In 2013 the EU Commission put forward a proposal for a Directive to ensure a high common level of network and information security (NIS) in the EU. After the usal lengthy negotiation and some compromises, the European Parliament and the Luxembourg Presidency of the EU Council of Ministers reached an agreement on the rules on 7 December. The proposed Directive will:
· improve cybersecurity capabilities in Member States
· improve Member States’ cooperation on cybersecurity
· require operators of essential services in the energy, transport, banking and healthcare sectors, and providers of key digital services like search engines and cloud computing, to take appropriate security measures and report incidents to the national authorities.
Next steps
Following this political agreement, the text will have to be formally approved by the European Parliament and the Council. After that it will be published in the EU Official Journal and will officially enter into force. Member States will have 21 months to implement this Directive into their national laws and 6 months more to identify operators of essential services.
Cornerstones of the NIS Directive
Improving national cybersecurity capabilities
Member States will be required to adopt a national NIS strategy defining the strategic objectives and appropriate policy and regulatory measures in relation to cybersecurity. Member States will also be required to designate a national competent authority for the implementation and enforcement of the Directive, as well as Computer Security Incident Response Teams (CSIRTs) responsible for handling incidents and risks.
Improving cooperation
The Directive will create a ‘Cooperation Group’ between Member States, in order to support and facilitate strategic cooperation and the exchange of information among Member States and to develop trust and confidence amongst them. The Commission will provide the secretariat for the Cooperation Group. The Directive will also create a network of Computer Security Incident Response Teams, known as the CSIRTs Network, in order to promote swift and effective operational cooperation on specific cybersecurity incidents and sharing information about risks. The EU Agency for Network and Information Security (ENISA) will provide the secretariat for the CSIRTs Network.
ENISA will play a key role in many aspects of the Directive, particularly in relation to cooperation
Security and notification requirements for operators of essential services
Businesses with an important role for society and economy, referred in the Directive as “operators of essential services”, will have to take appropriate security measures and to notify serious incidents to the relevant national authority.
The Directive will cover such operators in the following sectors:
· Energy: electricity, oil and gas
· Transport: air, rail, water and road
· Banking: credit institutions
· Financial market infrastructures: trading venues, central counterparties
· Health: healthcare providers
· Water: drinking water supply and distribution
· Digital infrastructure: internet exchange points (which enable interconnection between the internet’s individual networks), domain name system service providers, top level domain name registries
Member States will identify these operators on the basis of criteria, such as whether the service is essential for the maintenance of critical societal or economic activities.
Security and notification requirements for digital service providers
Important digital businesses, referred to in the Directive as “digital service providers” (DSPs), will also be required to take appropriate security measures and to notify incidents to the competent authority. The Directive will cover the following providers:
· Online marketplaces (which allow businesses to set up shops on the marketplace in order to make their products and services available online)
· Cloud computing services
· Search engines
In line with the objectives of the Digital Single Market strategy, the Directive aims to establish a harmonised set of requirements for digital service providers, so that they can expect similar rules wherever they operate in the EU.
Comment
DigitalEurope has given a guarded welcome to the agreement on the Cybersecurity Directive.
It states that while the agreed text successfully solves the difficult question of jurisdiction for digital service providers, which is one of the most important issues covered by the proposed law. This issue was a key element for all negotiators to make sure this law takes a ‘light touch’ approach to regulation.
According to DigitalEurope, digital service providers will now look to authorities in the country where their European headquarters are based for guidance on security measures, incident reporting and regulatory oversight, instead of in all 28 EU Member States. Such a system will avoid multiple overlapping and potentially contrary processes and controls that would have bogged down security teams in compliance rather than security innovation.
DigitalEurope states that it is not convinced, however, that the scope of services covered by the proposed Directive is proportionate to the risk. The inclusion of all cloud services and online marketplaces means virtually all ICT services are covered, whether they are critical to the economy and society or not. This means it will be especially important to get the implementation of this law right. As Member States transpose the Directive into national law and produce implementation guidance they should look to build upon existing best practices. Member States should recognise well-established international standards that have strong market adoption, and incident reporting should be as simple and efficient as possible.
