SHIFT Avocats

2013: the Year of Awareness for Cybersecurity


2013 may be the beginning of a new era for the regulation of cyber-security. The signs have been numerous in recent months, but the strongest is the draft European directive revealed on February 7.

Just take a look at Article 4, which gives the main principle of this text:

« Member States shall ensure a high level of security of the network and information systems in their territories in accordance with this Directive. »

You know what, during my thesis presentation 10 years ago I maintained the idea that a state must provide and ensure a minimum level of security on networks and information systems. My thesis director did not exactly agree with me (#badmemories). All this to say that I’m happy to see such an affirmation in a European-level text.

The proposed Directive aims to ensure a high level of network and information security (NIS) in Europe across the board. So the first step consists in improving the security of the Internet and the private networks and information systems underpinning the functioning of European societies and economies.

The second step will be achieved by requiring the Member States to increase their preparedness for cyber attacks, notably through better cooperation with each other. But this of course also implies soliciting operators of critical infrastructures, such as energy, transport, and key providers of information society services (e-commerce platforms, social networks, etc.), as well as public administrations, to adopt appropriate measures.

What is really interesting to note is the awareness of the need for resilience and stability of network and information systems.

The chosen strategic approach is a mixed approach, combining voluntary initiatives for Member State NIS capabilities and mechanisms for EU-level cooperation with regulatory requirements for key private players and public administrations.

To reach these objectives, the role of the national authorities in charge of cybersecurity questions should be strengthened. But in my opinion, the true heart of this text is in its Chapter IV:

« SECURITY OF THE NETWORKS AND INFORMATION SYSTEMS OF PUBLIC ADMINISTRATIONS AND MARKET OPERATORS », and more especially in Article 14, « Security requirements and incident notification ».

Under the provisions of the latter, the Member States shall ensure that public administrations and market operators take appropriate technical and organisational measures to manage the risks posed to the security of the networks and information systems which they control and use in their operations. But the text doesn’t define who those « market operators » are. The same question arises with the notion of a « level of security appropriate to the risk presented », which has to be settled with regard to the « state of the art ». It will be interesting to follow how the European Network and Information Security Agency (ENISA) is involved in the definition of this notion.

We must underline that some of the principles are in common with those of the proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data (…) (2012/01/25). Notably, the draft directive provides for a mechanism for notifying incidents having a significant impact on NIS and gives the Commission the power to define what those incidents are.

Indeed, administrations and market operators should be required to notify the relevant authorities of incidents having a significant impact on the security of the core services they provide. In France, this authority is most likely the Agence Nationale de la Sécurité des Systèmes d’Information (ANSSI).

For its part, the French government already seems to be working on an independent bill on cybersecurity. According to « Les Echos » and « Le Monde », this text would take into account the recommendations of the last official report on defense, and would impose security obligations on 250 to 1000 operators of vital economic importance to drastically protect their information systems.

So, this issue seems definitely bound for legislative inflation.

Gérald SADDE – Lawyer / firewall
