Beyond "Complacency and Panic": Will the NIS Directive Improve the Cybersecurity of Critical National Infrastructure?

This article examines the safeguarding and information obligations the NIS Directive imposes on operators of essential services (OES). The Directive aims to ensure that such services are protected from disruption by requiring OES to take "appropriate and proportionate" security measures. In this article, we look at what this means in practice, with a focus on air transport services. We argue that OES need to identify, assess, and address the cyber risks they face and that such risk management inevitably entails a level of subjective judgement and difficult trade-offs. Regulators should accordingly accord OES significant discretion. However, this raises the risk that OES will abuse their discretion, particularly by engaging in "paper compliance". Regulators will need to actively challenge OES to ensure that they exercise this discretion appropriately.