On 6 July 2016, the Directive on Security of Network and Information Systems 2016/1148 (“NIS Directive”) was adopted by the European Parliament and Council. As the threat posed by cybercrime, online industrial surveillance and attacks on critical infrastructure is growing, the introduction of specific laws in this area across the EU will have a significant impact.
The NIS Directive is the main legislative proposal under the 2013 EU Cybersecurity Strategy. The Directive seeks to work against the continuous threat of cybercrime and online industrial surveillance.
The Directive provides minimum standards of cyber security across the EU for private and public operators of "Essential Services" and Digital Service Providers (“DSPs”). Essential Services include energy, transport, banking, health, water, financial market and digital infrastructures, while DSPs include providers of online marketplaces, cloud computing services and search engines.
The main objectives of the Directive include:
Cybersecurity at National Level:
EU Member States will:
- Adopt a national strategy on the security of network and information systems;
- Designate one or more national competent authorities to supervise the application of the NIS Directive;
- Designate a point of contact to liaise with other Member States and ensure cross-border co-operation; and
- Designate Computer Security Incident Response Teams (“CSIRTs”) to monitor, respond and report on national level incidents.
Cybersecurity at EU Level:
- Establishment of a co-operation group comprised of representatives from Member States, the Commission and the ENISA (the European Union Agency for Network and Information Security). This group will plan, support and share information with Member States. In addition, they will report to the Commission on a 1.5 yearly basis on the functioning of the NIS Directive.
- Establishment of a CSIRT Network: The Network will exchange information on CSIRT services and incidents, support cross-border handling and create a report two years after entry into force of the NIS Directive, reviewing the functionality of the operational co-operation.
Operators of Essential Services and Digital Service Providers:
- These will be responsible for the prevention of risks and handling of incidents on the network systems that they use in their operations. They will identify and notify incidents having a “significant impact on the continuity of essential services,” to the relevant national authority or CSIRT. Notifications will be made based on the number of users affected, duration of the incident and the geographic spread. This system will facilitate cross-border co-operation in respect of notifications across Members States. Security of essential services and digital services will be enhanced with possible notifications leading to public consultations and awareness of ongoing incidents. This will result in a lower rate of disruption to the functioning of the above-mentioned essential and digital services for users.
Member States now have 21 months in which to transpose the Directive into national laws. Member States will also have an additional six months to identify their operators of Essential Services as required by the Directive.
Implications of the new directive
The NIS Directive will provide greater security for EU citizens on the reliability of digital networks. In addition, co-operation and incident-reporting between Member States will increase with the establishment of the ENISA and CSIRT Networks. These advancements will create a more equal and accessible Digital Single Market for businesses and consumers alike.
It is not clear yet how Brexit may possibly impact upon implementation of these measures in the UK; while Ireland will continue to conform to EU standards post-Brexit, the UK may not.