Network Information Security Directive
It is possible that the Network Information Security Directive (NISD) will be agreed before the end of this year. The European Parliament and Council have each agreed versions and are reportedly in the final stages of trialogues with the Commission to reconcile the respective versions and produce final legislation. NISD, first published by the European Commission in early 2013, is intended to reduce the impact of cyber attacks in Europe and save billions of Euros.
NISD is set to impact on a wide range of organisations including e-commerce platforms, social networks, search engines, cloud computing services, app stores and energy suppliers. It will require organisations falling within the definition of "market operators" to take appropriate technical and organisational measures to manage risks posed to the security of networks and information systems and report "significant cyber security incidents" to regulators which member states will be required to set up.
Under the European Parliament's version, online companies would not be required to report cyber incidents and nor would government bodies. This is a very different proposition from the original Commission draft which would have imposed reporting requirements on both these categories.
The scope of NISD remains a sticking point in the trialogues. The Council proposals would allow Member States to decide whether (within certain pre-determined criteria) operators in particular sectors would be subject to the breach reporting requirements. Another issue is overlap with other regulation, for example, payment services regulations and data protection.
Cyber security has continued to move up the agenda over the course of 2014. The government published guiding principles on cyber security for ISPs and government at the end of 2013 and BIS launched its Cyber Essentials Scheme and guidance for business on how to mitigate against the risk of cyber attacks in the spring.
An international task force has been set up to tackle cybercrime to co-ordinate international investigations and actions against key cybercrime threats and the UK allocated £4m to fund a competition to help small businesses in the UK cyber sector grow and develop new solutions to tackle cybercrime threats. The European Banking Authority proposed new internet payment security guidelines and the financial services and data protection regulators are continuing to monitor cyber security issues closely.