The European Commission has notified 17 member states of their failure to implement EU cybersecurity law earlier this month.
On July 19, the Commission sent a formal letter of notice to multiple EU countries after they missed the deadline to implement the EU’s Directive on Security of Network and Information Systems (NIS directive, 2016/1148/EU).
All member states were supposed to fully transpose the directive, which was the first EU-wide legislation on cybersecurity, into national law by 9 May 2018. The directive was adopted by the European Parliament in July 2016 and entered into force in August 2016.
However, even with a deadline of two years to transpose the NIS directive into national law, most member states still failed to comply. The countries affected were Austria, Bulgaria, Belgium, Croatia, Denmark, France, Greece, Hungary, Ireland, Latvia, Lithuania, Luxembourg, the Netherlands, Poland, Portugal, Romania and Spain.
The countries have two months to respond to the formal notice sent by the Commission. Member states can be fined or brought before the EU Court of Justice if they continue to fail to comply with EU legislation.
The NIS Directive
The EU’s NIS Directive is aimed at improving cybersecurity and ensuring the protection of critical infrastructure - including energy and water - against cyber attacks, and at boosting the general level of cybersecurity across the EU.
It requires countries to improve national cybersecurity precautions and notify authorities of cyber attacks; and it applies to vital sectors and critical infrastructure, including healthcare, finance, transportation, energy and utilities.
The Directive requires member states to equip themselves appropriately for cybersecurity by setting up a Computer Security Incident Response Team (CSIRT) and nominating a competent national NIS authority, as well as ensuring strategic cooperation and exchange of information among all member states. It also promotes national supervision of the cybersecurity of critical sectors.
In addition, countries across the EU have the deadline of 9 November 2018 to provide the European Commission with a list of all companies and entities in critical sectors that would be required to report cyber attacks to relevant authorities. Many, if not all, utilities can expect to be included in the list.
The EU is also taking other actions to enhance the cybersecurity of its critical infrastructure, including the energy sector, and to protect it against ever-growing threats. For example, in 2015 the European Commission formed the Energy Expert Cyber Security Platform (EECSP), which produced a report recommending several actions the European Commission could take to increase utility cybersecurity.
Evolving cyber threats to utilities
Such actions from the EU seek to counter the increasing level of cyber threats to utility digital systems and to other critical sectors.
Earlier this year, utilities in both the UK and the US were warned by cybersecurity officials that Russia launched a global hacking offensive that targeted millions of computers, possibly laying the foundation for an attack on critical infrastructure. In addition, there were concerns that Russian hackers might have access to UK energy infrastructure through utilities. Other cyber attacks from Russian hostile agents against European and American utilities have also been reported in recent years.
The landscape of cyber threats has also evolved significantly. The cyber crime ecosystem now involves different parties and more sophisticated actors, cyberspace has become an arena for terrorism, political espionage and antagonism, and the nature of the threats themselves has changed to include attacks such as advanced persistent threats (APTs) and ransomware.
With the level of threats rising steadily and utilities being particularly vulnerable to cyber attacks, observing proper cybersecurity measures and complying with regulations is now more important than ever to protect energy systems.