A new study led by academics from the Cloud Legal Project at Queen Mary University of London has found that current cyber-security standards set by the European Union, known as the NIS Directive, do not go far enough and could potentially be undermined.
12 February 2020
The 2018 NIS Regulations, which implement the NIS Directive in the UK, aim to ensure that operators of essential services are protected from disruption, by requiring them to take “appropriate and proportionate” measures when it comes to cyber-security.
The research, which focused on airports like Heathrow and airlines like British Airways, found that to comply with the regulation, service operators must identify, assess, and then address the cyber risks they face. However, such risk management inevitably entails a level of subjective judgement and trade-offs.
According to the researchers, the requirements of the Directive are too vague and open to interpretation, meaning that some airports and airlines may only put in place those security measures they consider to be in their own commercial interests. Service providers could even go so far as to abuse their discretion by engaging in ‘paper compliance’ – creating lots of security documentation to show regulators, without meaningfully changing their approach, effectively putting profits ahead of cyber-security.
The research also found that the vague nature of the NIS Directive can make it difficult for regulators, such as the Civil Aviation Authority, to effectively police whether the security requirements are being met or not. The study comes after several high-profile IT glitches in the airline industry.
Dave Michels, Researcher at Queen Mary’s Centre for Commercial Law Studies and co-author of the paper, said: “Regulators will need to carefully monitor airports and airlines and challenge their approaches as necessary. This will require them to hire cybersecurity experts to do this effectively.”
Ian Walden, Professor of Information and Communications Law and co-author of the study, added: “Brexit may further complicate matters due to the UK’s departure from the European Agency for Cybersecurity, which plays an important role by providing guidelines for compliance and sharing best practices.”