The EnCaViBS team successfully presented their research at this year’s BILETA conference held at the University of Exeter. With COVID-19 restrictions lifted, the team attended their first face-to-face event since the project started in 2019.
Our new R&D specialist, Paula Contreras, presented her paper “The transnational dimension of cyber security. The NIS Directive and its jurisdictional challenges: an opportunity for further harmonisation?”, delving into the jurisdictional challenges that arise from the NIS Directive.
In that regard, section 1 of her paper examined the relevant legal provisions regarding jurisdiction and identified their shortcomings. She also advanced the idea that the Directive’s ambiguities have given rise to significant inconsistencies in the transposition measures of the different Member States. Section 2 assessed the amendments to the jurisdiction rules included in the NIS 2 Proposal and outlined the views expressed by different stakeholders during the public consultation that took place in 2021. Section 3 focused on the notion of “main establishment” as a criterion to allocate jurisdiction in cross-border cases, and comparatively explored its evolution in other regulatory instruments applicable to digital services, such as the GDPR and the DSA Proposal. Finally, section 4 gathered the insights from the previous sections to evaluate whether the revision of the NIS Directive represents a step towards further harmonisation and overcoming the complex jurisdictional challenges created by cases involving transnational cyber security incidents.
Sandra Schmitz presented her paper “To Report, or Not to Report, that Is the Question! The Struggle in Determining a Report-Worthy Cyber Incident”, advocating for an extension of reporting obligations in the new NIS 2.0 Directive.
The NIS Directive and sector-specific cybersecurity regulations require the reporting of (security) incidents to supervisory authorities. Similarly, the GDPR requires the notification of certain data breaches to DPAs. Following the risk-based approach adopted in the NIS Directive, the proposal for a NIS 2.0 Directive lists as a basic security element the reporting of incidents that (i) have caused or (ii) have the potential to cause harm, as well as (iii) cyber threats, in order to get a full picture of the threat landscape. The proposed extension of reporting duties has caused some uproar in the European Parliament, with the Rapporteur criticising the reporting of incidents that have the potential to cause harm as unrealistic and questioning the report-worthiness of cyber threats. Sandra’s paper outlined and analysed the different concepts of a report-worthy incident. Applying the concepts to state-of-the-art security measures, she concluded that there should be an obligation also to report an attack that did not cause harm.