European Cybersecurity Strategy and Proposed Network Security Directive

The European Commission recently published two documents:

* the Cybersecurity Strategy of the European Union (English version; 20 pages)
* the Proposed Directive on Network and Information Security (English version; 27 pages + 2 annexes)

Mozilla is trying to work out whether we need to have a position on these documents and, if so, what that position should be. How might this affect the open web? Are there any actions we could or should take in response?

This is part of the work of the new Public Policy module. Particularly if you live in the EU, we would appreciate it if you would read one or the other and indicate any parts of it which are particularly of interest to you and to Mozilla.

The first document, the Strategy, sets forth the EU’s vision of cybersecurity. The second one, the proposed NIS Directive, would, if enacted, require all Member States, key “Internet enablers” such as e-commerce platforms and social networks, and critical infrastructure companies (energy, transport, banking, and healthcare) to take action to ensure “a secure and trustworthy digital environment throughout the EU”. This might mean, for example, requiring them to adopt risk management practices and report major security incidents on their core services.

(I would expect these documents to be available in other EU languages but, although the press release is, I can’t see where the documents are. Pointers gratefully received.)

One thought on “European Cybersecurity Strategy and Proposed Network Security Directive”

  1. Bits of Freedom, a Dutch digital rights organization, is happy to see the Commission has taken over some points from their consultation about cybersecurity being personal security and that cybersecurity must respect fundamental rights [1][2]. BoF is also largely positive about the general goals in the NIS Directive [3].

    But they do raise concerns about the combination of articles 8, 15 and 39 with respect to the lack of guarantee on privacy of European citizens and the possibility for states to exchange data with other states, without being restricted to only the very minimal set of relevant data. They are afraid more data can be shared than necessary without any control or visibility for the civilians themselves.

    I’m not sure if I agree with BoF since I don’t really see the problems they talk about but it might be wise if more people would take a look at it.

    [1] https://www.bof.nl/2013/01/02/improving-cybersecurity/
    [2] https://www.bof.nl/live/wp-content/uploads/20121011-Consultation-Improving-NIS-in-EU-BoF.pdf
    [3] https://www.bof.nl/2013/02/07/europese-cyberregels-gooien-privacy-te-grabbel/ (in Dutch)