 10.1007/978-3-030-93200-8_7.
4. A. Mishra, Y. I. Alzoubi, M. J. Anwar, A. Q. Gill, “Attributes impacting cybersecurity policy development: An evidence from seven nations,” Computers & Security, vol. 120, 2022, pp. 1 – 23, doi: 10.1016/j.cose.2022.102820.
5. S. Maesschalck, V. Giotsas, B. Green, N. Race, “Don’t get stung, cover your ICS in honey: How do honeypots fit within industrial control system security,” Computers & Security, vol. 114, pp. 1 – 25, 2022, doi: 10.1016/j.cose.2021.102598.
6. M. Mirtsch, K. Blind, C. Koch, G. Dudek, “Information security management in ICT and non-ICT sector companies: A preventive innovation perspective,” Computers & Security, vol. 109, pp. 1 – 23, 2021, doi: 10.1016/j.cose.2021.102383.
7. D. Polverini, F. Ardente, I. Sanchez, F. Mathieux, P. Tecchio, L. Beslay, “Resource efficiency, privacy and security by design: A first experience on enterprise servers and data storage products triggered by a policy process,” Computers & Security, vol. 76, pp. 295 – 310, 2018, doi: 10.1016/j.cose.2017.12.001.
8. C. Banasiński, M. Rojszczak, “Cybersecurity of consumer products against the background of the EU model of cyberspace protection,” Journal of Cybersecurity, vol. 7, no. 1, pp. 1 – 15, 2021, doi: 10.1093/cybsec/tyab011.
9. H. Kavak, J. J. Padilla, D. Vernon-Bido, S. Y. Diallo, R. Gore, S. Shetty, “Simulation for cybersecurity: state of the art and future directions,” Journal of Cybersecurity, vol. 7, no. 1, pp. 1 – 13, 2021, doi: 10.1093/cybsec/tyab005.
10. S. Varga, J. Brynielsson, U. Franke, “Cyber-threat perception and risk management in the Swedish financial sector,” Computers & Security, vol. 105, pp. 1 – 18, 2021, doi: 10.1016/j.cose.2021.102239.
11. J. D. Michels, I. Walden, “How Safe is Safe Enough? Improving Cybersecurity in Europe’s Critical Infrastructure Under the NIS Directive,” Queen Mary School of Law Legal Studies, Research Paper No. 291/2018, pp. 1 – 47. [Online]. Available: https://ssrn.com/abstract=3297470. [Accessed: Nov. 18, 2023].
12. T. Aleksandrowicz, “The Act on the National Cybersecurity System as an Implementation of the NIS Directive,” Internal Security, vol. 12 no. 1, pp. 179 – 193, 2020, doi: 10.5604/01.3001.0014.3196.
13. D. Markopoulou, V. Papakonstantinou, P. de Hert, “The new EU cybersecurity framework: The NIS Directive, ENISA’s role and the General Data Protection Regulation,” Computer Law & Security Review, vol. 35, no. 6, pp. 1 – 11, 2019, doi: 10.1016/j.clsr.2019.06.007.
14. M. D. Cole, S. Schmitz-Berndt, “The Interplay between the NIS Directive and the GDPR in a Cybersecurity threat landscape,” University of Luxembourg Law Working Paper No. 2019 – 017, pp. 1 – 20. [Online]. Available: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3512093. [Accessed: Dec. 3, 2023].
15. S. Schmitz-Berndt, S. Schiffner, “Don’t tell them now (or at all) – responsible disclosure of security incidents under NIS Directive and GDPR,” International Review of Law, Computers & Technology, vol. 35, no. 2, pp. 101 – 115, 2021, doi: 10.1080/13600869.2021.1885103.
16. S. Schmitz-Berndt, „Refining the Mandatory Cybersecurity Incident Reporting Under the NIS Directive 2.0: Event Types and Reporting Processes,” in Proceedings of the International Conference on Cybersecurity, Situational Awareness and Social Media. Springer Proceedings in Complexity. C. Onwubiko et al. Singapore: Springer, 2023, pp. 343 – 351, doi: 10.1007/978-981-19-6414-5_19.
17. S. Schmitz-Berndt, “Defining the reporting threshold for a cybersecurity incident under the NIS Directive and the NIS2 Directive,” Journal of Cybersecurity, vol. 9, no. 1, pp. 1 – 11, 2023, doi: 10.1093/cybsec/tyad009.
18. T. Sievers, “Proposal for a NIS directive 2.0: companies covered by the extended scope of application and their obligations,” International Cybersecurity Law Review, vol. 2, pp. 223 – 231, 2021, doi: 10.1365/s43439-021-00033-8.
19. N. Vandezande, „Cybersecurity in the EU: How the NIS2-directive stacks up againstits predecessor,” SSRN, pp. 1 – 16, 2023. [Online]. Available: https://ssrn.com/abstract=4383118. [Accessed: Dec. 10, 2023].
20. A-V. Dragomir, “What’s new in the NIS2 Directive Proposal Compared to the Old NIS Directive,” SEA – Practical Application of Science, vol. 9, no. 27, pp. 155 – 162, 2021 [Online]. Available: https://seaopenresearch.eu/Journals/articles/SPAS_27_1.pdf. [Accessed: Nov. 30, 2023].
21. S. Schmitz-Berndt, P. G. Chiara, “One step ahead: mapping the Italian and German cybersecurity laws against the proposal for a NIS2 directive,” International Cybersecurity Law Review, no. 3, pp. 289 – 311, 2022, doi: 10.1365/s43439-022-00058-7.
22. The European Parliament and the Council of the European Union. (Dec. 14, 2022). Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS2 Directive) [Online]. Available: https://eur-lex.europa.eu/eli/dir/2022/2555/oj. [Accessed: Aug. 12, 2023].
23. The European Parliament and the Council of the European Union. (Dec. 14, 2022). Directive (EU) 2022/2557 of the European Parliament and of the Council of 14 December 2022 on the resilience of critical entities and repealing Council Directive 2008/114/EC. [Online]. Available: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32022L2557&qid=1692286376725. [Accessed: Aug. 12, 2023].
24. The European Parliament and the Council of the European Union. (Dec. 14, 2022). Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011. [Online]. Available: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R2554. [Accessed: Aug. 13, 2023].
25. The Council of the European Union. (Dec. 8, 2008). Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection. [Online]. Available: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32008L0114. [Accessed: Aug. 14, 2023].
26. The European Commission, Directorate-General for Migration and Home Affairs. Evaluation study of Council Directive 2008/114 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection, Executive summary, 2019, doi: 10.2837/353895.
27. The European Commission, Directorate-General for Migration and Home Affairs. Evaluation study of Council Directive 2008/114 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection – Final report, 2019, doi: 10.2837/864404.
28. The European Parliament and the Council of the European Union. (Jul. 6, 2016). Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union. [Online]. Available: https://eur-lex.europa.eu/eli/dir/2016/1148/oj. [Accessed: Aug. 14, 2023].
29. V. Papakonstantinou, “Cybersecurity as praxis and as a state: The EU law path towards acknowledgement of a new right to cybersecurity?” Computer Law & Security Review, vol. 44, pp. 1 – 15, 2022, doi: 10.1016/j.clsr.2022.105653.
30. O. Michalec, S. Milyaeva, A. Rashid, “Reconfiguring governance: How cyber security regulations are reconfiguring water governance,” Regulation & Governance, vol. 16, no. 4, pp. 1325 – 1342, 2022, doi: 10.1111/rego.12423.
31. E. K. Szczepaniuk, H. Szczepaniuk, T. Rokicki, B. Klepacki, “Information security assessment in public administration,” Computers & Security, vol. 90, pp. 1 – 11, 2020, doi: 10.1016/j.cose.2019.101709.
32. The European Commission. Commission Staff Working Document Impact Asessment Report Accompanying the document Proposal for a Directive of the European Parliament and of the Council on measures for a high common level of cybersecurity across the Union, repealing Directive (EU) 2016/1148, SWD/2020/345 final – part 1/3, 2020. [Online]. Available: https://eur-lex.europa.eu/resource.html?uri=-cellar:d51e4bbb-3fa8-11eb-b27b-01aa75ed71a1.0001.02/DOC_1&format=PDF. [Accessed: Dec. 13, 2023].
33. The European Commission, Directorate-General for Migration and Home Affairs. Evaluation study of Council Directive 2008/114 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection, Annex II, 2020. [Online]. Available: https://op.europa.eu/en/publica-tion-detail/-/publication/71835078-b043-11ea-bb7a-01aa75ed71a1/language-en/format-PDF/source-search. [Accessed: Aug. 21, 2023].
34. R. Mikac, I. Cesarec, R. Larkin, Critical infrastructure: A platform for the successful development of the security of nations. Zagreb: Jesenski i Turk (in Croatian), 2018.

Uwagi

Opracowanie rekordu ze środków MNiSW, umowa nr SONP/SP/546092/2022 w ramach programu "Społeczna odpowiedzialność nauki" - moduł: Popularyzacja nauki i promocja sportu (2024).

Typ dokumentu

Bibliografia

Identyfikator YADDA

bwmeta1.element.baztech-a42bb2e5-58fd-427d-8f96-7ebc1f9c560a