Hegle Pärna and Merlin Liis-Toomela: Cyber threats increasingly complicated
The use of hybrid warfare tactics and the spread of ransomware attacks have made protecting national security and public services from cyber threats even more challenging, write Hegle Pärna and Merlin Liis-Toomela.
Europe's critical infrastructure is facing increasingly complex and growing cyber threats. In October 2022, a cyberattack completely paralyzed Denmark's railway traffic, and this year, a large-scale cyberattack hit several French ministries, causing significant operational disruptions.
Across Europe, there is a rising wave of cyberattacks targeting critical infrastructure and government institutions, with individuals also being affected. In Estonia as well, our critical infrastructure is becoming more vulnerable, particularly in the context of geopolitical conflicts, where cyber warfare plays a crucial role.
Of cybersecurity and relevant legislation
In addition to cyber incidents targeting critical infrastructure, other recent incidents should not be underestimated. According to the Information System Authority's (RIA) September report, 512 significant cyber incidents were recorded in September. This means that at least 512 incidents had a substantial impact on the security of information systems or the continuity of services. It has also been revealed that the number of incidents has grown by nearly 90 percent over the past year.
All of this clearly highlights the increase in both the frequency and severity of cyberattacks this year, particularly against critical infrastructure and various key government institutions. The use of hybrid warfare tactics and the spread of ransomware attacks have made protecting national security and public services from cyber threats even more challenging.
To combat the growing cyber threats, the updated directive on measures for a high common level of cybersecurity across the Union (NIS2 Directive) was adopted in November 2022 and came into effect on January 16, 2023. For several years, the European Union has had the first cybersecurity directive (NIS1) in place, aimed at promoting cybersecurity and ensuring unified requirements within the EU. The NIS1 Directive laid the groundwork for several important obligations, ranging from the creation of national cybersecurity strategies to the requirements imposed on providers of essential services.
The obligation to notify the local supervisory authority (in Estonia, the Information System Authority or RIA) of significant cyber incidents originates from the NIS1 Directive. Estonia adopted the NIS1 Directive through its Cybersecurity Act.
Given that NIS1 has become outdated in light of increasing threats, member states are now required to update their cybersecurity legislation and transpose the NIS2 Directive into national law by October 17, 2024, at the latest. As of the time of this commentary, the draft legislation for adopting the NIS2 Directive in Estonia has not yet been made public.
Recently, the European Commission initiated infringement proceedings against Estonia for failing to properly transpose the EU directive on the protection of persons who report breaches of Union law, known as the Whistleblower Directive. Additionally, earlier this year, Estonia faced infringement proceedings for not fully transposing the directive on waste from electrical and electronic equipment. Could a similar fate await Estonia due to delays in adopting the NIS2 Directive?
Estonia has been quite proactive in adopting the first (NIS1) directive. The NIS1 directive set a minimum threshold that every member state had to meet and follow when incorporating the directive into national law.
Through its current Cybersecurity Act, Estonia has implemented NIS1 obligations more broadly than the directive originally required. As a result, many of the requirements outlined in the NIS2 Directive have already been partially met. However, no member state can overlook the deadline for transposing the directive, meaning the timeline by which the obligations under the directive must be incorporated into national law. Based on media reports, it can be inferred that the draft legislation is expected to be introduced in the near future.
Considering the circumstances under which the European Commission has previously initiated infringement proceedings, and taking into account Estonia's proactive approach in adopting the NIS1 directive, there is hope that there is still some buffer time available.
Even if the European Commission were to initiate infringement proceedings against Estonia due to delays in transposing the NIS2 Directive, the process typically begins with a formal letter of inquiry to the member state. The member state generally has two months to respond to such a letter.
Of harmonization of the legal framework
The experience of transposing the NIS1 Directive shows that different countries interpret and implement the directive's requirements in significantly varied ways. The directive sets minimum standards, and many member states do not extend beyond these. Consequently, much like the field of data protection, there may arise a need for a cybersecurity regulation that would be directly applicable to member states without the need for individual national transposition.
One example of NIS2 implementation is Germany, which has broadened the scope of critical infrastructure defined by NIS2 by adding hydrogen infrastructure, digital infrastructure and ICT service management – areas not explicitly named in NIS2 but considered critical in the German context.
Germany's law also imposes stricter requirements on management accountability and incident reporting: cyber incidents must be reported within 24 hours, updates provided within 72 hours and a final report submitted within one month. Similarly, the Czech Republic and Hungary have expanded the definition of critical sectors to include the defense industry and public transport. Croatia, on the other hand, has extended obligations to non-essential sectors, though without imposing strict reporting requirements.
Looking forward, if there are too many discrepancies in how NIS2 is implemented across member states, the EU may consider adopting a regulation to ensure uniformity. A similar approach was taken in data protection, where the directive was replaced by the General Data Protection Regulation (GDPR) in 2016, which came into force in 2018. This change was driven by the need for more harmonized data protection rules within the single market.
Therefore, it is not out of the question that the European Commission could consider a cybersecurity regulation in the future to ensure consistent implementation of cybersecurity standards across the EU.
The implementation and interpretation of directives can vary significantly among member states, which may reduce their effectiveness in ensuring unified cybersecurity protection. However, the increasing complexity and international scope of cyber threats require a more unified and coordinated approach.
In this context, a regulation would be a better solution, as it would apply automatically across all member states, ensuring consistent implementation and reducing the risks arising from discrepancies. A regulation would help create a clearer and stronger framework, better equipped to address the rapidly evolving challenges of cybersecurity.
Editor: Marcus Turovski