Analysis of new European cybersecurity strategy and new NIS2 Directive

European Union showcased its new aims for cybersecurity (“strategy”), along with the new proposal for directives regulating cybersecurity, critical infrastructure, and end-to-end encryption. The strategy goes first.

Strategic EU focus on cybersecurity?

The strategy contains several interesting points, for example:

European DNS

European DNS resolver system. This point is critical to the stability and usability of the internet. The low presence of Europe (esp. some Member States) in the letter-servers (root) is well-felt and sometimes has amusing consequences. It’s a question of cyber sovereignty.

Quantum computing or quantum networks

The strategy is curious/odd in one place. It mentions experimental technology like “quantum computing” in the same lines as other mature ones like “encryption”, or “artificial intelligence”. Perhaps the drafters either read some books, or were unable to put certain concepts in the right proportions? We don't know the rationale here. This might be mildly worrying. After all this is a strategic document. That said, the idea to build and develop quantum-encryption networks is good (note: this is different from quantum computing!). Europe used to be the leader in this space.

Technology standards

European Union will allocate more resources to the work on internationally-important technology standards. This is long overdue but the question immediately emerges: with whom the EU will do this? Technology standardisation is a remarkably broad and quickly changing area. It could work nicely with concepts of cyber sovereignty or the upholding of European values in technologies. But we will need to wait for more for this. (Important point for me personally, as I am recently working on a research paper in this actual area: a study why the EU approach to standardisation is quite limited now and how it could change.)

Protection of civil society and researchers

"EU should make sustained efforts to protect human rights defenders, civil society, and academia working on issues such as cybersecurity, data privacy, surveillance, and online censorship.”.

Requires no comment.

NIS, NIS2, cybersecurity Directive

The meat of the proposals is of course the new NIS2 Directive (“on measures for a high common level of cybersecurity across the Union”). This Directive recently emerged to be one of the most important ones. It considers a type of “entity”. For example, one related to the operators of essential services. Essential for countries or societies. Ones that must be guarded against high-impact disruptions. NIS2 is now also fully aligned with the new directive on critical infrastructure, which also addresses aspects of physical security (often crucial to cybersecurity in data centers).


NIS2 has two types of entities. Essential and important. Risk management frameworks for these entities are similar. But the duties will be different, the same with the level of penalties (fines).

Essential and important services

Services include are cloud providers, data center services (essential entities). But also postal services and express and courier delivery services (important entity). The annex has a full list, including entities from sectors (‘essential’) like energy, transport, banking, health, drinking water, wastewater, digital infrastructure (DNS servers, cloud computing, etc), public administration, or space. In general, the list conforms to the notion of “critical infrastructure”. Cyberattacks on such infrastructures may have severe effects, with international and humanitarian repercussions.

Supply-chain cyber risk is notable

“Entities should therefore assess and take into account the overall quality of products and cybersecurity practices of their suppliers and service providers, including their secure development procedures”

No details provided.

European vulnerability database

Because more catalogs and databases are exactly what we need. there will be a European vulnerability database, to compete with a competing U.S. NIST one:

“Although similar vulnerability registries or databases do exist, these are hosted and maintained by entities which are not established in the Union. A European vulnerability registry maintained by ENISA would provide improved transparency regarding the publication process before the vulnerability is officially disclosed and resilience in cases of disruptions or interruptions on the provision of similar services. “
“The registry shall, in particular, include information describing the vulnerability, the affected ICT product or ICT services and the severity of the vulnerability in terms of the circumstances under which it may be exploited, the availability of related patches and, in the absence of available patches, guidance addressed to users of vulnerable products and services as to how the risks resulting from disclosed vulnerabilities may be mitigated”

Again a cyber sovereignty impact can be slightly felt at this point.

End-to-end encryption to be made mandatory but inspectable

“In order to safeguard the security of electronic communications networks and services, the use of encryption, and in particular end-to-end encryption, should be promoted and, where necessary, should be mandatory for providers of such services and networks in accordance with the principles of security and privacy by default and by design for the purposes of Article 18. The use of end-to-end encryption should be reconciled with the Member State’ powers to ensure the protection of their essential security interests and public security, and to permit the investigation, detection and prosecution of criminal offences in compliance with Union law. Solutions for lawful access to information in end-to-end encrypted communications should maintain the effectiveness of encryption in protecting privacy and security of communications, while providing an effective response to crime.”

This is curious. Problematic.

Some observations:

  • End-to-end encryption (e2ee) should be mandatory in some cases
  • The idea behind end-to-end encryption is that nobody outside the conversation can access the conversation content
  • But lawful access is to be guaranteed

These points are contradicting because end-to-end encryption either provides end-to-end encryption, or it does not. Go figure. This will be controversial. It potentially gives grounds for "inspectable end-to-end encryption", so not sure really if this is the end-to-end encryption (?).

In Europe, we recently experienced a sign of such ideas for lawful access to e2ee arriving. While lawful access is the cornerstone of nations abiding by the rules-of-the-law notion, how to reconcile this policy (so not a technology) with e2ee technology (so not a policy) is unclear.

Incident notification submission

NIS requires the submission of breach notifications following important incidents. Similar requirements exist also in other regulations, for example, the GDPR. This may mean that certain events must be notified several times, to several competent authorities. So to simplify there is a proposal to unify those submissions. But in this way, NIS2 is entering the GDPR territory. Which should have a precedent over aspects of personal data.

Peer-review of cybersecurity frameworks

There will be an interesting mechanism of peer-review (Article 16). Cybersecurity experts from Country X will be reviewing the extent of cybersecurity protections (“for assessing the effectiveness of the Member States’ cybersecurity policies”) in Country Y. So for example a person from France will review the system in Greece, an expert from Greece will do this for Germany. So on, so on.

Risk assessment and notifications

Important and essential entities will be tasked with assessing the cybersecurity risks facing them. Furthermore, entities will need to notify the competent authorities about the “significant cyber threat that those entities identify that could have potentially resulted in a significant incident” (“caused or has the potential to cause substantial operational disruption or financial losses for the entity concerned”). Possibly also disclose this to their users. Initial notification must come “within 24 hours after having become aware of the incident”, with a detailed final report “no later than one month after”. The authorities may inform the public about such an event if it’s important.

Fines, 10M or 2%, minus GDPR

Supervision and enforcement are to be “effective, proportionate and dissuasive”. Investigative powers include on-site inspections, random checks. Competent authorities may issue warnings, binding instructions (“you must configure X this way, now)”, orders, but also fines.

Some infringements may result in fines of “at least 10 000 000 EUR or up to 2% of the total worldwide annual turnover of the undertaking to which the essential or important entity belongs in the preceding financial year, whichever is higher”. When the infringement relates to a personal data breach, such fines do not stack up on top of the GDPR fines. GDPR has precedence in this case (and its even higher fining regime) .

Summary

These years, many countries are boosting their cybersecurity. Europe is no exception. NIS2 is significantly strengthening the guarantees of NIS. It also contains this rather controversial element. It recommends end-to-end encryption (even mandates in some cases), but it should be a crippled deployment - a one that is inspectable. The problem is that today nobody knows how to do this securely. So this is the more puzzling part.


Did you like the assessment and analysis? Any questions, comments, complaints or offers for me? Feel free to reach out: me@lukaszolejnik.com