TFL Vsebine / Revija SIR*IUS

From security of networks and information systems to cybersecurity in European Union

Evropska unija (v nadaljevanju: EU) je že zgodaj prepoznala velik pomen varnosti omrežij in informacijskih sistemov (v nadaljevanju: IS) za delovanje družbe in leta 2013 sprejela Strategijo EU za kibernetsko varnost. Prvi zakonodajni akt EU-ja na tem področju je sledil tri leta kasneje s sprejemom Direktive o ukrepih za visoko skupno raven varnosti omrežij in IS-jev v Uniji – direktive NIS, katere cilj je bil predvsem zagotavljanje visoke skupne ravni varnosti omrežij in IS-jev v EU-ju. Premiki na področju kibernetske varnosti v EU-ju so se začeli v letu 2019, ko je bila z Aktom o kibernetski varnosti vzpostavljena Agencija EU za kibernetsko varnost in sistem vseevropskih certifikacijskih shem, Svet EU-ja pa je vzpostavil okvir, na podlagi katerega lahko izvaja sankcije in ciljno usmerjene omejevalne ukrepe za odvračanje in odzivanje na kibernetske napade. V letu 2019 je tudi Evropsko računsko sodišče zaključilo analizo področja kibernetske varnosti v EU-ju in objavilo informativni dokument – Izzivi za uspešno politiko EU za kibernetsko varnost, v katerem je opravilo pregled kompleksne politike EU-ja na področju kibernetske varnosti ter opredelilo 10 izzivov za njeno uspešno izvajanje. Izbruh novega koronavirusa in razglasitev pandemije marca 2020 pa sta poskrbela za novo realnost. Številne institucije in gospodarske družbe so se morale dobesedno čez noč prilagoditi tej novo nastali situaciji in urediti vse potrebno za delo na daljavo, kar je s seboj prineslo tudi številne nove ranljivosti za uporabnike ter izzive za strokovnjake. Kljub povečanemu zavedanju pomena kibernetske varnosti v takšnih razmerah pa je bila ta na račun uporabnosti pogosto vseeno potisnjena na stran. V prispevku bom predstavil izzive, ki jih je opredelilo Evropsko računsko sodišče, in prihajajoče trende na področju kibernetske varnosti v EU-ju.

The European Union (hereinafter: EU) early recognized the importance of the security of networks and information systems for the functioning of society and adopted Cybersecurity Strategy of the EU in 2013. The first legislative act of the EU in this field followed three years later, when the EU adopted the Directive concerning measures for a high common level of security of network and information systems across the Union – the NIS Directive, aimed primarily at ensuring a high common level of security of networks and information systems in the EU. Shifts in the field of cyber security in the EU began in 2019, when the EU Agency for Cybersecurity and EU-wide certification schemes were established with the Cyber Security Act and the Council of the EU established a framework under which it could impose sanctions and targeted restrictive measures to deter and respond to cyberattacks. In 2019, the European Court of Auditors also completed an analysis of cyber security in the European Union and issued a briefing paper – Challenges to effective EU cybersecurity policy. The paper reviewed the complex cybersecurity policy of the EU and identified 10 challenges for its successful implementation. The outbreak of a new coronavirus and the declaration of a pandemic in March 2020 provided a new reality. Many institutions and companies had to adapt to this new situation literally overnight and arrange everything necessary to work from home, which also brought with it many new vulnerabilities for users and challenges for professionals. Despite the growing awareness of the importance of cyber security in such situations, it has often been pushed aside at the expense of usability. In this paper, we will present the challenges identified by the European Court of Auditors and future trends in cybersecurity in the EU.