NIS Directive: an important step for better cybersecurity protection in Europe

by Evgeny Grigorenko,
Head of Public Affairs, Europe

The Directive on Security of Network and Information Systems (the NIS Directive) – coming into force on May 9, 2018 – is ushering in a new era for cybersecurity and, generally, the citizens of Europe. This milestone signifies the importance of taking cyber-matters seriously: the world we live in is becoming digital, so digital risks and threats should be handled collectively.

The Directive mainly focuses on the protection of the backbone of the Digital Single Market – operators of essential services and digital service providers. Symbolically, these are sectors where the traditional and the digital merge.

In addition to identification of sectors and companies whose operations’ interruption caused by cyber incidents may trigger all-European negative consequences, the NIS Directive provides incentives to increase cybersecurity capacities at the national level, and creates a framework for national level competent authorities and response teams to work together. In the end, as with any piece of European legislation, the goal of the NIS Directive is to address disparities and develop a unified response.

We at Kaspersky are also committed to working with our partners to protect what matters most. In Europe we have always been active in joining forces with like-minded public agencies and private companies. Such initiatives like NoMoreRansom, which we launched with our partners, have borne fruit by helping European citizens unlock their data encrypted by criminals. We have been also involved in thematic groups of the European agency ENISA – together with other stakeholders developing new approaches to the protection of such valuable assets (to society on the whole) as industrial infrastructure and connected cars. And speaking of essential services, Kaspersky – as a leading company in cybersecurity – could certainly propose high-level security solutions, including, for example, the protection of industrial processes, which are highly digitized these days.

We understand that the NIS Directive is only one of the first steps. By transposing it to the national level, the cybersecurity community has gained additional clarity on how the framework is going to work. We were happy to contribute to making the NIS Directive more actionable. For example, we are glad that our suggestions to have security monitoring and anomaly detection were in line with the adopted high-level security principles for NIS security proposed by the UK Government. We believe that only working collectively we can customize grand ideas and apply them to the ever-evolving cyberthreat landscape.

In the meantime, we understand that the NIS Directive is not the final stop and we should continue working on further strengthening cybersecurity protections. Clearly, some questions ahead will need to be answered. For example, to what extent will different countries in Europe and their cybersecurity agencies be ready to consider cybersecurity as a Union-level question, and where they want their own responsibilities to end and the common approach to begin (which is frequently raised via a challenge to the subsidiarity principle). In addition to issues of inter-agency and inter-country relations, another important question is how to better engage and utilize the resources and knowledge of private companies like ours working on cybersecurity protection on a daily basis. The NIS directive establishes a network of the national Computer Security Incident Response Teams "in order to contribute to developing confidence and trust between the Member States and to promote swift and effective operational cooperation". We believe a clearer and more institutionalized role for the private sector would be beneficial to such an aim as well.

Some of these questions may be answered with a new piece of legislation, the so-called Cybersecurity Act. However, that’s a subject for another blog post. Stay tuned...