Network and Information Security (NIS) Directive

Subscribe to Network and Information Security (NIS) Directive

In January, the UK government confirmed that it will be implementing the EU’s Network and Information Security Directive (NIS Directive) regardless of Brexit. EU countries have until 9 May 2018 to implement the Directive into their national laws. Given Brexit, the UK government confirmed in its Cyber Security Regulation and Incentives Review that details of the UK’s implementation of the NIS Directive will be released in 2017.
Continue Reading NIS Directive to be implemented in UK despite Brexit

The Council of the European Union adopted the EU Network and Information Security (NIS) Directive (the ‘Directive’) 17 May, ready for final adoption by the European Parliament. The Directive, initially proposed in 2013, has been progressing through the EU legislative procedure for some time. As we reported in December last year, the Directive covers

After almost three years, consensus has been finally reached on the text of the Network and Information Security (“NIS”) Directive, the first-ever, EU-wide cyber security regulation. The NIS Directive (or Cybersecurity Directive) lays down baseline cybersecurity and mandatory breach reporting obligations on critical infrastructure operators and digital service providers across the EU.

The Directive also envisages a “strategic cooperation group”, with the aim of encouraging Member States to exchange information and best practices on cybersecurity breaches. In addition, Member States will be required to set up Computer Security Incident Response Teams (CSIRTs) to handle incidents and identify coordinated responses alongside the other Member States.

The announcement, which was made 7 December 2015, has been a long time coming. Work on the Directive first began in February 2013, and has since been under trilogue negotiations between the European Commission, Parliament and Council.
Continue Reading A New EU Era of Cybersecurity on the Horizon

On 25 July 2015 in Germany, the new IT Security Act entered into force. The law aims to improve IT security in companies and public bodies, especially in the field of critical infrastructure, thus stipulating minimum security standards and reporting obligations for operators and providers of communication systems.

The law will affect institutions listed as “critical infrastructure” such as energy, information technology, telecommunications, transport and traffic, health, water, and food supply, as well as finance and insurance firms.
The new cyber-security law obliges firms and federal agencies to certify for minimum cyber-security standards and obtain Federal Office of Information Security (BSI) clearance. Operators of critical infrastructure will have to report significant security incidents and even suspected cyber-attacks to the BSI. It gives companies two years to introduce cyber-security measures. Fines of 100,000 Euro for non-compliance will be enforced.

Continue Reading Germany passes new cyber-security law

U.S. tech giants, like Google and Facebook, found themselves caught between the European Parliament and the European Commission as disagreements continue as to whether Internet service providers should be included within the definition of ‘market operators’ in the Proposed Directive on Network and Information Security (IP/13/94) (the ‘Directive’). Currently, the EU Commission would like to see both search engines and social networks included, whereas the European Parliament prefers a common European framework focusing on critical infrastructure only, such as financial services and power stations.

The EU Parliamentary view is that broadening the scope of the Directive risks undermining the aim of the law which is to protect key or critical services, whereas including ISPs, and as a consequence some U.S. tech giants, would require the tech giants to report global cyber attacks to each of 28 member states’ respective regulators. Those arguing against ISP inclusion argue that they are already highly regulated, and that many of the requirements contained in the proposed Directive are already provided for by commercial contracts and service level agreements, and that the introduction of additional legislation would create added complexity and have a negative impact on innovation within the tech industry.
Continue Reading Tech giants caught between EU disagreements on scope of Proposed Network and Information Security Directive

In July, the European Commission (‘Commission’) published a communication titled “Towards a thriving data-driven economy” (‘Communication’), setting out the conditions that it believes are needed to establish a single market for big data and cloud computing. The Communication recognizes that the current legal environment is overly complex, creating “entry barriers to SMEs and [stifling] innovation.”

The Cyber Security Directive (formally known as the Network & Information Security Directive) (the Directive) was considered by the European Parliament (the Parliament) in March. After a first reading of the Directive, MEPs voted strongly in favour of its progression to the next stage of the legislative process. This will involve negotiations between the European

The Committee on Civil Liberties, Justice and Home Affairs (LIBE) of the European Parliament has published the latest draft of the proposed Network and Information Security (NIS) Directive (the ‘Directive’) following a series of amendments by MEPs. The proposal for the Directive was first published by the European Commission 7 February 2013 as part of

ENISA, the European Union Agency for Network and Information Security, has released a series of reports and guidance tackling the topic of cyber security.

  • ENISA Threat Landscape (ETL) Report 2013
    The report reviews more than 250 incidents of cyber attacks that took place in 2013.  A table in the report analyses fluctuations in the top

The UK Government Department for Business, Innovation and Skills (BIS) has issued an impact assessment (IA) at the end of September on the draft Network and Information Security Directive (the Directive) proposed by the European Commission on 7 February 2013. The Directive aims to achieve a common high level of network and information security across