Network and Information Security and Cyber Defence in the European Union

This chapter will address the remaining central strands of the Cybersecurity Strategy of the European Union (EUCSS 2013), namely those of Network and Information Security (NIS) and cyber defence. These two areas of cybersecurity policy are driven by two different mandates, and therefore very different processes and actors, even though collaborative structures on cybersecurity have now been established within the EU institutional milieu. Moreover, they are at different stages of development, with the issue of NIS part of the EU agenda for over ten years, and cyber defence only appearing more explicitly as a specific cybersecurity priority in the EUCSS. There will, thus, be a certain asymmetry in the balance of the analysis that follows, but it will nevertheless focus on the evolution of the two strands in the context of building resilience and indeed defence prior to the publication of the EUCSS and offer an early assessment of how measures outlined in the strategy might move the EU towards effective security as resilience in the near future. As with cybercrime, it must be emphasised here that these two strands whilst being analytically separated in this chapter, are very much interlinked — cyber defence is a critical element in securing systems and infrastructures against cyber-attacks. However, these two dimensions are ‘governed’ by very different mandates and therefore dynamics, which have varied implications for the evolving, even though overlapping ecosystem for both.