The Network and Information Security Directive in the European Union
On December 7, 2015, the European Parliament and the Luxembourg Presidency of the Council of the EU reached a political agreement on common rules to strengthen network and information security across the European Union. The Network and Information Security (NIS) Directive was proposed by the European Commission in 2013 as part of the EU Cybersecurity Strategy, and its adoption was reaffirmed as a priority in the Commission’s Digital Single Market Strategy.
Xavier Bettel, Luxembourg’s Prime Minister and Minister for Communications and the Media, and President of the Council, said:
“This is an important step towards a more coordinated approach in cybersecurity across Europe. All actors, public and private, will have to step up their efforts, in particular by increased cooperation between member states and enhanced security requirements for infrastructure operators and digital services.”
What is it?
In its original intent, the Network and Information Security Directive was designed to ensure a high common level of cybersecurity in the EU, by:
- Improving Member States’ national cybersecurity capabilities
- Improving cooperation between Member States, and between public and private sectors
- Requiring companies in critical sectors – such as energy, transport, banking and health – as well as key Internet services to adopt risk management practices and report major incidents to the national authorities
Broadly, the five main elements of the proposed NIS Directive are:
- National strategy – Each Member State adopts a framework setting strategic objectives and priorities for the security of network and information systems at national level.
- Cooperation network – Each Member State designates competent authorities and computer security incident response teams (CSIRTs); a Cooperation Group handles strategic cooperation between Member States and a CSIRTs network handles operational cooperation and cross-border support.
- Security requirements – Operators of essential services and digital service providers must take appropriate security measures and notify significant incidents to the national authority.
- Use of standards – Member States encourage the use of European or internationally accepted standards to meet those security requirements, rather than prescribing particular technologies.
- Enforcement – Competent authorities receive powers to assess compliance, and Member States lay down penalties for infringements.
William Long’s article at ComputerWeekly explains each in generous detail. An article on the Willis Towers Watson blog suggests that the proposed framework “calls for stiff penalties to be imposed for non-compliance, with fines potentially reaching as high as 2% of a company’s global turnover, or up to €75 million for the most aggravated cases of complacency“. Note that those figures come from earlier proposals during the negotiations: the agreed text sets no fine levels of its own and instead requires each Member State to lay down penalties that are “effective, proportionate and dissuasive”, so the actual exposure will depend on national transposition.
In summary, the aim of the NIS Directive is to establish a common framework for cybersecurity across the EU and to prevent Member States from adopting divergent approaches to risk management and incident reporting for the service providers it covers.
Once agreed and then implemented in the Member States, the benefits of the NIS Directive will include:
- Citizens and consumers will have more trust in the technologies they rely on daily
- Governments and businesses will be able to rely on digital networks and infrastructure to provide their essential services at home and across borders
- The EU economy will reap the benefits of more reliable services and a culture of systematic risk management and incident reporting – creating more equal and stable conditions for anyone trying to compete in the Digital Single Market
So…what’s the controversy?
The NIS Directive has been controversial mainly over its scope of application: many Member States were sensitive about their sovereignty in security matters and concerned about the economic impact of this type of regulation on the companies it would cover.
The scope of application of the NIS Directive covers “operators of essential services”, and it obliges each Member State to identify such operators within its jurisdiction. An entity qualifies when all three of the following criteria are met:
- It provides a service that is essential for the maintenance of critical societal and/or economic activities
- The provision of that service depends on network and information systems
- An incident affecting those systems would have significant disruptive effects on the provision of that service
Operators of essential services are those serving an important role for society and the economy, drawn from the sectors listed in the Directive: energy, transport, banking, financial market infrastructure, health, drinking water supply and distribution, and digital infrastructure (such as Internet exchange points, DNS service providers, and top-level domain registries).
The scope of application also includes the providers of key digital services, namely cloud computing services, online search engines, and online marketplaces. Social networks are not covered, and micro and small enterprises (fewer than 50 employees and an annual turnover or balance sheet below €10 million) are excluded from the digital service provider obligations. The NIS Directive obliges both categories of operator to take appropriate and proportionate security measures and to notify the relevant national authority of incidents having a significant impact.
Additionally, the NIS Directive will improve national cybersecurity capabilities, since each Member State will be required to adopt a national strategy on the security of network and information systems. This strategy will set out strategic goals and the relevant policies and measures, and each Member State will designate one or more national competent authorities (plus a single point of contact) responsible for implementing and enforcing the Directive, as well as one or more Computer Security Incident Response Teams responsible for handling incidents and risks. These national structures are complemented by two EU-level bodies: a “Cooperation Group”, which supports strategic cooperation and the exchange of information and best practice among Member States and thereby builds trust between them, and a network of national CSIRTs for operational cooperation on specific incidents.
Is it completed and official now?
The agreement still needs to pass more steps before it takes effect. The agreed text has to be:
- Endorsed by the European Union Council’s Committee of Permanent Representatives and by the European Parliament’s Internal Market Committee, then formally adopted by the Council and by the Parliament in plenary, and
- Published in the Official Journal of the EU
The NIS Directive enters into force on the twentieth day after its publication in the Official Journal.
At last check, the Presidency was to present the agreed text for approval by Member States’ ambassadors at the Permanent Representatives Committee (“COREPER” – Comité des représentants permanents) on December 18.
Once the NIS Directive is in force, the EU Member States will have 21 months to transpose the directive into their national legislation, and a further six months after that to identify their operators of essential services.