On December 7, 2015, the European Parliament and the Luxembourg
Presidency of the Council of the EU reached an agreement on common
rules to strengthen network and information security across the EU.
The new network and information security Directive (the "NIS
Directive") was initiated under the 2013 EU Cybersecurity
Strategy following several incidents that highlighted the need to
prevent these cyber attacks in the most efficient way. The NIS
Directive constitutes the first and essential step for the
development of an EU harmonized framework for cybersecurity, as the
Commission announced in the Digital Single Market Strategy last
May.
The NIS Directive has been controversial in relation to its scope
of application because many Member States were sensitive to the
protection of their sovereignty in security issues and concerned
about the economic impact of this type of regulation.
In this context, the scope of application of the recent agreement
is more limited than the original, and it sets the first EU-wide
cybersecurity obligations for those businesses defined as certain key
digital service providers and operators of essential services
according to the NIS Directive. Operators of essential services are
those serving an important role for society and the economy,
including the transport, banking, financial market infrastructure,
energy, health, and water supply sectors.
The scope of application of the NIS Directive covers the
"operators of essential services," and it obligates
Member States to identify operators of these services within their
jurisdictions and to consider: (i) if the service they provide is
critical for the economy and society, (ii) whether it depends on
network and information systems, and (iii) whether a cybersecurity
incident could have significant disruptive effects on public
safety. The scope of application also includes the providers of key
digital services, such as cloud computing companies, search
engines, and online marketplaces. Social networks and small digital
companies (less than 50 employees) are excluded from the scope,
however. The NIS Directive obliges both types of operators to take
appropriate security measures and to notify the relevant national
authority concerning serious incidents.
Additionally, the NIS Directive will lead to the improvement of
national cybersecurity capabilities, since Member States will be
required to implement a national strategy in relation to the
Directive. This strategy will address the strategic goals and the
relevant policies and measures regarding cybersecurity issues and
will designate a national competent authority for the
implementation and enforcement of the NIS Directive, as well as
Computer Security Incident Response Teams responsible for handling
incidents and risks. However, the national strategy of each Member
State will be conducted under the strategic cooperation between
Member States, referred to as a "Cooperation Group." This
group's function is to support the NIS Directive's
functions and facilitate strategic cooperation and the exchange of
information among Member States, thereby developing trust among
them.
The aim of the NIS Directive is to establish a unified framework
for cybersecurity and to ensure that Member States will not adopt
different approaches to risk management and incident reporting for
affected service providers.
However, this agreement still needs to pass more requirements
before it goes into effect. It has to be approved by the EU
Parliament's Internal Market Committee and the EU Council's
Committee of Permanent Representatives and published in the EU
Official Journal, at which point the NIS Directive will be in
force. Once the NIS Directive is in force, the EU Member States
will likely have a 21-month period to implement the Directive into
their legislation and six months to identify their operators of
essential services.