Review of the NIS Directive: Key takeaways of the second EU Cybersecurity Webcast

Arnaud Dechoux, Public Affairs Manager Europe

The review of the Network and Information Security (NIS) Directive will be a key milestone of the EU agenda for the coming months. This is why our second EU Cybersecurity Webcast, on September 9, 2020, was dedicated to the theme: ‘Review of the NIS Directive – from cybersecurity to cyber-immunity?’

The discussion was joined by over 150 European attendees and top-class speakers from different stakeholder groups and regions: Evangelos Ouzounis, Head of Secure Infrastructure and Services at ENISA; Kaspersky CEO Eugene Kaspersky; Susanne Dehmel, Member of the Executive Board, Legal & Security at Bitkom; and Corrado Giustozzi, Member of CERT-AGID Italy, Senior Cyber Security Expert, and lecturer at the University of Rome ‘La Sapienza’.

Key takeaways:

• The original NIS Directive has laid a solid foundation; it’s time to take it to the next level: Four years after its implementation, the NIS Directive has been successful in establishing a basis for an increased common level of cyber-resilience in Europe. It encouraged the creation of national strategies were established, and led to increased cooperation between Member States. The cybersecurity of organizations and critical infrastructure today enjoys large awareness and has become a political priority. However, the time is ripe to upgrade the directive into a NISD++ that is future-proof and fit to tackle cyberthreats and technology evolutions of tomorrow. One of the main goals of the revision should be to overcome existing fragmentation and to establish a level playing field in order to support the further development of the Digital Single Market.
• Vertical implementation: Cross-border harmonization, i.e., horizontal implementation, has been rightfully a major focus of the original NIS Directive. However, one objective of the revision could be to enhance sectorial implementation in several areas, as this would allow to take into account the specifics of concrete sectors. This could be combined with the introduction of new areas in the scope for the identification and designation of Operators of Essential Services (OES).
• Closer, broader cooperation: Cross-border and cross-organization cooperation and information sharing between all stakeholders is key to ensuring cyber-resilience. Public-to-public collaboration platforms created by the NIS Directive, such as the network of European CSIRTs/CERTs, have proved efficient but could be further developed. Critical infrastructure cybersecurity could also be enhanced through broader public-to-private and private-to-private information sharing about cyberthreats, vulnerabilities, and incidents. Information Sharing and Analysis Centers (ISACs) are an example of such a model.
• Making critical systems immune to cyberattacks: Industrial systems have become a target of choice for cybercriminals; this is why they should be systemically secure by design. Cyber-immunity is based on the assumption that a cyberattack can be made more costly for the attacker than the potential damage or profit by securing the core infrastructure of targeted critical systems. Further information about the cyber-immunity concept developed by Eugene Kaspersky can be found here and here.

You can watch the recording of the webcast here. And do not forget that through October 2 you can reply to the European Commission’s public consultation on the review of the NIS Directive.

We look forward to hosting you at our next #EUCyberSecurityWebcast. If you are interested in participating in further EU policy-related webcasts organized by Kaspersky, please email us at Kaspersky.EU-Policy@political-intelligence.com.