The outcome efficacy of the entity risk management requirements of the NIS 2 Directive-Reference-Cited by-同舟云学术

The outcome efficacy of the entity risk management requirements of the NIS 2 Directive

Published:2023-08-17 Issue:4 Volume:4 Page:371-386
ISSN:2662-9720
Container-title:International Cybersecurity Law Review
language:en
Short-container-title:Int. Cybersecur. Law Rev.

Author:

Ferguson Donald David Stewart^ORCID

Abstract

AbstractThe NIS 2 Directive (2022/2555) of the European Union (EU) identifies the cybersecurity risk management requirements for essential and important entities in EU member states. The principal question we address is, how effective are the cybersecurity risk management measures of the NIS 2 Directive against cyberattacks on essential and important entities in EU member states? It was observed, through statutory interpretation and cyber kill chain model analysis, that the cybersecurity risk management measures of the NIS 2 Directive may be significantly limited in their effectiveness against cyberattacks on essential and important entities in EU member states. The limited effectiveness is primarily due to the narrow scope of the cybersecurity risk management measures, including the lack of specific measures focused on the reconnaissance phase of a cyberattack.

Funder

ERDF

Georg-August-Universität Göttingen

Publisher

Springer Fachmedien Wiesbaden GmbH

Subject

Anesthesiology and Pain Medicine

Link

https://link.springer.com/content/pdf/10.1365/s43439-023-00097-8.pdf

Reference39 articles.

1. Directive (EU) 2022/2555 of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive) [2022] OJ L333/80.

2. Lenaerts K, Gutiérrez-Fons JA ‘To Say What the Law of the EU Is: Methods of Interpretation and the European Court of Justice’ (European University Institute 2013). https://heinonline.org/HOL/LandingPage?handle=hein.journals/coljeul20&div=11&id=&page=. Accessed 24 Sept 2019

3. Ferguson DDS (2022) ‘European Cybersecurity Certification Schemes and cybersecurity in the EU internal market.’ Int Cybersecur Law Rev 3:51–114. https://doi.org/10.1365/s43439-021-00044-5

4. Hutchins EM, Cloppert MJ, Amin RM ‘Intelligence-driven computer network defense informed by analysis of adversary campaigns and intrusion kill chains’ (Lockheed Martin 2010). https://www.lockheedmartin.com/content/dam/lockheed-martin/rms/documents/cyber/LM-White-Paper-Intel-Driven-Defense.pdf. Accessed 19 July 2019

5. ‘advanced persistent threat’ (NIST CSRC). https://csrc.nist.gov/glossary/term/advanced_persistent_threat. Accessed 5 Mar 2023