Int. Cybersecur. Law Rev.
https://doi.org/10.1365/s43439-022-00048-9
Analysis of the cybersecurity ecosystem in the European Union
Zsolt Bederna · Zoltan Rajnai
Received: 12 January 2022 / Accepted: 17 February 2022
© The Author(s) 2022
Abstract The information society is a complex network of interconnected public and private entities and human beings. Many of them choose a certain level
of technological development from the generally available solutions to support internal processes attaining objectives that support operations, creating technological
dependence via internal or external services of the information and communication technologies (ICTs). Due to the technological development and technological
dependence caused by ICTs, a society-wide political need has arisen for tackling
security requirements for cyberspace in several sectors to satisfy the individuals’
needs that directly or indirectly define the requirements for such services, resulting
in a complex ecosystem with several participants. Although the European Union has
formulated some crucial rules via regulations and directives with which it increasingly defined cybersecurity stakeholders from time to time, there are several missing
affected parties. This paper aims to review the relevant technological, societal, and
economic factors of the information society creating the necessity to strictly handle cybersecurity requirements and analyse decisive stakeholders via a theoretical
framework. Furthermore, it also identifies the current legislative framework issues
to identify pain points.
Keywords Cybersecurity legislation · Cybersecurity stakeholders · Essential
services · NIS Directive · Information society
Zsolt Bederna · Zoltan Rajnai
Doctoral School for Safety and Security Sciences, Obuda University, Budapest, Hungary
E-Mail: bederna.zsolt@stud.uni-obuda.hu; bederna.zsolt@bederna.hu
1 Introduction
Technology is one of the most decisive factors of the information society, as the
information and communication technology (ICT) services infiltrate society’s everyday activities, including the economy. So, natural persons and legal entities must
continually struggle to keep up with technological improvements to speed up operations and bridge physical distances. However, due to technological advancement,
society has a growing dependence on ICTs and their safe use; therefore, the legislature process must regulate security commitments.
In 2007, during the cyberattack campaign against Estonia, the European Union
(EU) recognised the importance of cybersecurity, and it emphasised taking the necessary steps to elevate the level of cyber-defence capabilities, resulting in several
changes in legislation framework.
However, as the hypothesis of this work, the legislative approach is still not
comprehensive enough to ensure the security of the European Digital Single Market
(DSM) of the EU today, which results in unregulated areas of the essential services’
and digital services’ cybersecurity. This deficit creates a gap in the (cyber) resilience
of the information society.
The paper first reviews the relevant technological, social, and economic factors
of the information society and discusses legislation framework changes affecting
cybersecurity capabilities. It then parses decisive stakeholders affecting the cybersecurity level in the EU, introducing a theoretical framework, and lastly, the paper
identifies pain points of the current and proposed cybersecurity approaches. The
paper closes with the conclusion.
2 Review of fundamental interrelations of the information society
The post-industrial changes have affected several aspects of everyday life. The term
information society originated in the 1960s and is a concept that responds to the
expansion and ubiquity of information, but still, today, it has ambiguous meanings. Researchers tried to explain the term via emphasising several aspects over the
last half-century. As a result of the previous definitional approaches, Webster [50]
highlighted five characteristics of the information society as technological, cultural,
spatial, occupational, and economic perspectives.
The most common definitions of the information society highlight the technological aspects that cause an increase in the importance of ICT, signalling an information
society’s emergence. According to the technological approach, people live in an information society because ICTs have become widespread and increasingly important
in everyday life.
Indeed, as Kurzweil [32, p. 381] formulated the generalisation of Moore’s Law
in his essay “The Law of Accelerating Returns”, “an analysis of the history of technology shows that technological change is exponential, contrary to the commonsense ‘intuitive linear’ view”. This advancement realised cyberspace’s vision due to
the improvement of ICT devices and services. However, like many other terms, cyberspace also has diverse definitions. According to The European Union Agency for
Cybersecurity (ENISA) [12, p. 7], “cyberspace is the time-dependent set of tangible
and intangible assets, which store and/or transfer electronic information”. However,
Kuehl created a more comprehensive definition [31, p. 28]: according to him, cyberspace is “a global domain within the information environment whose distinctive
and unique character is framed by the use of electronics and the electromagnetic
spectrum to create, store, modify, exchange and exploit information via interdependent and interconnected networks using information-communication technologies”.
Technology development has also caused, for example, the convergence of industrial controls and even entertainment systems with ICT bringing more endpoints
into cyberspace, requiring a differentiation between Information Technology (IT)
and Operational Technology (OT) [45]. IT is widely applied where ICT supports
business processes or processes data, such as finances. At the same time, OT services
are the basis for technological processes, such as manufacturing or streaming, from
which even smart cities gain advantages [33].
The required intermediate step was the increase of the Internet connection’s penetration. Among EU households, penetration was 68% in 2010 and 92% as an
estimate in 2021 [26]. In the same period, the number of companies with Internet
connections increased from 95% to 98%. Furthermore, by the end of 2018, 22 billion devices (e.g., PC, notebook, smartphone, Internet of Things) would be connected
to the Internet worldwide, according to an analysis conducted by Help Net Security [28]. Thus, it is tempting to approach the information society only from the
perspective of technology regarding its simplicity. However, the rapid development
and convergence of technology and globalisation cause functional, behavioural, and
cultural changes; and the information society can be considered a new way of life,
for example, individuals in an overall region benefit from ICTs [47] and smart cities [14]
in their everyday lives, organisations do automation [38], and the overall nation may
have a higher productivity rate [4].
Furthermore, according to the spatial structure approach, people live in an information society due to the use of information technologies and globalisation, so
physical space is becoming less and less important. People are surrounded by networks that provide a new framework for social processes, such as production and
distribution. On the other hand, according to the cultural approach, the information
society results from a global, increasingly advancing digital media culture, which
becomes the primary source of meaning and defines the framework for their lives.
While the spatial perspective highlights the geographical stress based on sociology and economics, the cultural perspective stresses the growth of symbols and
signs, including the services available on the Internet. For example, social network
sites have shortened the distance and caused several changes in cultural aspects.
Unsurprisingly, they are one of the most widely used services today. The private use
of social networks in the EU grew from 36% to an estimated 65% between 2011
and 2021 according to Eurostat [26]. However, there are many more ICT services
that become ever more fundamental for society. For example, the EU articulates the
importance of eGovernment, eHealth, and eEducation services in connection with
information society [16]. Thus, unsurprisingly, regarding the various eGovernment
activities of individuals in the EU, Eurostat reported an increase in such activities
from 40% to an estimated 53% between 2010 and 2021.
Therefore, the new postmodern world of the information society has caused new
needs based on a mixed reality of the physical and virtual worlds. “These new needs
surface with the increasing ability for people to connect, society and the culture” [7,
p. 9], resulting in the complement of Maslow’s pyramid with the individual, singular,
and global needs. The individual needs allow humans to use ICTs to access and
administer information; the singular needs are the dynamics between the subjects,
understood as the identity formation of the human grouping to which it belongs;
and the global needs include knowledge transfer and digital inclusion.
It is precisely the extremely rapid technological development that is one of the
most important key features, affecting the everyday life of the citizens and the operation of the organisations. According to Kovacs [30], “the digitization of society
and the economy means how the social and economic functions of the given country
are integrated and how they are built on digital technology”. Regarding the purpose
and importance of the digital services that the citizens recognise as end-users, there
are digital services that can help satisfy needs belonging to one of the layers of
Maslow’s pyramid [34, 35], explaining human behaviour and motivations. Admittedly, as per [8], several companies, including start-ups, create software services
to cater to different needs by, e.g., accessing easier food and housing, providing
home (i.e., physical) security and cybersecurity, meeting people and finding love, or
creating possibilities for a vibrant social life.
However, today, the EU follows a simple approach and describes the information
society as a “significant degree of activity focuses on the creation, distribution,
use and reuse of information, which activities take place by ICT” [24]. This simple
definition is related to its economic and occupational aspects, voicing that people live
in an information society because the information sector and information-type work
dominate the economy. Moreover, the economic aspect emphasises the involvement
of information businesses and trades, which has expanded over time in contributing
to the Gross National Product. This kind of focus shift has also affected occupations.
The occupational approach describes the information society based on Bell’s postindustrial theory [46], in which the majority of jobs are mostly informational related.
In connection with these two aspects, the DSM is necessarily one of the most
fundamental concepts of the EU. As Micossi [36, p. 32] wrote in his research article,
“over the past thirty years, the SEM [Single European Market] has made impressive
progress, growing to cover the main economic activities, from manufactured goods
to all categories of services, network utilities and public services, public procurement
and the recognition of professional qualifications, as well as the market for codified
technology, that for long lagged behind”.
Recognising the economic importance of cyberspace, the EU accepted the equal
importance of the DSM and even made it a foundation for the economy. Thus,
“Information and Communications Technology (ICT) is no longer a specific sector
but the foundation of all modern innovative economic systems” [18]. For example,
Eurostat [26] points to the increased usage of Internet banking and online shopping.
Furthermore, several industrial production changes are also based on the convergence
of IT and OT represented by the concept of Industry 4.0, which refers to the efficient
production and operating processes, also demonstrating economic and occupational
shifting [48].
3 Evolution of the legislative framework from a security perspective
In 2013, the first strategy was accepted in the EU [17] with the motto of “An Open,
Safe and Secure Cyberspace”. It pronounced five strategic priorities: (1) achieving cyber resilience; (2) drastically reducing cybercrime; (3) developing cyber-defence policy and capabilities related to the Common Security and Defence Policy
(CSDP); (4) developing the industrial and technological resources for cybersecurity;
and (5) establishing a coherent international cyberspace policy. The strategy aimed to
repel cybercriminal activities by cooperation with the newly established European
Cybercrime Centre (EC3), and it encouraged cooperation between the public and
private sectors to enhance CSDP capabilities.
The Directive on security of network and information systems (NIS Directive)
[11] poses another critical milestone as it brought cybersecurity closer to the critical
infrastructure protection defined in [9]. Due to the multi-stakeholder and multilevel
approach of the EU, the NIS Directive prescribed obligations: (1) on the Union level to create a Cooperation Group to support and facilitate strategic cooperation
and information exchange among the Member States and to create the computer
security incident response teams network (CSIRTs network) promoting operational
cooperation; (2) for Member States to adopt a national strategy and to designate the
national competent authorities and at least one competent CSIRT for the essential
services; and (3) for operators of essential services (OESs) and for digital service
providers (DSPs) to comply with the established security-related requirements.
However, one year before the NIS Directive, the Payment Services Directive 2
(PSD2) [10] promoted the development of digital financial services, supporting the
entry of new service providers into financial markets. PSD2 enables external third
parties to access the banks’ current account management system and its data on
behalf of bank customers. Because of this, it prescribes cybersecurity-related objectives for companies that it covers. Furthermore, due to the economic value of online
services, the trust services also play a significant role in the Digital Single European Market (SEM) and online government services [44] as they provide electronic
identification, authentication, and trust services (eIDAS).
Meanwhile, the EU realised the underregulated nature of processing personal
data. Due to the technological changes, the quality and quantity of personal data
processing changed, amplifying abuses’ effects. As a result of multi-round consultations, the General Data Protection Regulation (GDPR) [42] was announced. The
GDPR looks at security, including cybersecurity and defence capabilities, from the
viewpoint of privacy and incorporates several tasks and obligations in a very high-level form. However, this high-level specification relates to the overall legislation
as none of the previously mentioned laws prescribes comprehensive controls, just
a limited control set.
For further enhancements of the overall cybersecurity capabilities, ENISA [12]
categorised the related terms as a basis for further discussion to be conducive to the
EU’s cybersecurity strategy, “to ensure a comprehensive approach to addressing the
cyber challenges of tomorrow”. The authors drew on Maslow’s pyramid of needs
approach to hierarchically categorising cyberspace needs (Fig. 1), including essential security protection, critical asset protection, DSM protection, global stability
protection, and democracy and human rights protection.
Fig. 1 Layers of cybersecurity protection (source: [12, p. 4])
The European Commission had considered ENISA’s proposals and had taken
some necessary steps with the Cybersecurity Act [43], which granted a permanent
mandate to ENISA with more resources and new tasks to set up and maintain the
European cybersecurity certification framework and a vital role as the secretariat
in the CSIRTs network. Moreover, at the end of 2020, the EU published its new
cybersecurity strategy [21] to further enhance its cybersecurity capabilities for the
“Digital Decade”, for which the European Commission [20] created the proposal
for a revised Directive on Security of Network and Information Systems (NIS 2
Directive).
The EU’s new cybersecurity strategy tends to reinforce the resilience of the infrastructure and critical services by building a European Cyber Shield, a network
of security operations centres across the EU, a secure communication infrastructure including the broadband mobile networks, and promoting the secure Internet
of Things. It also aims to deal with extreme scenarios affecting the integrity and
availability of the global DNS root system by applying European DNS resolver
services. The strategy is about reinforcing the presence on the technology supply
chain and making up for the deficiencies of cybersecurity skills by enhancing cyber
awareness. Furthermore, it aims to strengthen cyber diplomacy and cyber defence
and promotes standardisation.
4 A theoretical mapping of cybersecurity stakeholders
4.1 National and supra-national levels
Recognising the cyber resilience issues caused by the high dependence on ICTs,
Member States and the EU have identified several stakeholders, such as agencies,
councils, as well as non-profit and for-profit organisations, to ensure cybersecurity
and resilience at the operational level.
Since its establishment in 2004, legislators have increasingly given ENISA
a prominent role. Thus, in addition to promoting technical guidance and standardisation at the EU level, ENISA cooperates with competent EU institutions and
authorities, bodies, offices, and agencies of the Union, the Member States, or third
countries [43]. In 2018, the EU institutions and bodies agreed on the Arrangement
on the organisation and operation of a computer emergency response team for the
Union’s institutions, bodies, and agencies (CERT-EU) [3]. The CERT-EU’s overall
task is to contribute to the security of the ICT infrastructure of all EU institutions,
bodies, and agencies (as protected organisations). It also coordinates the exchange of
information on cybersecurity and responds to cybersecurity incidents for protected
organisations. A further important actor in tracking cybercrimes is the EC3, set
up in 2013 “to strengthen the law enforcement response to cybercrime in the EU
and thus help protect European citizens, businesses, and governments from online
crime” [25].
Each Member State’s responsibility is to designate (at least) one competent authority and (at least) one CSIRT for essential services and digital services. The
competent authorities also play a consultative role, and the designated CSIRTs aim
to help manage risks and security incidents. An additional obligation for the Member States is to designate a single point of contact for cross-border cooperation
between Member State authorities and relevant authorities in the other Member
States or the cooperation group of CSIRTs network. The competent authorities and
the single point of contact shall notify and cooperate with the relevant national law
enforcement authorities and national data protection authorities.
Furthermore, the NIS Directive gives a distinct role to OESs operating in:
(1) Energy, (2) Transport, (3) Banking services, (4) Financial market infrastructures, (5) Healthcare, (6) Drinking water supply and distribution, or (7) Digital
infrastructure sectors. Also, the NIS Directive distinguishes DSPs operating in the
context of offering: (1) the Online Marketplace service, (2) the Online Search
Engine service, or (3) the Cloud Computing Service. PSD2 defines obligations
for credit institutions, electronic money institutions, post office giro institutions,
payment institutions, the European Central Bank, and national central banks. For
all entities, the trust service providers play an essential role, according to eIDAS, as
they provide electronic identification, authentication, and trust services. Although
the GDPR expands cybersecurity obligations in a certain way as it prescribes duties
to implement security controls, it is only for protection of personal data, regardless
of the organisations’ size.
Fig. 2 aims to conceptualise relationships of a small set of different types of
stakeholders in national and supra-national grouping, highlighting Member State
“A” and “B”, as an example, demonstrating various organisational dependencies.
Although not illustrated in the figure, there are several citizens as consumers of
different products and services at the end of the dependence chains.
Fig. 2 Conceptualising a subset of stakeholders with hypothetical dependencies (source: own edit)
From a cybersecurity perspective, there are three types of entities differentiated
as: (1) NIS directive, eIDAS, or PSD2 defined entities falling within the scope of
GDPR, (2) EU-level entities defined in different legislations (which must of course
also comply with the GDPR), and (3) entities falling only within the scope of
GDPR regardless of where their headquarters are. Furthermore, an organisation in
a Member State purchases products and uses services from other organisations that
may belong to the same or another Member State or other states. Of course, EU-level entities, such as ENISA, may use various goods originating outside the EU.
All these goods can comprise different business-like services, even security or any
other ICT products, tools, and services, that are available globally.
4.2 Organisational level
At the same time, society is made up of individuals with non-profit and for-profit
organisations, which are the basic building blocks in terms of the regional and
the higher level of the multi-layered cyber resilience approach. However, for most
organisations, organisational business services depend on the ICT infrastructure and
services via business processes and data. According to Gao et al. [27, p. 307], “the
analytical results unveil the network characteristics that can enhance or diminish
resilience, offering ways to prevent the collapse of systems, and guiding the design of
technological systems resilient to both internal failures and environmental changes”.
But the security of ICT services is not only a technological problem. According
to the ISACA’s Business Model for Information Security (BMIS) [49], security
comprises people, processes, and technology.
Concerning the complexity that characterises today’s economic relationships, several organisations use external resources [41], creating some dependence on those
suppliers. Thus, resilience is a valid characteristic not only for internal ICT infrastructure and processes but also for external ones. Supply chain resilience (SCRes)
“is the adaptive capability of the supply chain to prepare for unexpected events, respond to disruptions, and recover from them by maintaining continuity of operations
at the desired level of connectedness and control over structure and function” [40].
Furthermore, according to Webster’s five definitional perspectives of the information society, technological development causes changes, affecting organisations,
in various ways. These changes cause public and private entities to create new services, discarding obsolete practices, offering existing services for customers in new
ways, or even the internal ICT services may offer new digital tools for streamlining
processes [39]. Therefore, organisations aggregately determine the actual maximum
technological capabilities, from which an organisation may choose the appropriate
level for its operation.
Fig. 3 Conceptualising the ecosystem of an organisation (source: own edit)
Fig. 3 conceptualises an organisation with its suppliers and customers, displayed
in the previously applied multi-layer approach. The examined Organisation originates from Member State A, depicted on Fig. 2, which connects to ENISA, the
Energy provider, Digital infrastructure provider, Banking provider, eIDAS provider,
and the entities in Other State and in Member State B. In its internal operation, the
business services apply and depend on ICT services. Furthermore, external resources
may complete or substitute internal resources in business, ICT, or security services,
processes, or other resources, causing supply chain dependence. On the other hand,
the business services supplied by the ICT services cause supply chain dependence
for the Organisation’s customers supplying other organisations’ objectives and satisfying individuals’ needs.
5 Analysing the proposed legislative changes
Rapid technological improvements and increased digitisation have caused growing dependence on ICT services, increased supply chain dependence, intensifying
complexities of such services, expanding cyberspace and hence cybersecurity stakeholders. However, these growing complexities in cyberspace demand the appropriate
level of organisational cybersecurity and resilience capabilities, which increases the
existing difference among organisations.
According to the European Commission [22], the NIS 2 Directive proposal eliminates the distinction between OESs and DSPs and “expands the scope of the current
NIS Directive by adding new sectors based on their criticality for the economy and
society, and by introducing a clear size cap—meaning that all medium and large
companies in selected sectors will be included in the scope. (Thus, in Fig. 2, more
organisations would be illustrated by black-filled circles.) At the same time, it leaves
some flexibility for the Member States to identify smaller entities with a high-security risk profile”. But what about those organisations which are not OES or a DSP
but offer an important service for citizens, or are an important (or even dominant)
economic entity whose downtime noticeably affects the DSM?
The European Commission, LSEC (Leaders in Security), and PwC [23] conducted
research focusing on the EU’s cybersecurity ecosystem. During data collection, they
reached out to companies to measure the cybersecurity industry that: (1) provided
exclusively cybersecurity products and services, (2) provided cybersecurity products
and services, among other activities, or (3) provided products and services that are
part of the cybersecurity value chain. In the operation of technology and related
cybersecurity processes, various local and global, small and large Managed Service
Providers (MSPs), Managed Security Service Providers (MSSPs), and hardware and
software manufacturers have huge further responsibilities.
Furthermore, even though some elements of eGovernment services were elevated
on the EU level by the eGovernment Action Plan 2016–2020 [19], it has wholly
remained on the level of national legislation, because Member States prevented
the integration of eGovernment into the NIS Directive. However, incident records
support the inclusion of eGovernment services [5]. For example, the malware of
Operation Pawn Storm (APT28) was inside the IVBB (German Informationsverbund
Berlin-Bonn) network from December 2017 and present until the end of February
2018, which may have affected German and EU-wide information [2]. Secondly, in
June 2019, a cybersecurity breach affected more than 4 million Bulgarians’ personal
data and financial records and the EU’s EUROFISC anti-fraud network data [37].
But expanding subjects to comply with obligations without prescribing a minimum set of control obligations gives no real security level improvement, so the
European Commission [22] proposal prescribes a minimum list of basic security
requirements for the subjects of the NIS 2 Directive. The proposal aims to impose
a risk management approach to strengthen security requirements and to address
both cyber and physical resilience of critical entities and networks, including more
specific incident reporting and managing the security of supply chains and supplier
relationships. In contrast, the current NIS Directive distinguishes OESs and DSPs
and may effectuate different obligations for them. But PSD2 and eIDAS subjects will
possibly not be affected by this type of formulation of more precise requirements.
Additionally, although the GDPR prescribes cybersecurity obligations to protect personal data in cyberspace, it does not have effective content mandating a concrete
wide range of cybersecurity controls.
However, a more significant issue arises from the legislative nature of the NIS
Directive, as the prescribing of security requirements without minimum requirements
is allotted to Member States with different capabilities. This statement deals with
lower-level entities. For example, according to Brodin [6], small- and medium-sized enterprises suffer from a lack of resources or knowledge to effectively plan
and implement cybersecurity (and data privacy) capabilities, even though they pose
a vital role in DSM. However, larger organisations may also encounter problems in
security-related processes, according to a global survey conducted between August
2019 and October 2019 [15].
At the same time, organisations, regardless of their size, must keep up with a more complex legislative framework. Hypothetically, if a security incident affects an OES’s
IT system offering a payment service and the incident has an impact on personal
data, there is an obligation to notify and cooperate with possibly different competent
authorities under Articles 6, 14, and 16 of the NIS Directive, Articles 33 and 34
of the GDPR, and Article 19 of PSD2. Article 19 of eIDAS prescribes a further
obligation for trust services providers.
As a further issue, illustrated in Fig. 2, organisations have become more vulnerable
to supply problems since “supply chains become longer (more tiers), larger (more
depth), and more complex” [1, p. 1525]. A recent supply chain attack was conducted
against SolarWinds [51] that seriously affected its customers via its monitoring tools
applied worldwide by several organisations. The most prominent publicly known
example is FireEye, a known important supplier of public entities in the United
States. However, OESs, DSPs, and other cybersecurity entities in the EU probably
suffered from this attack directly, via SolarWinds or FireEye, or as a chain effect.
Although SolarWinds and other similar entities fall under the scope of the GDPR to
protect their customers’ personal data, their internal development and application delivery
processes are not adequately covered. Therefore, regarding supply chain risks for cybersecurity
stakeholders, there is currently no sufficient set of requirements, and each entity
selects and manages its suppliers according to its internal policies, if it has any.
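As an added illustration of the interdependency analysis the paper says has no standard approach, and of the multi-regime notification case in the hypothetical incident above, the following Python model is ours (not the paper's, and not ENISA's Interdependencies tool). It walks a constructed dependency graph following the entities named for Fig. 2 and Fig. 3, and maps each affected entity's regulatory scope to the notification articles cited in this section; that scope-to-article mapping, the entities, their edges and scope flags are all assumptions made for the example.

```python
"""Constructed interdependency model for the ecosystem sketched in Fig. 2
and Fig. 3 of the paper. Entities, edges and scope flags are illustrative
assumptions; nothing here is data about a real organisation."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Entity:
    name: str
    state: str          # Member State "A"/"B", or "Other" for a non-EU state
    scopes: frozenset   # regulatory regimes the entity falls under (Sect. 4.1)


# Incident-notification duties per sectoral regime. This is our reading of
# the articles the paper cites in Sect. 5 (an assumption, not the paper's
# own table): Art. 14 NIS for OESs, Art. 16 NIS for DSPs, Art. 19 PSD2,
# Art. 19 eIDAS. GDPR Arts. 33/34 apply only when personal data is hit.
SECTORAL = {
    "OES": ("NIS Directive Art. 14",),
    "DSP": ("NIS Directive Art. 16",),
    "PSD2": ("PSD2 Art. 19",),
    "eIDAS": ("eIDAS Art. 19",),
}
GDPR_DUTIES = ("GDPR Art. 33", "GDPR Art. 34")


def build_ecosystem():
    """Constructed graph following the entities named for Fig. 3."""
    ents = [
        Entity("Organisation", "A", frozenset({"OES", "PSD2", "GDPR"})),
        Entity("Energy provider", "A", frozenset({"OES", "GDPR"})),
        Entity("Digital infrastructure provider", "A", frozenset({"OES", "GDPR"})),
        Entity("Banking provider", "A", frozenset({"OES", "PSD2", "GDPR"})),
        Entity("eIDAS provider", "A", frozenset({"eIDAS", "GDPR"})),
        Entity("Supplier (Other State)", "Other", frozenset({"GDPR"})),
        Entity("MSP (Member State B)", "B", frozenset({"GDPR"})),
        Entity("Customer", "A", frozenset({"GDPR"})),
    ]
    entities = {e.name: e for e in ents}
    # consumer -> suppliers it depends on (supply chain dependence, Sect. 4.2)
    depends_on = {
        "Organisation": ["Energy provider", "Digital infrastructure provider",
                         "Banking provider", "eIDAS provider",
                         "Supplier (Other State)", "MSP (Member State B)"],
        "Customer": ["Organisation"],
        "Energy provider": ["Digital infrastructure provider"],
        "Banking provider": ["eIDAS provider", "Supplier (Other State)"],
    }
    return entities, depends_on


def downstream(depends_on, source):
    """Entities whose services transitively depend on `source`, found by a
    breadth-first walk over the reversed edges; `source` itself is excluded."""
    dependents = defaultdict(list)
    for consumer, suppliers in depends_on.items():
        for s in suppliers:
            dependents[s].append(consumer)
    seen, order, queue = {source}, [], deque([source])
    while queue:
        for d in dependents.get(queue.popleft(), []):
            if d not in seen:
                seen.add(d)
                order.append(d)
                queue.append(d)
    return order


def obligations(entity, personal_data):
    """Notification duties triggered for one affected entity."""
    duties = []
    for scope in sorted(entity.scopes):
        duties.extend(SECTORAL.get(scope, ()))
    if personal_data and "GDPR" in entity.scopes:
        duties.extend(GDPR_DUTIES)
    return duties


def cascade_report(entities, depends_on, source, personal_data):
    """Map every entity reached by a disruption at `source` to its duties.
    `sectoral_gap` marks entities that are GDPR-only (or unregulated): the
    paper's point that such entities carry no sector-specific controls."""
    report = {}
    for name in [source] + downstream(depends_on, source):
        ent = entities[name]
        report[name] = {
            "state": ent.state,
            "duties": obligations(ent, personal_data),
            "sectoral_gap": not any(s in SECTORAL for s in ent.scopes),
        }
    return report


if __name__ == "__main__":
    ents, deps = build_ecosystem()
    # A disruption at the non-EU supplier that also touches personal data.
    for name, row in cascade_report(ents, deps, "Supplier (Other State)", True).items():
        gap = "  <- no sectoral regime" if row["sectoral_gap"] else ""
        print(f"{name} [{row['state']}]: {', '.join(row['duties']) or 'none'}{gap}")
```

Entities flagged with `sectoral_gap` are those the paper describes as falling only within the GDPR: they sit in the dependence chain but carry no NIS, PSD2 or eIDAS duties.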
Lastly, cybersecurity standards are still fragmented due to the lack of cross-Member State interoperable solutions and the lack of higher-level mechanisms. The
Cybersecurity Act has created a voluntary framework for European Union-wide
cybersecurity certification for ICT products, services, and processes [29], as illustrated in Fig. 3. Since, typically, organisations implement cybersecurity capabilities
in a risk-based approach, it is an apparent deficiency that there is no standard approach to identifying interdependencies, conducting business impact analyses, and
modelling risks. Currently, to promote impact analysis, ENISA [13] has created its
Interdependencies tool that “contributes to the NIS Directive (Article 3) objective
for a common and converged level of security in network and information systems
at EU level, and it does not intend to replace existing standards, frameworks or good
practices in use by OESs”.
6 Conclusion
Based on the review and analysis of information society and cybersecurity interrelations, the paper identified some crucial pain points of the current cybersecurity
legislative framework and correlated them with the EU’s new cybersecurity strategy
and the draft version of the NIS 2 Directive.
Currently, there are stakeholders missing from the EU-level cybersecurity ecosystem,
such as eGovernment entities and organisations that do not fall into the specified
categories of OESs and DSPs, even though they offer important services for citizens or
represent significant (or even dominant) economic entities whose downtime noticeably
affects the DSM. Partially solving this issue, at least, the NIS 2 Directive will
add new sectors based on their criticality for the economy and society. According
to the draft, all medium and large companies in selected sectors will be included in
the scope; simultaneously, smaller entities with a high security risk profile may be
identified by Member States.
As a further improvement, the draft aims to enhance the security of supply chains
and supplier relationships as supply chains become lengthier, larger, and more complex, affecting cybersecurity and cyber resilience, which is currently an untreated
problem.
The current NIS Directive allows Member States to create their own regulations
and requirements without harmonisation. Fortunately, the draft prescribes a minimum list of basic security requirements. However, there is no standard approach
to identifying interdependencies and conducting business impact analysis, and there
is no standard to model risks, taking into account all BMIS elements. Although
ENISA’s Interdependencies tool aims to foster impact analysis, it is not a mandatory standard; therefore, in the authors’ opinion, both impact analysis and risk modelling currently remain unaddressed. Nevertheless, how such a model can consider
technological dependence and supply dependence is a good question.
Lastly, ENISA’s expanded tasks and obligations have helped reduce the difference
in capabilities and resources, but the complex legislative framework remains.
Acknowledgements This work results from research at the Doctoral School for Safety and Security Sciences at Obuda University; furthermore, it takes some elements of the first author’s thesis conducted for
the Master of Business Administration at Eötvös Loránd University.
Funding Open access funding provided by Óbuda University.
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License,
which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as
you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article
are included in the article’s Creative Commons licence, unless indicated otherwise in a credit line to the
material. If material is not included in the article’s Creative Commons licence and your intended use is not
permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly
from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.
Conflict of interest Z. Bederna and Z. Rajnai declare that they have no competing interests.
References
1. Alfarsi F, Lemke F, Yang Y (2019) The importance of supply chain resilience: an empirical investigation. Procedia Manuf. https://doi.org/10.1016/j.promfg.2020.01.295
2. Anomali (2019) APT28 timeline of malicious activity. https://forum.anomali.com/t/apt28-timeline-of-malicious-activity/2019. Accessed 26 Sep 2020
3. Arrangement between the European Parliament, the European Council, the Council of the European Union, the European Commission, the Court of Justice of the European Union, the European Central Bank, the European Court of Auditors, the European External Action Service, the European Economic and Social Committee, the European Committee of the Regions and the European Investment Bank on the organisation and operation of a computer emergency response team for the Union’s institutions, bodies and agencies (CERT-EU), Official Journal C 12 1 (2018). https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32018Q0113(01)
4. Arvin MB, Pradhan RP, Nair M (2021) Uncovering interlinks among ICT connectivity and penetration, trade openness, foreign direct investment, and economic growth: the case of the G-20 countries. Telemat Inform. https://doi.org/10.1016/j.tele.2021.101567
5. Bederna Z, Rajnai Z, Szadeczky T (2021) Attacks against energy, water and other critical infrastructure in the EU. 2020 IEEE 3rd International Conference and Workshop in Óbuda on Electrical and Power Engineering (CANDO-EPE). https://doi.org/10.1109/cando-epe51100.2020.9337751
6. Brodin M (2019) A framework for GDPR compliance for small- and medium-sized enterprises. Eur J Secur Res. https://doi.org/10.1007/s41125-019-00042-z
7. Carrasco-Sáez JL, Butter MC, Badilla-Quintana MG (2017) The new pyramid of needs for the digital citizen: a transition towards smart human cities. Sustainability. https://doi.org/10.3390/su9122258
8. CBInsight (2015) Maslow’s hierarchy of startups: how tech wants to meet your every need. https://www.cbinsights.com/research/maslows-hierarchy-of-needs-startups/. Accessed 28 Dec 2020
9. Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection, Official Journal L 345 75 (2008). http://data.europa.eu/eli/dir/2008/114/oj
10. Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC, Official Journal L 337 35 (2015). http://data.europa.eu/eli/dir/2015/2366/oj
11. Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union, Official Journal L 194 1 (2016). http://data.europa.eu/eli/dir/2016/1148/oj
12. ENISA (2017) ENISA overview of cybersecurity and related terminology. https://www.enisa.europa.eu/publications/enisa-position-papers-and-opinions/enisa-overview-of-cybersecurity-and-related-terminology. Accessed 21 May 2021
13. ENISA (2021) Interdependencies between OES and DSPs. https://www.enisa.europa.eu/news/enisa-news/enisa-publishes-a-tool-for-the-mapping-of-dependencies-to-international-standards. Accessed 23 May 2021
14. Eremia M, Toma L, Sanduleac M (2017) The smart city concept in the 21st century. Procedia Eng. https://doi.org/10.1016/j.proeng.2017.02.357
15. Ernst & Young (2020) How does security evolve from bolted on to built-in? https://assets.ey.com/content/dam/ey-sites/ey-com/en_gl/topics/advisory/ey-global-information-security-survey-2020-report-single-pages.pdf. Accessed 26 Sep 2020
16. European Commission (2010) EUROPE 2020 A strategy for smart, sustainable and inclusive growth (COM(2010) 2020). https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2010:2020:FIN:EN:PDF. Accessed 27 Dec 2020
17. European Commission (2013) Cybersecurity strategy of the European Union: an open, safe and secure Cyberspace (JOIN/2013/01 final). https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:52013JC0001. Accessed 22 Jan 2020
18. European Commission (2015) A digital single market strategy for Europe (COM(2015) 192 final). https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=celex:52015DC0192. Accessed 27 Dec 2020
19. European Commission (2016) EU eGovernment action plan 2016–2020: accelerating the digital transformation of government. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52016DC0179. Accessed 29 Jan 2020
20. European Commission (2020a) Proposal for a Directive of the European Parliament and of the Council on measures for a high common level of cybersecurity across the Union, repealing Directive (EU) 2016/1148. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=COM%3A2020%3A823%3AFIN. Accessed 22 May 2021
21. European Commission (2020b) The EU’s cybersecurity strategy for the digital decade. https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=JOIN:2020:18:FIN. Accessed 22 May 2021
22. European Commission (2021) Proposal for directive on measures for high common level of cybersecurity across the Union. https://digital-strategy.ec.europa.eu/en/library/proposal-directive-measures-high-common-level-cybersecurity-across-union. Accessed 04 Jun 2021
23. European Commission, LSEC, PwC (2019) Cybersecurity industry market analysis. https://doi.org/10.2759/018751
24. European Union. Information society. https://eur-lex.europa.eu/summary/glossary/information_society.html. Accessed 9 Dec 2020
25. Europol (2021) European cybercrime centre (EC3). https://www.europol.europa.eu/about-europol/european-cybercrime-centre-ec3. Accessed 23 May 2021
26. Eurostat (2021) Digital economy and society. https://ec.europa.eu/eurostat/web/digital-economy-and-society/data/database. Accessed 20 Jan 2022
27. Gao J, Barzel B, Barabási AL (2016) Universal resilience patterns in complex networks. Nature. https://doi.org/10.1038/nature16948
28. Help Net Security (2019) Number of connected devices reached 22 billion, where is the revenue? https://www.helpnetsecurity.com/2019/05/23/connected-devices-growth/. Accessed 28 May 2020
29. Kohler C (2020) The EU Cybersecurity Act and European standards: an introduction to the role of European standardization. Int Cybersecur Law Rev. https://doi.org/10.1365/s43439-020-00008-1
30. Kovacs L (2017) Comparative study on digital economy and society of Austria and the Visegrad countries. Econ Manag 2:36–47
31. Kuehl DT (2009) From cyberspace to cyberpower: defining the problem. In: Cyberpower and national security. Potomac Books and National Defense University, pp 24–42. https://doi.org/10.2307/j.ctt1djmhj1.7
32. Kurzweil R (2004) The law of accelerating returns. In: Alan Turing: life and legacy of a great thinker. https://doi.org/10.1007/978-3-662-05642-4_16
33. Lom M, Pribyl O (2020) Smart city model based on systems theory. Int J Inf Manage. https://doi.org/10.1016/j.ijinfomgt.2020.102092
34. Maslow AH (1943) A theory of human motivation. Psychol Rev 50(4):370–396. https://doi.org/10.1037/h0054346
35. Maslow AH (1970) Motivation and personality, 2nd edn. Harper & Row
36. Micossi S (2016) 30 years of the single European market. In: Bruges European economic policy briefings
37. Orr J (2019) Incident of the week: 4 million Bulgarian citizens affected by tax agency data breach. Cyber Security Hub
38. Parida V, Sjödin D, Reim W (2019) Reviewing literature on digitalization, business model innovation, and sustainable industry: past achievements and future promises. Sustainability. https://doi.org/10.3390/su11020391
39. Parviainen P, Tihinen M, Kääriäinen J, Teppola S (2017) Tackling the digitalization challenge: how to benefit from digitalization in practice. Int J Inf Syst Proj Manag. https://doi.org/10.12821/ijispm050104
40. Ponomarov SY, Holcomb MC (2009) Understanding the concept of supply chain resilience. IJLM. https://doi.org/10.1108/09574090910954873
41. Prawesh S, Chari K, Agrawal M (2021) Industry norms as predictors of IT outsourcing behaviors. Int J Inf Manage. https://doi.org/10.1016/j.ijinfomgt.2020.102242
42. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), Official Journal L 119 1 (2016). http://data.europa.eu/eli/reg/2016/679/oj
43. Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act), Official Journal L 151 15 (2019). http://data.europa.eu/eli/reg/2019/881/oj
44. Regulation (EU) No 910/2014 of the European Parliament and the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC, Official Journal L 257 73 (2014). http://data.europa.eu/eli/reg/2014/910/oj
45. Ryba M (2014) The role of ICT components in the functioning of critical infrastructure. In: Świątkowska J (ed) Critical infrastructure security: the ICT dimension. The Kosciuszko Institute, pp 59–62
46. Scase R, Bell D (1974) The coming of post-industrial society: a venture in social forecasting. Br J Sociol. https://doi.org/10.2307/590163
47. Tranos E, Ioannides YM (2019) ICT and cities revisited. Telemat Inform. https://doi.org/10.1016/j.tele.2020.101439
48. Trotta D, Garengo P (2018) Industry 4.0 key research topics: a bibliometric review. 2018 7th International Conference on Industrial Technology and Management, ICITM 2018. https://doi.org/10.1109/ICITM.2018.8333930
49. von Roessing R (2010) The ISACA business model for information security: an integrative and innovative approach. In: Pohlmann N, Reimer H, Schneider W (eds) ISSE 2009 securing electronic business processes. Vieweg+Teubner. https://doi.org/10.1007/978-3-8348-9363-5_4
50. Webster F (1994) What information society? Inf Soc. https://doi.org/10.1080/01972243.1994.9960154
51. Wolpoff D (2020) After the FireEye and SolarWinds breaches, what’s your failsafe? TechCrunch
Publisher’s Note Springer Nature remains neutral with regard to jurisdictional claims in published maps
and institutional affiliations.