Eleven recommendations to improve cyber resilience across the European Union

Deloitte’s response to the European Commission’s public consultation on the revision of the NIS Directive

Deloitte put forward eleven key recommendations to support the Commission’s revision of the Directive on the security of network and information systems (NIS Directive). The key message is that the European Commission should step up its effort to promote harmonisation in the field of network and information systems.

The public consultation's objectives

The NIS Directive is the first piece of EU-wide legislation on cybersecurity. Its recent implementation has already promoted cyber resilience across the European Union, by focusing on capabilities, preparedness, cooperation, information exchange, and awareness on cybersecurity practices. With the consultation on the review of the NIS Directive, the Commission aimed to achieve the following goals:

  1. Assess if cybersecurity has increased across the EU
  2. Identify current and upcoming challenges
  3. Assess the effectiveness of the NIS Directive

Deloitte's response

As the Directive undergoes its first review by the Commission, its impact should be evaluated taking into account a few key aspects. First, the NIS Directive went into force only in May 2018 - quite a limited time to bring about any measurable impact. Most Member States have in fact only recently implemented the changes required by its provisions. Second, the level of information sharing on the implementation of the Directive is still very limited and fragmented. Third, the COVID-19 crisis has accelerated the pace of digitisation, deepening the dependence of essential services on ICT and proving to be a catalyst for cyber criminals all over the world. As a result, keeping normative developments up to speed has become even more relevant.

Our eleven recommendations

Drawing on its network of professional services to organisations affected by the adoption of the NIS Directive, Deloitte put forward eleven recommendations to support the Commission’s evaluation work:

Follow a risk-based approach

  • Adopt a risk-based approach to address cyber risks, as opposed to a simple compliance exercise
  • Raise awareness about the importance of enterprise-wide cyber risk management with the board of directors

Promote further harmonisation

  • Promote harmonisation in the three main areas of the Directive: identification of operators of essential services (OES), security requirements, and information sharing between private and public actors
  • Provide a common and harmonised procedure for incident reporting by simplifying compliance with sectorial requirements

Redefine the sectoral scope

  • Collect further information on the impact of the Directive on sectors in scope and classify their criticality via a risk-based approach
  • Extend the scope of essential sectors under the NIS Directive only to operators that are essential across all Member States

Include third-party providers

  • Extend the scope of digital service providers under the NIS Directive to managed security services (MSS)

Enhance national cyber strategies

  • Clarify the responsibilities of the roles identified within national governments’ governance framework on cybersecurity to avoid institutional conflict among the different ministries and institutions
  • Facilitate the work of Computer Emergency Response Teams in giving the necessary guidance to enact incident response and threat intelligence

Improve coordination at the European level

  • Allocate more competences and resources to ENISA to facilitate the exchange of best practices on cyber capabilities
  • Ensure that the NIS Cooperation Group promotes information sharing between NIS actors and national authorities by acting as the strategic layer on cyber capabilities