Pravno uređenje bezbednosti informacione kritične infrastrukture

Legal regulation of information critical infrastructure security

Authors

  • Tatjana Bugarski, University of Novi Sad, Faculty of Law
  • Milana Pisarić, University of Novi Sad, Faculty of Law

Keywords:

critical infrastructure, cyber security, data security, risk management, NIS Directive

Abstract


Network and information systems and services, as information critical infrastructure, play a significant role in modern society, so their reliability and security matter for key social and economic activities. However, their existence and proper functioning are threatened by security risks in cyberspace that are growing in scale, frequency and impact. These systems may become the target of cyberattacks, that is, unauthorized actions taken with the intention of causing damage and/or interrupting their operation. Such incidents may jeopardize the social and economic activities that depend on information critical infrastructure, which is why cyber security requires attention. At the same time, risk management in cyberspace must not undermine legal certainty, so the way in which guidelines for cyber security risk assessment are prescribed is extremely important. A good example of such regulation is the European Union Directive on the security of network and information systems (Directive (EU) 2016/1148, the NIS Directive). The Directive requires certain organizations to take appropriate and proportionate security measures and to identify, assess and take into account the cyber security risks they face, in order to prevent and minimize disruption of the services they provide. By prescribing such obligations, the Directive aims to ensure that information critical infrastructure is protected from disruptions that could affect key economic and social activities. The subject of this paper is an analysis of the security and notification obligations that the NIS Directive prescribes for digital service providers, as well as an analysis of the proposed revision of the Directive.

References

Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection, Official Journal of the European Union L 345/75, https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32008L0114&from=hr

Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union, Official Journal of the European Union L 194/1, https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016L1148&from=HR

European Parliament resolution of 12 March 2019 on security threats connected with the rising Chinese technological presence in the EU and possible action on the EU level to reduce them (2019/2575(RSP)), https://www.europarl.europa.eu/doceo/document/TA-8-2019-0156_EN.html

Communication from the Commission to the European Parliament, the European Council, the Council, the European Economic and Social Committee and the Committee of the Regions on the EU Security Union Strategy, COM(2020) 605 final, 24.7.2020, https://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1596452256370&uri=CELEX:52020DC0605

Joint Communication to the European Parliament and the Council, The EU's Cybersecurity Strategy for the Digital Decade, JOIN(2020) 18 final, 16.12.2020, https://ec.europa.eu/newsroom/dae/document.cfm?doc_id=72164

Recovery Plan for Europe, https://ec.europa.eu/info/strategy/recovery-plan-europe_en

Communication from the Commission on the EU Security Union Strategy, COM(2020) 605 final, 24.7.2020, https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:52020DC0605&from=EN

Proposal for a Directive of the European Parliament and of the Council on the resilience of critical entities, 16.12.2020, https://ec.europa.eu/home-affairs/system/files/2020-12/15122020_proposal_directive_resilience_critical_entities_com-2020-829_en.pdf

Published

2022-02-17

How to Cite

Bugarski, T., & Pisarić, M. (2022). Pravno uređenje bezbednosti informacione kritične infrastrukture: Legal regulation of information critical infrastructure security. Zbornik Radova Naučno-stručnog društva za Upravljanje Rizicima u Vanrednim Situacijama (Collection of Papers, Scientific-Professional Society for Disaster Risk Management and International Institute for Disaster Research), 31–42. Retrieved from https://zbornik.upravljanje-rizicima.edu.rs/index.php/d/article/view/27