A new study led by academics from the Cloud Legal Project at Queen Mary University of London has found that current cybersecurity standards set by the European Union, known as the NIS Directive, do not go far enough and could potentially be undermined.
The 2018 NIS Regulations, which implement the NIS Directive in the UK, aim to ensure that operators of essential services are protected from disruption, by requiring them to take “appropriate and proportionate” measures when it comes to cybersecurity.
Compliance is subjective
The research, which focused on airports like Heathrow and airlines like British Airways, found that to comply with the regulation, service operators must identify, assess, and then address the cyber risks they face. However, such risk management inevitably entails a level of subjective judgment and trade-offs.
According to the researchers, the requirements of the Directive are too vague and open to…
