The institutionalization of cybersecurity management at the EU-Level : 2013-2016

Backman, Sarah

January 2016

International cybersecurity is arguably one of the most serious, complex and recent security-issues of our time. The connectivity between EU member states regarding cybersecurity due to the borderless nature of cyber, together with increasing threat-levels, has made the need for a common response widely acknowledged in the EU for several years. Even so, a common EU cybersecurity response involves problems such as reluctance of member states to share information, that cybersecurity management is linked to national security and therefore touches upon sovereignty, and different levels of cybersecurity development between member states. Despite this, the Network and Information Security Directive was adopted by the European Council in May 2016, involving EU-wide binding rules on cybersecurity. This thesis examines and explains, through a neo-functionalistic approach, how and why this development towards supranational management of cybersecurity in the EU has happened. The author finds that cybersecurity management seems to have institutionalized from a nascent phase during 2013, moving towards an ascendant phase during the end of 2013 and 2014, to end up between an ascendant and a mature phase during 2015 and 2016 – which makes the adoption of the NIS-directive logical. The neo-functionalistic explanation to the development of supranational cybersecurity management in the EU highlights the role of the Commission as a ‘policy entrepreneur’ and the publication of the EU cybersecurity strategy, accompanied by the proposal for the NISdirective in 2013. These regulatory outputs sparked further institutionalization by providing many opportunities and venues for member states to interact and build networks on cybersecurity issues, by initiatives with normative impact to foster an EU ‘cybersecurity community’, by the continuous strengthening of supranational cybersecurity actors such as ENISA, and by supranational cybersecurity cooperation platforms, such as the NIS-platform and the European Private Public Partnership on cybersecurity. Between 2013 and 2016, 21 EU Member States published national cybersecurity strategies, almost all referring clearly to their commitment to EU cybersecurity initiatives. This provides an indicator of a high level of legitimacy of supranational cybersecurity management. However, the thesis also finds that the strongest supporters of EU cybersecurity management are not the most powerful member states but rather the smaller ones. While not expressing a strong commitment to EU initiatives in cyber policy documents, the most powerful member states still agreed to the NIS-directive. This supports the neo-functionalist notion about the “stickiness” of an institutionalization-process, and the possibility that powerful states might have double paths, committing to EU regulation and institutionalization while still continuing their own way.

EU cybersecurity management

EU

cybersecurity

institutionalization

neofunctionalism

the NIS-Directive

Influence of the legislation on the cybersecurity posture – The case of the NIS Directive

Josip, Furjan

January 2023

No description available.

Annan elektroteknik och elektronik

Kybernetická bezpečnost ve vesmírném prostoru: Rámec zvládání rizik spojených s kybernetickými útoky a model vylepšení evropských politik / Cybersecurity for Outer Space - A Transatlantic Study

Perrichon, Lisa

January 2018

Cyber attacks can target any nodes of the space infrastructure, and while these attacks are called non-violent, there is a credible capability to use cyber attacks to cause direct or indirect physical damage, injury or death. However, the vulnerability of satellites and other space assets to cyber attack is often overlooked, which is a significant failing given society's substantial and ever increasing reliance on satellite technologies. Through a policy analysis, this dissertation assess the set of political provisions provided by the European Union to address the cyber security issue of the space infrastructure. Such study aims at exploring the geopolitical consequences linked to space cyber security risks, and at assessing the political preparedness of the European Union to address these challenges. The perspective of transatlantic cooperation to further support both American and European effort to tackle this security risk is also addressed. The overarching value of the study is to contribute to future European cyber security for space and transatlantic debates by providing useful perspectives and key takeaways on these two domains. Ultimately, he existing set of policies are not sufficient to address the cyber security issue in Outer Space, a unified approach by the European Union and the United...

Case study: testing Wahlgren’s escalation maturity model within public sector organisations in Sweden : Studying model support for operators of essential services in meeting NIS directive requirements for incident escalation

Ferguson, Isaac Yaw

January 2021

Critical infrastructures are vital services, and attacks on such systems affect people's social and economic well-being. Therefore, operators of such services must have appropriate measures in place to handle IT-related incidents. However, reports show that organisations classified as Operators of Essential Services (OES) do not have appropriate measures to handle IT-related incidents. A case study approach is used in this study to test the usability and the applicability of Wahlgren's Escalation Maturity Model level within various public sector organisations in Sweden regarding their escalation and communication of IT-related incidents. A follow-up semi-structured interview is also conducted with employees at the technical level to determine if the current organisation's maturity level shortcomings are known across different organisational levels. The tool's maturity level scaling attributes are difficult to understand because all organisations in this study achieve the same level of maturity, even though there is a wide range of performance regarding the number of questions answered in the affirmative. The data output generated from the testing of the model can assist organisations in improving their incident escalation activities. However, the lack of precision of the model makes it challenging to apply in the public sector. The results reveal that all the five organisations obtained an escalation maturity level of zero (0), non-existent, regarding escalation of IT-related incidents. As a result, with the current model, the participating organisations will have a difficult task complying with the NIS Directive's security and notification requirements.

IT security

maturity model

IT-related incidents

NIS directive

operation of essential services

escalation maturity

Information Systems, Social aspects

Cybersäkerhet inom små och medelstora organisationer : Med anpassning till EU:s NIS-Direktiv / Cybersecurity in Small and Medium-Sized Enterprises : Adapting to the EU's NIS-Directive

Abas, Hassan, Almén, Jonathan

January 2024

Denna studie undersöker hur små och medelstora företag i Sverige implementerar EU:s NIS-direktiv genom sina cybersäkerhetsstrategier och -policyer. Syftet är att identifiera de huvudsakliga utmaningarna och framgångsfaktorerna i denna process. Genom intervjuer med ledande personer inom dessa företag framkommer det att ledningens fulla engagemang är avgörande för att integrera NIS-direktivens krav i den dagliga verksamheten. Studien identifierar tvångsmässig och mimetisk isomorfism som viktiga faktorer för anpassning, där företagen påverkas både av regulatoriska krav och av att efterlikna framgångsrika strategier från andra företag. Resultaten visar att proaktiv riskhantering, inklusive regelbundna utbildningar och användning av standarder som ISO 27001 och NIST, stärker företagens motståndskraft mot cyberhot. Användning av externa konsulter är en effektiv strategi, trots de höga kostnaderna. Studien betonar behovet av skräddarsydda cybersäkerhetsstrategier som tar hänsyn till varje företags unika förutsättningar och behov / This study investigates how small and medium-sized enterprises in Sweden implement the EU's NIS Directive through their cybersecurity strategies and policies. The aim is to identify the main challenges and success factors in this process. Interviews with key individuals within these companies reveal that strong leadership engagement is crucial for integrating the NIS Directive requirements into daily operations. The study identifies coercive and mimetic isomorphism as significant factors for adaptation, where companies are influenced both by regulatory demands and by mimicking successful strategies from other firms. The findings show that proactive risk management, including regular training and the use of standards such as ISO 27001 and NIST, enhances companies' resilience against cyber threats. The use of external consultants is an effective strategy, despite the high costs. The study emphasizes the need for tailored cybersecurity strategies that consider each company's unique conditions and needs.

NIS Directive

Cybersecurity

Isomorphism

Risk Management

NIS-direktiv

Små och medelstora företag (SMF)

Cybersäkerhet

Isomorfism

Riskhantering

Information Systems

Förändringar vid införande av cybersäkerhetsdirektiv hos kommuner : En kvalitativ kartläggning över vilka förändringar som kan uppstå i svenska kommuner till följd av EU-direktiv för cybersäkerhet / Changes when implementing cybersecurity directives in municipalities : A qualitative survey of the changes that may occur in Swedish municipalities as a result of EU cybersecurity directives

Ström, Sandra, Plyhr, Matilda

January 2024

The purpose of this study is to investigate changes in municipalities that occur when the NIS and NIS 2 directives are introduced. The changes refer to internal and external changes that municipalities experience. Furthermore, an increased threat of cyber attacks as well as a lack of cyber security is the basis for conducting the survey. A research gap has been identified regarding municipalities' work with EU directives for cyber security, which the study intends to contribute to. The study's empirical data consists of six semi-structured interviews with various Swedish municipalities, where the result is the identified changes that the municipalities state. In a thematic analysis, the following themes are presented: IT focus, IT systems, competence development and cooperation, employment, clarity, conflict of interest, prerequisites for the NIS 2 directive and meaningfulness. The study uses Bolman and Deal's (2021) framework Four frame model, which forms the structure for the results and the analysis and strengthens the study by contributing with a comprehensive theory for possible changes. The study contributes with insight into the changes that municipalities may face upon the introduction of the NIS 2 directive, as well as what changes municipalities have experienced upon the introduction of the NIS directive. / Denna studie har till syfte att undersöka förändringar hos kommuner som uppstår vid införandet av NIS- och NIS 2-direktivet. Förändringarna avser interna och externa förändringar som kommuner upplever. Vidare ligger ett ökat hot om cyberattacker samt en bristande cybersäkerhet till grund för undersökningens genomförande. Ett forskningsgap har identifierats kring kommuners arbete med EU-direktiv för cybersäkerhet, vilket studien ämnar bidra till. Studiens empiri utgörs av sex stycken semistrukturerade intervjuer med olika svenska kummuner, där resultatet utgörs av de identifierade förändringar som kommunerna uppger. I en tematisk analys presenteras följande teman: IT-fokus, IT-system, kompetensutveckling och samarbete, anställning, tydlighet, intressekonflikter, förutsättningar för NIS 2-direktivet samt meningsfullhet. I studien tillämpas även Bolman och Deals (2021) ramverk Four frame model, vilken utgör strukturen för resultatet och analysen samt stärker studien genom att bidra med en heltäckande teori för möjliga förändringar. Studien ämnar bidra med insikt i de förändringar som kommuner kan ställas inför vid införandet av NIS 2-direktivet, samt vilka förändringar kommuner har upplevt vid införandet av NIS-direktivet.

NIS directive

NIS 2 directive

Municipality

Cyber security

Information security

IT security

EU directive

Change

NIS-direktivet

NIS 2-direktivet

Kommun

Cybersäkerhet

Informationssäkerhet

IT-säkerhet

EU-direktiv

Förändring

Information Systems