Retrospective Workshop 'Challenges of Implementing Cybersecurity: The Perspective of the NIS2 Directive'
On March 13th, an event about cybersecurity and the Network and Information systems Security (NIS) 2 Directive was organized by Evgeni Moyakine, an Assistant Professor IT law from the Faculty of Law, in collaboration with the Jantina Tammes School of Digital Society, Technology and AI. During the workshop 'Challenges of Implementing Cybersecurity: The Perspective of the NIS2 Directive', held at the House of Connections, participants were immersed in an engaging and informative experience facilitated by the valuable contributions of the invited speakers: Fadi Mohsen, an Assistant Professor Computer Science from the Faculty of Science and Engineering, and Arjan de Jong, Inspector Specialist at the Dutch Authority for Digital Infrastructure. The event aimed to explore the key challenges of implementing the NIS2 Directive, which strengthens EU-wide cyber resilience across certain critical sectors, such as energy, health and public administration.
The afternoon commenced with a presentation by Evgeni Moyakine about the NIS framework encompassing two directives of the EU. He not only explained the main provisions of these legal acts but also highlighted the primary shortcomings and limitations of the NIS1 Directive – such as its narrow scope of application and vague provisions – and the need for the adoption of the second version of this directive. In addition, the legal expert examined the changing dynamics of the cybersecurity landscape and discussed the core issues and challenges related to the process of ensuring digital security of networks and information systems of organizations operating within critical infrastructure. Furthermore, he stressed the relevance and value of cyber attribution and international responsibility for state-sponsored offensive cyber operations and elaborated upon the cybersecurity obligations that the so-called essential and important entities falling within the scope of the NIS2 Directive must comply with to protect their assets from cyber-attacks and other cyber incidents.
Following that, Fadi Mohsen covered the technical perspective of the implementation of the NIS2 Directive and delved into the variety of technical measures to be adopted by public and private entities subject to compliance with this legal act. He shed light on the significance of cyber resilience in the modern era and provided insights into the factors contributing to hackers’ success in their malicious activities. While hackers only need to discover a single vulnerability to launch a cyber-attack, defending networks and systems against them is more challenging and necessitates a proactive and holistic cybersecurity approach. Importantly, the cybersecurity expert detailed specific measures to be taken for safeguarding digital security, including network segmentation and basic cyber hygiene practices, and outlined the actual steps to be taken by the affected organizations.
Subsequently, Arjan de Jong, a UG graduate who had studied IT law, took the stage and addressed the implementation of the NIS2 Directive from a legal standpoint. As a cybersecurity expert who is directly involved in the Dutch transposition efforts, he offered a clear overview of the law-making procedures at both the EU and national levels and articulated the complex nature of the process of implementing European legal regulations governing cybersecurity into national legislation. This explanation was highly valuable considering the fact that the audience comprised more than just legal professionals. Drafting the national law based on the NIS2 Directive is, according to him, akin to coding in a programming language, such as C++: one tiny mistake in the code can cause the entire system to malfunction or to collapse. The Inspector Specialist encouraged all participants in the event, particularly students, to become more engaged in the fascinating legislative processes in this field, for instance, by actively contributing to internet consultations.
The workshop ended with a ‘hands-on experience’ in the form of an assignment based on a real-world scenario that was presented to the audience. A ransomware attack strikes the University Medical Centre Groningen and infects the systems of the organization through a phishing email. This digital attack with a highly aggressive ransomware variant called ‘LockBit 3.0’ results in a severe disruption of essential medical services, and the availability and confidentiality of all patient records are compromised. The participants were given a set of four questions spanning technical, legal, ethical and educational domains and engaged in discussions with each other and with Evgeni Moyakine, who was leading the exercise. They enthusiastically explored the posed questions and exchanged ideas and concerns. Some of them indicated during the networking breaks that the workshop had left a lasting impact on them as a stimulating learning activity, which underscores the potential of this event or other similar events for future iterations.
Last modified: 25 March 2024 08.03 a.m.