8.
L. Kolowich, “4 Mistakes to Avoid When Scaling Your Content Marketing [Infographic],” HubSpot, 31 05 2016. [Online]. Available: http://blog.hubspot.com/marketing/scaling-content-mistakes#sm.000mfdcdd1old5s10bd25btkfwua4. [Accessed 29 08 2016].
9.
G. Charlton, “12 useful content marketing examples from ecommerce brands,” Econsultancy, 12 05 2015. [Online]. Available: https://econsultancy.com/blog/66432-12-useful-content-marketing-examples-from-ecommerce-brands/. [Accessed 29 08 2016].
10.
eMarketer, “Advertising & Marketing: Site Visits, Social Shares Measure Content Marketing Success in Europe,” eMarketer, 18 03 2016. [Online]. Available: http://www.emarketer.com/Article/Site-Visits-Social-Shares-Measure-Content-Marketing-Success-Europe/1013970. [Accessed 29 08 2016].
11.
G. Satell, “Marketing: Content Marketers Need to Act Like Publishers,” Harvard Business Review, 21 03 2016. [Online]. Available: https://hbr.org/2016/03/content-marketers-need-to-act-like-publishers. [Accessed 29 08 2016].
12.
J. Lee, “Editorial Strategy and Planning/Operations, Teams and Process: A Step-by-Step Guide to Becoming a Brand Publisher,” Content Marketing Institute, 22 03 2015. [Online]. Available: http://contentmarketinginstitute.com/2015/03/guide-brand-publisher/. [Accessed 29 08 2016].
13.
E. Machin, “What is earned, owned & paid media? The difference explained.,” Titan SEO, [Online]. Available: https://www.titan-seo.com/newsarticles/trifecta.html. [Accessed 06 07 2016].
14.
S. Johnson, “13 Spooky Stats to Scare Your Boss Into Better Marketing [SlideShare],” HubSpot, 31 10 2013. [Online]. Available: http://blog.hubspot.com/marketing/13-spooky-stats-to-scare-your-boss-into-better-marketing. [Accessed 29 08 2016].
15.
TWT Digital Group GmbH, “The Next Big Thing im eCommerce: Verkaufen per Chatbot,” 01 07 2016. [Online]. Available: https://www.twt.de/news/detail/the-next-big-thing-im-ecommerce-verkaufen-per-chatbot.html. [Accessed 31 07 2016].
16.
TWT Digital Group GmbH, “Chatbots: Umsatz dank neuem Kommunikations-Assistenten,” 05 25 2016. [Online]. Available: https://www.twt.de/news/detail/chatbots-umsatz-dank-neuem-kommunikations-assistenten.html. [Accessed 31 07 2016].
17.
C. Erxleben, “Wie Bots Marketing und E-Commerce verändern,” INTERNET WORLD Business, 22 06 2016. [Online]. Available: http://www.internetworld.de/technik/bots/bots-marketing-e-commerce-veraendern-1109221.html. [Accessed 31 07 2016].
18.
TWT Digital Group GmbH, “Chatbots: Umsatz dank neuem Kommunikations-Assistenten,” 25 05 2016. [Online]. Available: https://www.twt.de/news/detail/chatbots-umsatz-dank-neuem-kommunikations-assistenten.html. [Accessed 31 07 2016].
19.
J. Kaczmarek, “Das Phänomen WeChat,” DK Online-Medien UG, 09 03 2016. [Online]. Available: https://web.archive.org/web/20160310160456/http://www.digitalkompakt.de/uebersicht/wechat-messenger/. [Accessed 31 97 2017].
20.
Tencent, “Tencent announces 2016 firt quarter results,” 18 05 2016. [Online]. Available: http://www.tencent.com/en-us/content/ir/news/2016/attachments/20160518.pdf. [Accessed 31 07 2016].
Further Reading
21.
G. Coulouris, J. Dollimore and T. Kindberg, Distributed Systems – Concepts and Design, Amsterdam: Addison-Wesley Longman, 2005.
22.
Wikipedia, [Online]. Available: http://de.wikipedia.org/wiki/Remote_Method_Invocation. [Accessed 26 05 2011].
23.
7 Connections, “http://www.7connections.com,” [Online]. Available: http://www.7connections.com/blog/how-marketing-channels-have-changed. [Accessed 14 07 2016].
24.
Pardot, “http://www.pardot.com,” [Online]. Available: http://www.pardot.com/what-is-marketing-automation/. [Accessed 13 07 2016].
25.
Hasecke, “http://www.hasecke.com,” [Online]. Available: http://www.hasecke.com/plone-benutzerhandbuch/4.0/cms/cms.html. [Accessed 06 07 2016].
26.
Socialmediaführerschein, “http://socialmediafuehrerschein.de,” 05 04 2011. [Online]. Available: http://socialmediafuehrerschein.de/2011/04/05/was-ist-earned-owned-und-paid-media/. [Accessed 06 07 2016].
27.
Gründerszene, “http://www.gruenderszene.de/,” [Online]. Available: http://www.gruenderszene.de/lexikon/begriffe/earned-media. [Accessed 06 07 2016].
28.
C. Messina, “Tweet: how do you feel about using # (pound) for groups. As in #barcamp [msg]?,” 23 08 2007. [Online]. Available: https://twitter.com/chrismessina/status/223115412. [Accessed 31 07 2016].
29.
C. Messina, “2016 will be the year of conversational commerce,” Medium, 19 01 2016. [Online]. Available: https://medium.com/chris-messina/2016-will-be-the-year-of-conversational-commerce-1586e85e3991#.yapmq2x7t. [Accessed 31 07 2016].
30.
TWT Digital Group GmbH, “Wie Chatbots lernen und den Umsatz steigern,” 23 06 2016. [Online]. Available: https://www.twt.de/news/detail/wie-chatbots-lernen-und-den-umsatz-steigern.html. [Accessed 31 07 2016].
31.
F. Schmiechen, “Hallo Bot: Das Ende der Apps, wie wir sie kennen,” 05 07 2016. [Online]. Available: http://www.gruenderszene.de/allgemein/ende-der-apps?utm_source=feedly&utm_medium=rss&utm_campaign=rss&utm_source=rss&utm_medium=rss&utm_campaign=ende-der-apps&_lrsc=9760a935-96f4-4097-aeab-b989a72e9fee&utm_source=twitter&utm_medium=social&utm_campaign=Ele. [Accessed 31 07 2016].
32.
W3Techs, “Usage Statistics and Market Share of Content Management Systems for Websites, July 2016,” Q-Success, 31 07 2016. [Online]. Available: https://w3techs.com/technologies/overview/content_management/all. [Accessed 31 07 2016].
© Springer-Verlag GmbH Germany 2018
Claudia Linnhoff-Popien, Ralf Schneider and Michael Zaddach (eds.)Digital Marketplaces Unleashedhttps://doi.org/10.1007/978-3-662-49275-8_29
29. The European Network and Information Security Directive – a Cornerstone of the Digital Single Market
Martin Schallbruch1
(1)ESMT Berlin, Berlin, Germany
Martin Schallbruch
Email: [email protected]
29.1 Network and Information Security for Digital Markets
Not a big surprise: The digitization of the economy is essential for growth and prosperity in Europe. Comparing the global economic regions, the EU is not at the forefront of digitization. According to studies by the European Commission, 41% of European companies are not digital, only 2% take full advantage of digital opportunities [1]. Few European companies are amongst the world’s ICT leaders. The long term investment level in digital networks in Europe is below the US and Asia [2]. At the same time, it is estimated that a further digitization of the European economy can create up to 1.5 million new jobs [3]. The completion of a Digital Single Market in Europe is therefore one of the Junker Commission’s key policy objectives. With the Digital Single Market Strategy of 2015, the EU Commission presented its program for achieving this goal [1].
A high level of cybersecurity is a crucial prerequisite for Europe’s digital growth. Cybersecurity of digital infrastructures and digital services plays an important and ever growing role for the functioning of the internal market. Different levels of cybersecurity among the Member States are hindering transnational electronic services. Economic theory holds
that an appropriate level of cybersecurity cannot be achieved by market actors alone. Government action is required [4].
With the adoption of the EU Directive on Network and Information Security (NIS) in the summer of 2016, Europe has established requirements and management structures for network and information security. This article examines the role of the new EU legislation in the development of digital technology and digital business models. It looks into the legislation from a technology perspective, asking whether technological development to reduce cyber risks is stimulated by the regulation.
29.2 Regulatory Approaches to Cybersecurity
For a long time, the only international cybersecurity regulation was the Council of Europe Cybercrime Convention of 2001 (Budapest convention), set into force in 2004 [5]. Up to now, 49 countries worldwide have ratified the convention [6]. The aim of the convention is mainly a common criminal policy on cybercrime, i. e. the classification of criminal offences. It is not the objective of the Budapest Convention to, at some extent, stimulate technological or organisational means to enhance cybersecurity. The starting point for a broader discussion about cybersecurity regulation can be placed in 2003, when the G 8 principles for protecting critical infrastructures were adopted. This international document was one of the first to call for legislative cybersecurity measures by nation states. Subsequent recommendations by the UN, OECD, and ITU intensified the international pressure on states to act for the rising issue of cybersecurity [7].
The core element of the first regulatory discussion was ensuring the security of critical infrastructures. Critical infrastructures such as energy and water supply, health systems, transport, finance, and public administration, are crucially important for the functioning of modern societies. At the same time, these infrastructures are highly dependent on reliable information technology. Critical infrastructure protection is therefore a key issue of almost all national cyber security strategies worldwide [8]. Although in general privately owned, most critical infrastructures are already regulated to implement public requirements such as the safety of energy supply.
Therefore, initial regulatory approaches to protect the IT of critical infrastructures had a strong reference to prevailing models of safety regulation of infrastructures. However, the regulation models differ from country to country. In particular, rule‐based approaches and risk‐based approaches confront each other. In rule‐based approaches, the state poses specific requirements to the operators of critical infrastructures; fulfilment of the requirements have to be demonstrated or certified. Under risk‐based legislation operators have to build up their own risk management system. Defining the appropriate means to meet the risks is up to them [9]. The complex nature of risks in cyberspace, the low level of particular technical knowledge of the regulatory bodies, and the high technical development speed makes a purely rule‐based approach too complicated. A classic top down regulation by the state is not possible [4].
Often Public Private Partnerships are considered suitable means for solving this problem. Also at European level, a corresponding PPP, the European Public Private Partnership for Resilience (EP3R), was established in 2009 [4]. However, the idea of ensuring cyber security solely through PPP has proved difficult to implement. Robust empirical evidence of the success of a pure PPP approach still does not exist. The interests of the parties are too divergent. The commitment of the private side in the PPP often follows regulatory threats coming about [4]. Nonetheless, PPP elements can make a contribution to increasing cyber security of critical infrastructures. The technical expertise of the private side helps to compensate for a lack of sector specific technical understanding on the side of the rule‐setting regulator.
There is broad consensus in the literature that so called mixed regulatory responses are the best choice for the legislation of cybersecurity of critical infrastructures [4, 9]. Rule setting, elements of self‐regulation and stimulating market mechanisms are regarded to be most successful in combination. Regulators, on the one hand, get an instrument to check compliance of companies (with respect to the set of rules). Private sector actors, on the other hand, get the chance to define levels and measures of security improvement on their own, meanwhile they have to comply with basic government rules. Technological solutions for cybersecurity are stimulated by giving the market actor the freedom to ask for innovation to fulfil their own, majorly risk based interest in appropriate cybersecurity.
The advantages of a mixed approach are especially obvious with regard to the different security maturity of market operators. While small and medium enterprises have to comply with the minimum security requirements posed by the regulator, bigger and more security mature companies easily meet the regulators’ demand. For them, a risk‐based innovation of their security preparedness can be stimulated by regulation [9].
An important reference to the European discussion were the US policy plans for cybersecurity and critical infrastructure protection. With a Presidential Executive Order, adopted in 2013, together with a Presidential Policy Directive (so called PPD‐21), the US government set out the strategy and action points for cybersecurity of critical infrastructures. As several bills on cybersecurity failed in congress, the president’s initiative follows a completely voluntary approach for private companies. On the basis of PPD‐21, the US National Institute of Standards and Technology (NIST) issued a Cybersecurity Framework, a set of risk‐based cybersecurity standards that had been developed in close collaboration with industry [7]. In fact, as a result of long‐term disputes in congress, the Cybersecurity Act of 2015 has recently been passed. However, it doesn’t change the voluntary character of the technical and organizational standards issued by NIST. The US has decided to move forward with the soft‐law approach to cybersecurity standards.
29.2.1 EU Directive on Network and Information Security
European Institutions started to work on network and information security in 2001. One of the first steps was the implementation of a European Network and Information Security Agency (ENISA), based in Heraklion, Greece. Over the years, ENISA gained influence on the development of cybersecurity structures in the member states (see Table 29.1), assisting in building up Computer Incident Response Teams (CIRTs) and advising European Commission and Member States. Following this, European Commission and EU Council adopted various communications on critical information infrastructures and network and information security. In 2012, the European Commission started an impact assessment to cover policy options to improve the network and information security. The assessment involved many stakeholders in Europe, such as Member States, academics, private companies and the general public. The results were presented in 2013 [10]. Grounded on the findings of the impact assessment and framed by the strategic objectives of the simultaneously developed Cybersecurity Strategy of the European Union [11], the European Commission decided for regulatory action. Table 29.1Importance of sectors for NIS regulation. (European Commission [10])
Sector
No. of respondents who see the need to ensure NIS in this sector (in %)
Banking and finance
91.1
Energy
89.4
Health
89.4
Internet services
89.1
Public administrations
87.5
Transport
81.7
Based on the EU competence in harmonisation of the internal market pursuant to Art. 114 TFEU, the Commission submitted a proposal, which contained, on the one hand, obligations for Member States, and on the other, requirements for market participants. While Member States should strengthen their preparedness and cooperation, the market participants were required to improve the information security of their systems and to report cyber incidents to relevant authorities [7]. From the beginning,
the Commission’s proposal overarched the field of critical infrastructures (“operators of critical infrastructures”, later renamed to “operator of essential services”) and also took into account the providers of digital services, which were initially called “provider of information society services.” This was somehow a result of the impact assessment. Internet services were seen as one of the most important sectors for security of network and information systems.
As a result of a three‐year legislative procedure between the European Parliament, EU Council, and European Commission, an agreement was reached on a Directive Concerning Measures for a High Common Level of Security of Network and Information Systems Across the Union at the end of 2015 [12]. It contains three pillars. The first pillar obliges the EU Member States to step up their own structures for cybersecurity. The adoption of a national cybersecurity strategy (art. 7), the designation of one or more competent authorities (art. 8) and the establishment of a Computer Security Incident Response Team (CIRT) are mandatory. The second pillar is the establishment of a cooperation mechanism at EU level. EU and national measures to cybersecurity will be strategically coordinated in a permanent Cooperation Group, composed of representatives from Member States, European Commission, and the ENISA (art. 11). The more practical exchange about risks, incidents, and best practices will take place in a newly founded European CSIRTs Network (art. 12).
Digital Marketplaces Unleashed Page 41