Member States are not applying Directive 2016/1148 on the security of network and information systems in a uniform way, which raises concerns about the risk of fragmentation. That is the finding of a follow-up report published by the European Commission on Monday 28 October.
This Directive, adopted in 2015, aims to ensure a common, high level of security for networks and information systems of general interest for public security, against a background of increasing cyber attacks. It requires Member States to draw up a list of operators of essential services, which must take measures to manage the risks to their networks and report incidents to the competent authorities. (On the same day, 28 October, the Italian bank UniCredit admitted that it had been hacked, citing a data incident, not involving bank data, concerning a file dating back to 2015.)
The Commission's report examines the list drawn up by each Member State, broken down by the sectors and sub-sectors identified in Annex II to the Directive. It notes that an average of 35 services are identified per Member State, with the number ranging from 12 to 87. Similarly, the total number of essential service operators (ESOs) reported to the Commission by Member States ranges from 20 to 10,897, with an average of 633 ESOs per Member State. These figures come from an evaluation conducted between November 2018 and September 2019.
Lack of data and fragmentation
However, the Commission regrets that Member States have been slow to transpose the Directive (it sent letters of formal notice to six Member States in summer 2019). It also points out that it has received only partial data on the identification of essential service operators from five Member States: Austria, Belgium, Hungary, Romania and Slovenia.
In addition, the Directive is based on minimum harmonisation, which makes comparison between Member States difficult. This approach allows Member States to deviate slightly from the sectors, sub-sectors and types of entity identified in the Directive, or even to add new ones. “For example, Bulgaria has drawn up an extremely detailed list of services, which even includes a service not listed in Annex II (electricity markets)”, the report observes, adding that five Member States have also identified information infrastructure, four have identified financial services and four public services. The report is available at: http://bit.ly/2C12O9L (Original version in French by Sophie Petitjean)