In the past decade, several cyber-attacks targeting critical infrastructures have been made public around the world. Some of these attacks on nuclear facilities, power grids, oil & gas facilities, or national Internet infrastructures have drawn considerable although ephemeral media attention. Other critical infrastructures of a nation, such as logistics and transportation infrastructures, water supplies, healthcare infrastructures, banking networks or telecommunication networks also constitute potential targets.
Although much rarer than mainstream cybercriminal activities, these incidents have naturally caused considerable concern among administrations and authorities worldwide about the cyber-risks to critical infrastructures. In response, authorities on all continents have started to lay down new cybersecurity regulatory obligations. The first of these regulations was the NERC CIP framework, which appeared in North America as early as 2006 for power grids and power generation facilities.
In the European Union, the different member states have historically had very different approaches to regulating the protection of their critical infrastructures, as well as very uneven levels of cyber-defence preparedness. This fragmentation in itself was recognised as a vulnerability. The NIS Directive strives to improve this situation, firstly, by increasing the cooperation between the member states on cybersecurity, and secondly, by compelling all member states to adopt more homogeneous cybersecurity regulations.
The present study provides an overview of the status of the transposition of the NIS Directive in the different member states of the EU. As this document shows, implementation the NIS Directive is facing numerous hurdles in the member states, and reaching a common level of cyber-defence across all Union remains a distant target.
For transnational operators of critical infrastructures, complying simultaneously with several distinct national cybersecurity frameworks can also prove challenging. This document identifies the common approaches that can be used by industry operators to help in these cases.
Nonetheless, in spite of these challenges, the NIS Directive is undoubtedly a step in the right direction, compelling member states that had little or no prior regulation to lay down one, or to strengthen it considerably, and introducing cybersecurity concerns.