After almost three years, consensus has finally been reached on the text of the Network and Information Security (“NIS”) Directive, the first EU-wide cybersecurity legislation. The NIS Directive (or Cybersecurity Directive) lays down baseline cybersecurity obligations and mandatory breach reporting obligations on critical infrastructure operators and digital service providers across the EU.
The Directive also envisages a “strategic cooperation group”, with the aim of encouraging Member States to exchange information and best practices on cybersecurity breaches. In addition, Member States will be required to set up Computer Security Incident Response Teams (CSIRTs) to handle incidents and identify coordinated responses alongside the other Member States.
The announcement, made on 7 December 2015, has been a long time coming. Work on the Directive first began in February 2013, and the text has since been under trilogue negotiations between the European Commission, Parliament and Council.
Who Does It Apply To?

The Directive will apply to companies that provide an “essential service” in the energy, transport, banking, financial market, health and water supply sectors. The trilogue has set down a list of criteria for determining which companies provide an “essential service”, but ultimately it will be for each Member State to make this decision.
Digital Service Providers, such as online marketplaces, search engines and cloud computing services, will also fall within the scope of the Directive. Their inclusion has been one of the more contentious aspects of the negotiations, with the Commission arguing for it and Parliament against. A compromise has been reached, however: a lighter regulatory regime will apply to Digital Service Providers, compared with the stricter regime imposed on critical infrastructure operators.
What Requirements Does It Impose?

Under the Directive, critical infrastructure operators will need to ensure that the digital infrastructures they use to deliver essential services are “robust enough to resist cyber-attacks”. They must also report serious security breaches to public authorities. Digital Service Providers have similar, albeit less strict, obligations: they must ensure their infrastructures are “secure” and must report any major security breaches.
Organisations may also be subject to additional, country-specific obligations. This is because the Directive sets down “baseline” obligations, giving Member States the freedom to impose additional security requirements.
Affected organisations must therefore ensure they carry out system-wide security reviews, and put procedures in place to prevent, manage and respond to breaches.
When Does It Come into Force?

At present, the Directive still needs to be formally approved. This is expected to take place on 18 December 2015. Once finalised and published, Member States will have 21 months to transpose the Directive into their national law. A further six months will be allowed for Member States to identify which operators provide an “essential service”.