RESEARCH PAPER
Protection of the EU's Critical Infrastructures: Results and Challenges
1
University of Zagreb, Croatia
Publication date: 2023-12-31
Applied Cybersecurity & Internet Governance 2023;2(1):1-5
KEYWORDS
ABSTRACT
At the end of 2022 and the beginning of 2023, the EU adopted several new legislative acts aimed at improving the resilience and protection of network and information systems and critical entities across the Union. The objective of this research is to list the said acts, show their interconnections and focus specifically on the analysis of potential weaknesses of two legislative acts, namely: the NIS2 Directive and the CER Directive. The NIS2 Directive is a significant piece of legislation that aims to improve the cybersecurity of the European Union, while the CER Directive is a crucial piece of legislation that aims to improve the physical security of critical entities in the Union. These two documents are applied in parallel and contain many mutual references, which means that weaknesses in one document can have significant consequences in the implementation of the other. Therefore, through standard desk-top analysis of primary and secondary sources, this paper reviews the protection of the EU's critical infrastructures results and challenges by primarily focusing on these two documents. The research found certain weaknesses, explained them and suggested possible solutions.
REFERENCES (34)
1.
The European Commission. (Jul. 24, 2020). Communication from the Commission to the European Parliament, the European Council, the Council, the European Economic and Social Committee and the Committee of the Regions on the EU Security Union Strategy, COM(2020) 605 final. [Online]. Available: https://eur-lex.europa.eu/lega.... [Accessed: Nov. 12, 2023].
2.
P. Contreras, “The Transnational Dimension of Cybersecurity: The NIS Directive and Its Jurisdictional Challenges,” in Proceedings of the International Conference on Cybersecurity, Situational Awareness and Social Media. Springer Proceedings in Complexity, C. Onwubiko, C. et al. Singapore: Springer, 2023, pp. 327 – 341, doi: 10.1007/978-981-19-6414-5_18.
3.
U. Franke, J. Turell, I. Johannson, “The Cost of Incidents in Essential Services – Data from Swedish NIS Reporting,” in Critical Information Infrastructures Security. CRITIS 2021. Lecture Notes in Computer Science, vol. 13139, D. Percia David, A. Mermoud, T. Maillart, Eds. Cham: Springer, 2021, pp. 116 – 129, doi: 10.1007/978-3-030-93200-8_7.
4.
A. Mishra, Y. I. Alzoubi, M. J. Anwar, A. Q. Gill, “Attributes impacting cybersecurity policy development: An evidence from seven nations,” Computers & Security, vol. 120, 2022, pp. 1 – 23, doi: 10.1016/j.cose.2022.102820.
5.
S. Maesschalck, V. Giotsas, B. Green, N. Race, “Don’t get stung, cover your ICS in honey: How do honeypots fit within industrial control system security,” Computers & Security, vol. 114, pp. 1 – 25, 2022, doi: 10.1016/j.cose.2021.102598.
6.
M. Mirtsch, K. Blind, C. Koch, G. Dudek, “Information security management in ICT and non-ICT sector companies: A preventive innovation perspective,” Computers & Security, vol. 109, pp. 1 – 23, 2021, doi: 10.1016/j.cose.2021.102383.
7.
D. Polverini, F. Ardente, I. Sanchez, F. Mathieux, P. Tecchio, L. Beslay, “Resource efficiency, privacy and security by design: A first experience on enterprise servers and data storage products triggered by a policy process,” Computers & Security, vol. 76, pp. 295 – 310, 2018, doi: 10.1016/j.cose.2017.12.001.
8.
C. Banasiński, M. Rojszczak, “Cybersecurity of consumer products against the background of the EU model of cyberspace protection,” Journal of Cybersecurity, vol. 7, no. 1, pp. 1 – 15, 2021, doi: 10.1093/cybsec/tyab011.
9.
H. Kavak, J. J. Padilla, D. Vernon-Bido, S. Y. Diallo, R. Gore, S. Shetty, “Simulation for cybersecurity: state of the art and future directions,” Journal of Cybersecurity, vol. 7, no. 1, pp. 1 – 13, 2021, doi: 10.1093/cybsec/tyab005.
10.
S. Varga, J. Brynielsson, U. Franke, “Cyber-threat perception and risk management in the Swedish financial sector,” Computers & Security, vol. 105, pp. 1 – 18, 2021, doi: 10.1016/j.cose.2021.102239.
11.
J. D. Michels, I. Walden, “How Safe is Safe Enough? Improving Cybersecurity in Europe’s Critical Infrastructure Under the NIS Directive,” Queen Mary School of Law Legal Studies, Research Paper No. 291/2018, pp. 1 – 47. [Online]. Available: https://ssrn.com/abstract=3297.... [Accessed: Nov. 18, 2023].
12.
T. Aleksandrowicz, “The Act on the National Cybersecurity System as an Implementation of the NIS Directive,” Internal Security, vol. 12 no. 1, pp. 179 – 193, 2020, doi: 10.5604/01.3001.0014.3196.
13.
D. Markopoulou, V. Papakonstantinou, P. de Hert, “The new EU cybersecurity framework: The NIS Directive, ENISA’s role and the General Data Protection Regulation,” Computer Law & Security Review, vol. 35, no. 6, pp. 1 – 11, 2019, doi: 10.1016/j.clsr.2019.06.007.
14.
M. D. Cole, S. Schmitz-Berndt, “The Interplay between the NIS Directive and the GDPR in a Cybersecurity threat landscape,” University of Luxembourg Law Working Paper No. 2019 – 017, pp. 1 – 20. [Online]. Available: https://papers.ssrn.com/sol3/p.... [Accessed: Dec. 3, 2023].
15.
S. Schmitz-Berndt, S. Schiffner, “Don’t tell them now (or at all) – responsible disclosure of security incidents under NIS Directive and GDPR,” International Review of Law, Computers & Technology, vol. 35, no. 2, pp. 101 – 115, 2021, doi: 10.1080/13600869.2021.1885103.
16.
S. Schmitz-Berndt, „Refining the Mandatory Cybersecurity Incident Reporting Under the NIS Directive 2.0: Event Types and Reporting Processes,” in Proceedings of the International Conference on Cybersecurity, Situational Awareness and Social Media. Springer Proceedings in Complexity. C. Onwubiko et al. Singapore: Springer, 2023, pp. 343 – 351, doi: 10.1007/978-981-19-6414-5_19.
17.
S. Schmitz-Berndt, “Defining the reporting threshold for a cybersecurity incident under the NIS Directive and the NIS2 Directive,” Journal of Cybersecurity, vol. 9, no. 1, pp. 1 – 11, 2023, doi: 10.1093/cybsec/tyad009.
18.
T. Sievers, “Proposal for a NIS directive 2.0: companies covered by the extended scope of application and their obligations,” International Cybersecurity Law Review, vol. 2, pp. 223 – 231, 2021, doi: 10.1365/s43439-021-00033-8.
19.
N. Vandezande, „Cybersecurity in the EU: How the NIS2-directive stacks up against its predecessor,” SSRN, pp. 1 – 16, 2023. [Online]. Available: https://ssrn.com/ abstract=4383118. [Accessed: Dec. 10, 2023].
20.
A-V. Dragomir, “What’s new in the NIS2 Directive Proposal Compared to the Old NIS Directive,” SEA – Practical Application of Science, vol. 9, no. 27, pp. 155 – 162, 2021 [Online]. Available: https://seaopenresearch.eu/Jou.... [Accessed: Nov. 30, 2023].
21.
S. Schmitz-Berndt, P. G. Chiara, “One step ahead: mapping the Italian and German cybersecurity laws against the proposal for a NIS2 directive,” International Cybersecurity Law Review, no. 3, pp. 289 – 311, 2022, doi: 10.1365/s43439-022-00058-7.
22.
The European Parliament and the Council of the European Union. (Dec. 14, 2022). Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS2 Directive) [Online]. Available: https://eur-lex.europa.eu/eli/.... [Accessed: Aug. 12, 2023].
23.
The European Parliament and the Council of the European Union. (Dec. 14, 2022). Directive (EU) 2022/2557 of the European Parliament and of the Council of 14 December 2022 on the resilience of critical entities and repealing Council Directive 2008/114/EC. [Online]. Available: https://eur-lex.europa.eu/lega.... [Accessed: Aug. 12, 2023].
24.
The European Parliament and the Council of the European Union. (Dec. 14, 2022). Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011. [Online]. Available: https://eur-lex.europa.eu/lega.... [Accessed: Aug. 13, 2023].
25.
The Council of the European Union. (Dec. 8, 2008). Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection. [Online]. Available: https://eur-lex.europa.eu/lega.... [Accessed: Aug. 14, 2023].
26.
The European Commission, Directorate-General for Migration and Home Affairs. Evaluation study of Council Directive 2008/114 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection, Executive summary, 2019, doi: 10.2837/353895.
27.
The European Commission, Directorate-General for Migration and Home Affairs. Evaluation study of Council Directive 2008/114 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection – Final report, 2019, doi: 10.2837/864404.
28.
The European Parliament and the Council of the European Union. (Jul. 6, 2016). Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union. [Online]. Available: https://eur-lex.europa.eu/eli/.... [Accessed: Aug. 14, 2023].
29.
V. Papakonstantinou, “Cybersecurity as praxis and as a state: The EU law path towards acknowledgement of a new right to cybersecurity?” Computer Law & Security Review, vol. 44, pp. 1 – 15, 2022, doi: 10.1016/j.clsr.2022.105653.
30.
O. Michalec, S. Milyaeva, A. Rashid, “Reconfiguring governance: How cyber security regulations are reconfiguring water governance,” Regulation & Governance, vol. 16, no. 4, pp. 1325 – 1342, 2022, doi: 10.1111/rego.12423.
31.
E. K. Szczepaniuk, H. Szczepaniuk, T. Rokicki, B. Klepacki, “Information security assessment in public administration,” Computers & Security, vol. 90, pp. 1 – 11, 2020, doi: 10.1016/j.cose.2019.101709.
32.
The European Commission. Commission Staff Working Document Impact Asessment Report Accompanying the document Proposal for a Directive of the European Parliament and of the Council on measures for a high common level of cybersecurity across the Union, repealing Directive (EU) 2016/1148, SWD/2020/345 final – part 1/3, 2020. [Online]. Available: https://eur-lex.europa.eu/reso.... [Accessed: Dec. 13, 2023].
33.
The European Commission, Directorate-General for Migration and Home Affairs. Evaluation study of Council Directive 2008/114 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection, Annex II, 2020. [Online]. Available: https://op.europa.eu/en/public.... [Accessed: Aug. 21, 2023].
34.
R. Mikac, I. Cesarec, R. Larkin, Critical infrastructure: A platform for the successful development of the security of nations. Zagreb: Jesenski i Turk (in Croatian), 2018.
CITATIONS (2):
2.
IT Governance in Critical Sectors: Towards the NIS2 Implementation
Matiss Veigurs, Tomass Lasmanis, Andrejs Romanovs
2024 IEEE 65th International Scientific Conference on Information Technology and Management Science of Riga Technical University (ITMS)
Matiss Veigurs, Tomass Lasmanis, Andrejs Romanovs
2024 IEEE 65th International Scientific Conference on Information Technology and Management Science of Riga Technical University (ITMS)
| eISSN: | 2956-4395 |
| ISSN: | 2956-3119 |
Publisher
NASK – National Research Institute
Kolska Street 12
01-045 Warsaw, Poland
www.nask.pl
E-mail: contact@acigjournal.pl
Kolska Street 12
01-045 Warsaw, Poland
www.nask.pl
E-mail: contact@acigjournal.pl
© 2006-2025 Journal hosting platform by Bentus
We process personal data collected when visiting the website. The function of obtaining information about users and their behavior is carried out by voluntarily entered information in forms and saving cookies in end devices. Data, including cookies, are used to provide services, improve the user experience and to analyze the traffic in accordance with the Privacy policy. Data are also collected and processed by Google Analytics tool (more).
You can change cookies settings in your browser. Restricted use of cookies in the browser configuration may affect some functionalities of the website.
You can change cookies settings in your browser. Restricted use of cookies in the browser configuration may affect some functionalities of the website.
