The European Council has formally adopted the National Information Security Directive (NIS Directive). The NIS Directive was proposed by the European Commission in 2013 and is designed to:

  • improve Member States’ national cyber security capabilities;
  • improve co-operation between Member States, and between public and private sectors; and
  • ensure that “operators of essential services” in critical sectors (such as energy, transport, banking and health) and “digital service providers” (such as providers of online marketplaces, search engines and cloud services) adopt risk management practices and report major cyber incidents to the national authorities.

Member States will be required to adopt a national NIS strategy and establish a NIS authority which can prevent, handle and respond to cyber threats and incidents.

The NIS Directive must now be approved by the European Parliament and is expected to enter into force in August 2016. Member States will then be given 21 months to adopt national law implementing the NIS Directive.

It is important to remember that whilst the NIS Directive is aimed at specific organisations, cyber security is a live issue that should be on every organisation’s agenda. The adoption of the NIS Directive is a timely reminder that all organisations should be proactive in identifying and mitigating cyber threats, with robust internal policies and processes in place.