Supporting cybersecurity: The NIS Directive

As the global threat to data and security continues to loom large, the EU have sought to bolster their defences with their first-ever comprehensive piece of legislation on cybersecurity. agendaNi assesses the implications of the NIS Directive.

The issue of cybersecurity is one which has gained heightened prominence over recent years. Security breaches of the NHS, HM Revenue and Customs and British Airways have confirmed what experts have long forewarned: that hackers and cyber-attackers are becoming increasingly competent and audacious in their attempts to compromise the defences of huge organisations across both the private and public sectors.

As the capabilities of would-be cyber-attackers continue to develop, so has the legislation of the European Union, which seeks to enhance its security to face the mounting threat. The Directive on the security of network and information systems (the NIS Directive) was adopted by the European Parliament in July 2016, before being entered into force a month later in August 2016. EU member states now approach 2018’s November deadline which requires that they transpose the Directive into their national laws and identify operators of essential services.

As the first piece of EU-wide legislation on cybersecurity, the Directive will provide essential legal measures to boost the overall security of the European territories. As part of these legal measures, the Directive will encourage a culture of preparedness amongst member states by establishing several bodies, including a Computer Security Incident Response Team (CSIRT) as well as a competent national NIS authority in each state. The EU will also encourage cooperation amongst member states by setting up a cooperation group, allowing the facilitation of strategic information as well as operational coordination on specific cybersecurity incidents and risks.

The Directive has been enacted at a time when cybersecurity is a growing concern amongst governments, businesses and private individuals. However, the legislation emphasises the importance of protecting key economic and infrastructural players from cyber threats, identified by the EU as “vital for our economy and society”. Included in these operators of essential services are the energy, transport and water sectors, as well as banking, healthcare, financial market infrastructures and digital infrastructure, all of which are obliged by the Directive to take appropriate security measures and to notify serious incidents to the relevant national authority. Key digital service providers such as online marketplaces, cloud computing services and search engines are also identified as being obliged to fulfil the same reporting demands. 

The EU have called for the implementation of the Directive to be “swift and effective”. In order to quicken the pace of the Directive’s implementation, the “NIS toolkit” provides practical information to member states by presenting best practices from the Member States and by providing explanation and interpretation of specific provisions of the Directive to clarify how it should work in practice.

Indeed, the Directive has been issued with a degree of urgency from the European Union, which is visible from the text seen within the document. “The magnitude, frequency and impact of security incidents are increasing, and represent a major threat to the functioning of network and information systems,” reads the Directive. “Such incidents can impede the pursuit of economic activities, generate substantial financial losses, undermine user confidence and cause major damage to the economy of the Union… the security of network and information systems is therefore essential for the smooth functioning of the internal market.”