Date: 2025-03-11

Cybersecurity threats are nearly always cross-border. One cyberattack on critical infrastructure in one country can affect the EU as a whole. The NIS Directive (Directive on security of Network and Information Systems) was adopted in 2016 and came into effect in 2018. It is currently being reviewed and we expect a revised Directive or a Regulation to come into effect beginning in 2021.

IBM strongly supports the development and further enhancement of this legal framework that strengthens cybersecurity in Europe, as we agree that strengthening cybersecurity resilience has benefits for industry, governments and society as a whole. The NIS Directive has played an important part in setting common security requirements across Europe as well as establishing incident reporting procedures. Such requirements and procedures need to be founded on a risk-based approach.

As a leading cloud service provider hosting many customers that provide critical infrastructure (known as Operators of Essential Services or OES), IBM does not believe that expanding the scope of the Directive to include new sectors or services under the OES category is advisable. Adding more sectors will add more burden on Member States and reduce effective supervision, while a narrow approach, where Europe concentrates its collective efforts on securing the most critical environments based on risk, will be more effective in increasing cyber resilience. In other words, it is better to have an effort that is carefully focused based on risk than to try to boil the ocean.

In addition to the revision of the NIS Directive, the Commission is expected in the coming months to publish its new Cyber Security Strategy with additional measures such as a European Cybersecurity Competence Centre. IBM’s view is that participation in such an initiative should be open to all industry players, and should not be tinged with a European-only, digital-sovereignty approach. When it comes to cybersecurity, cooperation is key, not borders.