Jusletter IT

The 2016 EU Directive on security of network and information systems (NIS Directive) is arguably the most significant attempt at increasing cybersecurity and network resiliency in Europe. It includes Internet based services and their operators into the well established category of critical infrastructure (CI). This implies an increased reliance on business participation. Numerous categories of Internet based services will need to raise the level of security they provide for their infrastructure and software. They will also be required to share information on threats and best practices in preventing and combating cyberthreats with their peers and states agencies. The NIS Directive makes therefore cybersecurity one more area of international law and policy that relies on a good-business practice based standard of due diligence, required from critical infrastructures operators. This has thus far been the case for e.g. power plant operators, water suppliers or banking services. This paper seeks to put this latest development of cybersecurity in the context of contemporary international law, drawing analogies with the law of state responsibility and international liability, as developed by international environmental law, law of treaties or diplomatic relations.