The European Union continues to move forward with a proposed unified framework to strengthen network and information security systems across its member countries. On December 18, 2015, the Permanent Representatives Committee (Coreper) approved a provisional agreement reached on December 7, 2015, by the European Parliament and European Council on the Network and Information Security Directive (“Cybersecurity Directive”). The Cybersecurity Directive, which was first proposed in 2013, sets forth a multifaceted approach to preventing and responding to cybersecurity incidents by regulated public and private entities. Following the initial proposal, EU member states debated the applicable scope of the Cybersecurity Directive. However, the recent provisional agreement provides a set of clear criteria and requirements for enhancing cybersecurity and addresses two types of entities to be regulated: “operators of essential services” and “digital service providers.” The Cybersecurity Directive would therefore regulate online marketplaces such as eBay and Amazon and search engines such as Google but would provide an exemption for micro and small digital providers.
The Cybersecurity Directive requires member states to adopt the cooperative strategy it outlines for regulating cybersecurity within the EU, to create a computer security incident response team that addresses and responds to cross-border security incidents among EU nations, and to establish a unified strategic cooperation group that encourages member states to exchange information.
The Cybersecurity Directive sets up guidelines for companies that are “operators of essential services” within the energy, transport, banking, financial market infrastructure, health, water and digital infrastructure sectors. There are three criteria that bring a company within the definition: first, the company provides a service critical for society and the economy; second, the service depends on network and information systems; and third, a cybersecurity incident could have significant disruptive effects on service provision or public safety. Once the companies that provide these critical services are identified, the Cybersecurity Directive would require them to report major security breaches as well as implement minimum standard measures to resist cyber attacks.
The Cybersecurity Directive is expected to enhance cooperation among the member nations of the European Union and increase citizen confidence in network security. The agreement must go through a finalization process that includes formal approval by the European Parliament. This process is expected to conclude in spring 2016, and will provide member nations with 21 months to enact the necessary legislation and an additional six months to identify the “operators of essential services” and “digital service providers” covered by the Cybersecurity Directive.