On 17 May 2016, the Council of Europe formally adopted the Network and Information Security (NIS) Directive, a Commission proposal in response to increasing concerns about cyber-attacks and privacy breaches.
Agreed by Member States on 18 December 2015, the Directive aims to ensure a higher common threshold of cybersecurity across the EU through three main measures:
- Enhancing Member States' national cybersecurity capabilities by requiring Member States to define cybersecurity strategic objectives and regulatory measures;
- Creating a "Cooperation Group" to support and facilitate the exchange of information and develop trust between Member States. The Directive will also create a network of Computer Security Incident Response Teams (CSIRTs Network) to promote swift and effective cooperation on specific cybersecurity incidents and sharing information about risks; and
- Requiring operators of "essential services" (such as energy, transport, banking and health) to adopt a high level of risk management practices and notify serious incidents to national authorities. Some key digital service providers, such as search engines and cloud computing, will also be included in this cybersecurity regime.
The final stage before the Directive becomes effective EU law (expected August 2016) will be endorsement by the European Parliament, which is expected imminently. Upon its entry into force, the Member States will have 21 months to implement the Directive into their national laws, and 6 additional months to identify operators of critical services.
The Directive is expected to bring many benefits, including more trust in technology and e-services for customers, and the development of more reliable digital networks and infrastructure for Governments and organisations to better provide their essential services across the EU.
The NIS Directive is part of the Commission's wider strategy to build a Digital Single Market (DSM), through which the Commission has stated that the EU could create up to €250 billion in additional growth, thanks to the creation of new jobs and a more knowledge-based society. The EU economy could truly reap the benefits of the Directive: more reliable services, and an effective risk management and incident reporting system, could create more stable conditions for prosperous competition within the Digital Single Market.
The Directive is expected to impact a number of businesses in a wide range of sectors. Companies operating in the identified "critical sectors" are advised to urgently review their security policies in preparation for the new law.
Organisations that wish to participate in shaping EU cybersecurity practices can also take part in the "NIS Platform", which aims to develop incentives to adopt good practices, and to promote the development of secure Information and Communications Technology solutions.