April 7, 2022

A decisive, but solid response

It has become increasingly clear to the EU that cybersecurity is a key priority requiring robust regulation. This has created considerable pressure to finalize key cybersecurity files such as NIS2 while, at the same time, starting work on upcoming files (such as the Cyber Resilience Act). In the rush to strike a quick agreement on NIS2, there is also a push to add targeted requirements and stipulations, and to leverage cybersecurity issues to achieve trade, industrial policy and other objectives.

Negotiated outcomes, however, often miss their original targets. Cybersecurity is a dynamic, cross-border exercise: threats emerge and change all the time, and in some cases the attackers to be protected against are highly sophisticated and well resourced. This calls for a focus on technical measures that are not static and that are developed in collaboration with industry. Because such measures demand technical competence, legislators may find it easier to focus on strategic, non-technical measures instead. This is not the ideal approach, because it will ultimately weaken cybersecurity. An over-reliance on static labels such as “Trusted Vendors” also lulls industry and society into a false sense of security, while reducing the competitive incentive for those vendors to keep improving their security. In turn, a lack of vendor diversity makes each vulnerability an attacker does find far more valuable, since it applies across a larger share of deployments.

Better together with better regulation

With the NIS2 trilogues going full steam ahead, it is pertinent to comment on one aspect that could benefit from greater attention: the importance of the better regulation guidelines. Buried at the end of the European Commission’s NIS2 proposal (Recital 80, to be exact) is a niche reference to the “2016 Interinstitutional Agreement on Better Lawmaking”. This might seem passé, but it most assuredly is not: the European Commission published its “Better Regulation Guidelines and Toolbox” as recently as November last year. This toolbox (unlike the EU 5G Toolbox) focuses solely on the technique of lawmaking, with highly detailed best-practice guidance for policymakers writing legislation.

The November 2021 toolbox is important because it prescribes clear boundaries and best practices for EU legislation: conducting impact assessments; ensuring industry participation in developing standards; and respecting the key EU principles of proportionality, subsidiarity and due process. These best practices matter especially for cybersecurity. With any digital regulation, there is a high risk of fragmenting the EU market unless rules are harmonized and a common baseline is created. This is all the more true given the tension inherent in cybersecurity, which has traditionally been viewed as a member state competence. That tension is a very serious issue, and it was the raison d’être for reviewing the NIS Directive in the first place. It is therefore extremely important for the European institutions to preserve this link to better regulation in the NIS2 text, so as to preserve the digital single market itself.

Renew the legislative framework

In addition to the risk of fragmentation, cybersecurity rules also risk creating uncertainty for industry and for citizens.

This is the other reason why better regulation principles are key: they point to an alternative template that is arguably best suited to cybersecurity, namely the “new legislative framework” (NLF) on the safety of products. Orgalim, a trade association representing the EU technology industry, makes this exact observation in its position paper on NIS2 and explicitly recommends that product certification take place within the NLF rather than through NIS2 (see page 6). Digital Europe, one of the largest EU digital industry associations, likewise calls for a reference to the Better Regulation Toolbox (see Footnote 16).

But the most important reason why such fresh thinking is needed comes from a recent paper by the influential think tank CERRE on ‘Improving EU institutional design’. CERRE argues that in NIS2 the “powers and independence of national competent authorities are underspecified”. It further draws the link to the EU 5G Toolbox and argues that it is “doubtful that the current approach of the 5G Security Toolbox is built in a manner that is entirely consistent with principles of good governance that EU laws have usefully imposed in other fields of digital regulation”. This is a stunning observation, given that NIS2 seeks to bake the soft-law approach of the 5G Toolbox into hard law (which could then be transposed differently across the Union). CERRE states the concern with clarity: “non-technical aspects of the Toolbox risk reaching arbitrary results and may also be questioned from the perspective of proportionality”.

The NLF provides answers to these concerns, and so we believe that the EU institutions should ask Member States to apply the Better Regulation Toolbox, rather than the EU 5G Toolbox, in their approach to NIS2.

Cybersecurity is extremely important, and robust regulation will be a better outcome for all.

Disclaimer: Any views and/or opinions expressed in this post by individual authors or contributors are their personal views and/or opinions and do not necessarily reflect the views and/or opinions of Huawei Technologies.

