Information systems (computing networks and databases) that enable essential services (such as energy, transport, banking and healthcare), businesses and the internet to function increasingly face malicious cyberattacks, which could lead to security incidents and disruption of essential services. The borderless nature of the internet means that an incident within one Member State can rapidly have a knock-on effect throughout Europe. Hence, an EU-wide cybersecurity solution was proposed by the Commission in 2013, as part of the EU Cybersecurity Strategy.
Last week, negotiators of the European Parliament, the Council and the Commission reached a consensus on the wording of the Network and Information Security (NIS) Directive. The Directive will set a common baseline level of mandatory cybersecurity measures and reporting of serious breaches to the national authorities, for essential service providers (i.e. businesses with an important role in society and the economy) and providers of key digital services (such as search engines and cloud computing providers). This will improve the resilience of network and information systems throughout Europe by increasing national cybersecurity capabilities (through adoption of a national NIS strategy) and co-operation on cybersecurity between Member States. A network of Computer Security Incident Response Teams (the CSIRTs Network) will also be established, to promote swift and effective operational co-operation on cybersecurity incidents and the sharing of information about risks.
Once the NIS Directive comes into force, Member States will have 21 months to implement the Directive into their national laws, and a further six months to identify operators of essential services.
"All operators that are likely to fall within the Directive should already be taking cybersecurity seriously and the Directive shouldn’t be requiring a major upheaval for them. The Directive is the EU's fist hitting the table and saying that it is now serious and companies need to stop merely paying lip service to cybersecurity," commented Simon Shooter, Partner, Bird & Bird LLP.