As member states move to implement the European Commission's first piece of EU-wide legislation on cybersecurity into their national laws, agendaNi outlines the implications of the NIS Directive.
Plans to implement joined-up network and information security were first put forward in 2013, but the Directive on security of network and information systems (NIS Directive) was not adopted by the European Parliament until 6 July 2016, entering into force in August of that year.
According to a 2016 survey by the European Commission, more than 80 per cent of EU companies have experienced one or more cybersecurity incidents, and the number of security incidents across all industries worldwide rose 38 per cent in 2015. The directive, which aims to protect the European online economy from cyber threats, also seeks to increase cooperation on cybersecurity amongst member states and organisations within the EU.
In particular, it focuses on protecting the key areas of a country's infrastructure, such as energy, transport, health and finance, and places a duty on organisations within these sectors to report cybersecurity breaches. However, the directive also extends to areas including cloud storage, search engines, internet exchanges and e-commerce sites, which are required to cooperate by sharing information on security breaches.
Some of the key elements of the directive include:
- member states are required to be appropriately equipped via a Computer Security Incident Response Team (CSIRT) and a competent national NIS authority;
- establishment of a cooperation group to ensure information sharing between member states, and of a CSIRT Network to promote swift and effective operational cooperation on specific cybersecurity incidents and sharing of information about risks;
- identification by member states of operators of essential services, and a requirement on these operators to notify serious incidents to the relevant national authority. Key digital service providers will also be required to comply with security and notification requirements; and
- as an EU directive, rather than a regulation, it obliges member states to pass domestic laws to apply its rules, which are expected to come into full effect in May 2018. It is expected to address some jurisdictional challenges facing a number of industry sectors across Europe.
Welcoming the adoption of the Directive, European Commission Vice-President Andrus Ansip said: “If we want people and businesses to make the most of digital services, they need to trust them. A digital single market can only be created in a secure online environment. The rules adopted create the right conditions for people and businesses to use digital tools, networks and services in the EU with confidence.”
Commissioner Günther H. Oettinger added: “I am now calling on member states to make the most of new cooperation mechanisms and to support the additional initiatives on cybersecurity. Cooperation with the industry is also essential. All these initiatives reinforce each other and are vital if we want our digital economy and society to thrive.”
Even as Britain prepares to leave the EU, the timing of the directive means that it will still need to implement it in full until its exit is complete. While it is not clear what stance Britain will take on voluntarily aligning with the EU's policies after its exit, any British organisation processing data for EU residents will still be governed by the directive. Post-Brexit, the UK will still need to ensure it finds a way to be considered a country with an adequate level of data protection, and aligning with the EU directive is viewed as safeguarding the trust of global customers.
Alongside the directive, the Commission launched a public-private partnership that is expected to trigger €1.8 billion of investment by 2020. The partnership is part of a series of initiatives to better equip Europe against cyber-attacks and to strengthen the competitiveness of its cybersecurity sector. The aim of the partnership is to foster cooperation at early stages of the research and innovation process and to build cybersecurity solutions for various sectors.