Protecting critical infrastructure and crucial economic sectors from cyber threats is only becoming more of an imperative for states and private companies alike. When it comes to protecting critical sectors and infrastructure against cyber threats at the European level, the Directive on security of network and information systems (NIS Directive) is the cornerstone.
Its importance lies in being the first complete effort to unify network standards and increase the common level of cyber security since its adoption in 2016. In addition, this European framework also promotes cross-border collaboration, exchange of information and an increased awareness of critical sectors such as energy, health, and transportation.
Despite the enhanced cooperation between national authorities and the progress under EU rules, cyber security capabilities across the EU remain unequal and national legislation differs in many aspects. Furthermore, with the installation of infrastructure for the fifth generation of cellular networks (5G), new concerns have emerged.
Certainly, 5G features will bring a number of new security challenges to the EU. In a statement published in September 2019, the European Commission advocated for a harmonised approach to 5G implementation as an essential requirement to protect EU members' economies and societies. One of the first solutions announced by the Commission in late January this year was the ‘5G Toolbox’, a guideline for Member States willing to adopt measures mitigating the risks on 5G networks.
However, more than just being a point of discussion in cyber security, cellular networks became an additional issue in diplomatic tensions between the United States and China. Various political and economic pressures have been applied by the Trump Administration on foreign governments, including in Europe, in order to ban Chinese suppliers.
Following the action of numerous Member States updating their legislation on the security of networks, the European Commission has launched a review of EU rules on the security of network and information systems. This includes a public consultation of stakeholders, which will most likely be followed by proposals for measures aimed at enhancing the level of cyber security within the Union.
Global debates on 5G: an opportunity for the EU to solve a fragmented landscape
We must stress the NIS Directive’s limits and its consequences on the level of security in interconnected networks and potential threats for economies in the EU.
For instance, the Directive gives its Member States the responsibility to identify essential services and operators in sectors that are considered vital for “societal and economic activities”. However, the definition of essential services varies considerably from one Member State to another.
With an average of 35 services per Member State, the number of identified services ranges from 12 to 87. While some have chosen an approach with general definitions, others have drawn a detailed list of services sometimes exceeding the scope of the sectors identified within the Directive.
As a result, similar operators are exposed to different levels of security for the same interconnected services and networks. In essence, this fragmented landscape undermines a comprehensive security approach, which is essential to ensure service continuity and avoid financial losses from cyber attacks.
This becomes an even more important topic concerning 5G networks, as this technology is expected to integrate more industries and services through innovative solutions.
Consequently, in the revision process, the Commission aims to set up common requirements and capabilities, and provide a comprehensible security framework. Both non-legislative measures, such as guidelines to Member States, and regulatory interventions are under consideration and seem to be accepted by corporate stakeholders. For instance, relevant companies propose the adoption of a single identification model or a set of guidelines on what constitutes a critical sector. Companies also ask for a clear interplay between the NIS and other EU laws referring to information systems in order to harmonise the compliance procedures.
The revision can be seen as a moment of reconfiguration of relevant key players, such as the industries and the providers within the scope of the NIS. Interconnectivity and sharing of critical information among operators, industries and public authorities undoubtedly present an opportunity to strengthen European norms and practices towards cyber awareness and security.
However, an important part of cutting-edge expertise and technology regarding cyber security is developing outside the EU. With that in mind, the revision of the NIS also shapes the position of the EU within the international landscape of cyber governance. A fragmented approach in EU Member States towards critical infrastructures may undermine EU cyber sovereignty and autonomy vis-à-vis international partners such as the US or China.
The security of 5G networks: a geopolitical issue for Member States
Globally, experts estimate this technology to enable $12.3 trillion of global economic output by 2035 and significantly impact job creation, notably 2.3 million jobs in the European Union, 3 million in the United States, and 8 million in China. Yet, the economic benefits of 5G do not fully showcase how cyber security of cellular networks became a geopolitical issue.
The rise of this controversy commenced with the beginning of trade conflicts between the US and China. In 2019, after the imposition of new tariffs on both sides, tensions escalated to product and company bans. The new generation of cellular networks, identified as a key economic factor, was specifically targeted.
A geopolitical logic also took place after the escalation of tensions between India and China over the Western Himalayan border, leading to the first deadly clash in four decades. As a consequence, digital industries and the trade of technologies were directly targeted. While cellular networks were not officially targeted, Chinese suppliers were nevertheless sidelined by the Indian government.
In the EU, things have taken a different path. With its 5G toolbox, the Union resisted the US campaign to cut Chinese companies off its networks, and has given room to its Member States to deal with the security of its 5G networks on their own. Since then, different national decisions have been taken and it is unlikely that a ‘new’ NIS Directive will have an outcome contesting any of these decisions, including geopolitical considerations.
While an outright ban of Chinese companies as a geopolitical response by Europeans is not to be expected, the Commission will nevertheless support the tightening of network security regulations and ensure the legality of decisions based on objective criteria.
As many times before, European institutions will use this opportunity to bring national laws into alignment, while also laying the basis for Member States to act. The security of networks and their reliability for vital sectors is now a key aspect of EU economies and citizens' daily lives. However, relegating the supply of ICTs to geopolitical considerations will not improve the security of networks but will instead bring instability to a technological sector largely based on investments in R&D and infrastructure.
co-written by: Dimitrios Kosmopoulos and Carla Peña Chavez