EU Directive on Network and Information Security: Consultation

May 27, 2013

The European Commission published a proposal for a directive for network and information security on 7 February 2013. This was accompanied by a cyber security strategy that contains non-legislative measures on a broad range of issues. These documents can be found on the European Commission website.

The government is preparing an initial impact assessment on the potential effects of the directive in the UK and has launched a call for evidence to gather data to inform the evidence base for this assessment. Further details can be accessed here. The period for submissions ends on 21 June.

The preference for submitting evidence is via the online response form. However evidence can be submitted in a number of ways as explained in the document.

The consultation document states that the UK shares the Commission’s desire to improve levels of network and information security across the EU – the government wants to ensure that the internal market is a safe place to do business and that Member States know who to contact in the case of a cyber incident and can work together effectively. While supportive of the broad objectives the Directive is seeking to achieve, the government states that it needs to ensure that the proposals create the right incentives for the private sector to share information, best practice and good governance.

The proposed Directive covers the following main issues:

· it obliges all Member States to produce a national cyber security strategy and establish a CERT and a competent authority for cyber security;

· it mandates information sharing between Member States, as well as the creation of a pan-EU cooperation plan and coordinated early warnings for cyber incidents;

· it mandates compulsory reporting of security breaches that have a significant impact on the provision of core services to a ‘national competent authority’ that would enforce the Directive. The sectors this would apply to include public administration, the finance, energy, transport and health sectors, as well as ‘enablers of internet society services’, which include app stores, cloud service providers, social networks and e-payment providers.

The Call for Evidence aims to gather data to inform an initial impact assessment on the potential effects of the Directive in the UK.