On 7 December 2015, Europe adopted its first set of cyber security rules in a European Directive concerning measures to ensure a high common level of network and information security across the EU (“NIS Directive”).
The NIS Directive, as confirmed by Neelie Kroes (Vice-President of the European Commission responsible for the Digital Agenda) is set to “reduce fragmentation caused by 28 different markets, 28 rulebooks, 28 referees and 28 mind-sets” in the cybersecurity space by requiring operators of critical infrastructures (energy, financial market, health, water supply, transport, banking etc.) but also key providers of information society services (e-commerce platforms, social networks etc.) to adopt appropriate steps to ensure that they are resilient to cyber-attacks and mechanisms to report serious incidents to the national competent authorities.
Member States will be required to identify operators of critical infrastructures from the above sectors using criteria such as: whether the service is critical for society and the economy; whether it depends on network and information systems; and, whether an incident could have significant disruptive effects on its provision or public safety. The devil will be in the detail of how such criteria interpreted by Member State authorities. Increased cooperation across Member States on these matters is encouraged through the development of a strategic cooperation group to exchange information and best practices, manage cross border incidents, develop guidelines and coordinated responses and assist each other in cybersecurity capacity building.
In February 2013, the European Commission adopted a proposal for the NIS Directive. The proposal was presented as part of a Communication entitled ‘An Open, Safe and Secure Cyberspace’, where the Commission outlined its legislative priorities indicating that:
Information and communications technology has become the backbone of our economic growth and it’s a critical resource which all economic sectors rely on. It now underpins the complex systems which keep our economies running in key sectors such as finance, health, energy and transport; while many business models are built on the uninterrupted availability of the Internet and the smooth functioning of information systems.
A number of action lines were identified as having a high priority:
- Achieving cyber resilience
- Drastically reducing cybercrime
- Developing cyberdefence policy and capabilities related to the Common Security and Defence Policy (CSDP)
- Developing the industrial and technological resources for cybersecurity
- Establishing a coherent international cyberspace policy for the European Union and promote core EU values.
In respect of substantive legal measures, the NIS Directive is the main action to ensuring a secure and trustworthy digital environment.
The text needs to be formally approved by the European Parliament’s Internal Market Committee and the Council Committee of Permanent Representatives.