The 2016 Network and Information Security Directive was the first piece of cyber security legislation in the European Union. The directive sought to establish a high common security level across European critical infrastructures and services. This chapter examines how the use of compulsory (hard) measures and optional (soft) measures in the Network and Information Security Directive have impacted cyber security in the European Union energy sector. An interrupted time series methodology was employed to analyze cyber security benchmark data pertaining to European Union states collected between 2015 and 2023. The results reveal that the hard measures achieved 100% compliance by 2018 when the directive came into force. However, the implementation of the hard measures crowded out the implementation of soft measures. Thus, the directive did not necessarily engender a high common security level. Instead, it led to the prioritization of cyber security measures. Hard measures at the strategic level were prioritized upward whereas soft measures at the tactical level were prioritized downward. The key result is that governmental authorities planning to stipulate hard and soft cyber security measures in legislation must ensure that their prioritizations are correct.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Effects of Hard and Soft Measures in the First European Network and Information Security Directive

  • Øyvind Toftegaard

摘要

The 2016 Network and Information Security Directive was the first piece of cyber security legislation in the European Union. The directive sought to establish a high common security level across European critical infrastructures and services. This chapter examines how the use of compulsory (hard) measures and optional (soft) measures in the Network and Information Security Directive have impacted cyber security in the European Union energy sector. An interrupted time series methodology was employed to analyze cyber security benchmark data pertaining to European Union states collected between 2015 and 2023. The results reveal that the hard measures achieved 100% compliance by 2018 when the directive came into force. However, the implementation of the hard measures crowded out the implementation of soft measures. Thus, the directive did not necessarily engender a high common security level. Instead, it led to the prioritization of cyber security measures. Hard measures at the strategic level were prioritized upward whereas soft measures at the tactical level were prioritized downward. The key result is that governmental authorities planning to stipulate hard and soft cyber security measures in legislation must ensure that their prioritizations are correct.