In December, EU institutions agreed the details of an EU wide cyber-security directive; the first of its kind. The Network and Information Security Directive (NIS Directive) is intended to strengthen and improve the resilience of network and information systems in Europe.
A significant number of businesses and individuals are reliant on digital technologies, networks and services to conduct their day-to-day life. Given the ever-present nature of cross-border commerce, cybersecurity incidents can have a major impact on companies, and consequently, Europe’s wider economy. The NIS Directive hopes to minimise this effect by implementing a more secure and consistent system which EU sectors can rely on.
What is the Directive?
The Directive’s key provisions can be split into two areas. Firstly, the EU aims to impose a minimum level of security for digital technologies, networks and services across all EU Member States. Businesses that are subject to the NIS Directive will be required to put in place appropriate measures to protect networks and data against cyber security incidents.
Secondly, incidents having a serious impact on the security of core services provided will have to be reported to the competent national authority. The national authority may require that the public be informed of the incident but an announcement will not be mandatory under the NIS Directive. The national authority should consider the wider public interest when coming to this decision.
Who is caught under the Directive?
According to the various statements released by the EU institutions, a two-tiered framework will exist under the NIS Directive, catching both ‘Essential Services’ and ‘Digital Service Providers’.
Essential Services
The Directive lists a number of critical services in which operators of essential services are active, such as energy, transport, finance and health – more will be included in the Directive. Within these sectors, Member States will have to identify concrete “operators of essential services” using the following criteria:
- whether the service is critical for society and the economy;
- whether it depends on network and information systems; and
- whether an incident could have significant disruptive effects on its provision or public safety.
Digital Service Providers
Digital service Providers, including cloud computing providers, search engines and online marketplaces will also be subject to the NIS Directive. However, initial suggestions point towards a lighter regime than operators of essential services.
Both will be expected to comply with the NIS Directive to some degree.
What’s next?
After the official text of the NIS Directive is published, it will need to be signed by the Presidents of Parliament and the Council, followed by a publication in the Official Journal. Member States will then have 21 months to implement this Directive into their national laws and 6 months more to identify operators of essential services.
Beverley Flynn