At a trialogue meeting on December 7, the Luxembourg Presidency of the Council of the European Union reached agreement with the European Parliament on common rules to strengthen network and information security (NIS) across the EU. The new directive will set out the first ever EU-wide cybersecurity obligations for operators of essential services and digital service providers. Essential service sectors include energy, transport, banking, financial market, health and water supply. Operators in essential service sectors and digital service providers will be required to take measures to manage cyber risks and report major security incidents, but the two categories will be subject to different regimes. For many such organizations, the NIS Directive constitutes the first breach reporting requirement in Europe.
The draft rules also contemplate the establishment of a strategic cooperation group to facilitate the exchange of information and best practices among member states. In addition, a network of national Computer Security Incidents Response Teams (CSIRTS) will be established to discuss cross border security incidents and identify coordinated responses.
Agreement was reached only after a number of compromises by all sides with the result that the agreement may not be considered to be ideal from a number of perspectives.
On the plus side, it will be down to Member States to identify which entities fall within the scope of “operators of essential services” within their jurisdictions. Specific criteria for such determinations include whether the service is critical for society and the economy, whether it depends on network and information systems and whether a cybersecurity incident could have significant disruptive effects on public safety.
On the down side, “digital service providers” will be caught if they fall in scope of the definitions of “search engines”, “e-commerce marketplace” and “cloud computing” with an exemption for small companies (under 50 employees). A compromise was reached to exempt “social networks”. We understand that there will be no individual identification of companies by Member States though each company will be regulated only by a ‘home’ Member State.
The European Parliament was keen to secure legal clarity through “implementing acts” thereby ensuring that Member States will not be able to take different approaches to risk management and incident reporting for digital service providers. It is expected that this work will probably be developed by the European Agency for Network and Information Security (ENISA) with the involvement of stakeholders after the draft rules have been drawn up. Digital service providers will watch this space with particular interest.
At present, the news is that political agreement has been reached and at this point, no detailed text is available. The Presidency is due to report on progress on the draft Directive at the next Transport, Telecommunications and Energy Council meeting this coming Friday, December 11th so more detail may emerge in the meeting’s minutes.
The provisionally agreed text still needs to be formally approved by the Parliament’s Internal Market Committee and the Council Committee of Permanent Representatives. Member States are likely to be required to implement the Directive within 21 months of the date of entry into force of the Directive.