On May 17, 2016, the European Council formally adopted the Network and Information Security Directive (the “NIS Directive“) at first reading. According to the Council press release, the NIS Directive is meant to increase cooperation among EU Member States on the vital issues of cybersecurity.
The NIS Directive was first proposed by the European Commission in 2013 as part of the EU’s Cyber Security Strategy. The formal adoption of the NIS Directive by the Council follows on from the political agreement reached in December 2015. It must now be approved by the Parliament at second reading. The NIS Directive is expected to enter into force in August 2016, after which Member States will have 21 months to implement it into their national laws.
The key elements of the NIS Directive include:
- a requirement for “operators of essential services” in critical infrastructure sectors (e.g. energy, transportation, healthcare and banking) and digital service providers (e.g. search engine operators, cloud computing services and ecommerce platforms) to implement appropriate technical and organisational measures to manage security risks and to notify the national competent authority of serious incidents;
- the adoption by Member States of a national strategy to include policies and measures to maintain a level of network and information security;
- the designation of a national competent authority to implement and enforce the NIS Directive and create Computer Security Incident Response Teams (“CSIRT”) responsible for investigating data security incidents and cybersecurity risks; and
- the creation of a Cooperation Group to support and facilitate strategic cooperation and information exchange between Member States and a CSIRT Network to “promote swift and effective operational cooperation on specific cybersecurity incidents and sharing information about risks.”
Preparations for the implementation of the NIS Directive are underway and the CSIRT network has already held two informal meetings.