Cyber Security update
Published 1 September 2016
Network and Information Systems Directive published in Official Journal
On 19 July 2016, the Directive on security of network and information systems (the "NIS Directive") was published in the Official Journal of the European Union. Member States have until 9 May 2018 to transpose the NIS Directive into national law.
The NIS Directive arose as part of the EU cyber security strategy and aims to harmonise cyber security requirements and improve cyber resilience across the EU. Member States are obliged to adopt a national strategy on the security of network and information systems, set up one or more Computer Security Incident Response Teams ("CSIRTs") and designate a competent national authority. The NIS Directive also establishes an EU-level Cooperation Group, to support strategic cooperation between Member States, and a network of national CSIRTs, to facilitate operational information sharing.
Member States will also have until 9 November 2018 to identify "operators of essential services" within their jurisdiction. These are services that are critical for society and the economy, and whose continuity would be significantly disrupted by a cyber incident. The sectors covered include energy, transport, banking, health and drinking water supply. Operators are required to take appropriate and proportionate technical and organisational measures to manage the risks to their networks and information systems, and to notify incidents having a significant impact on the continuity of the essential service to the competent national authority or CSIRT without undue delay.
The NIS Directive also applies to certain digital service providers, namely online marketplaces, online search engines and cloud computing services. Unlike operators of essential services, these providers do not need to be individually identified by Member States; the obligations apply directly to providers within scope. They too must take measures to ensure the security of their network and information systems and must notify incidents having a substantial impact on the provision of their services to the competent national authority. However, the security and notification requirements for these providers are lighter than those for operators of essential services.
Competent authorities will have the power to require operators of essential services to provide information and evidence of the effective implementation of their security policies, such as the results of a security audit, at any time, and may issue binding instructions requiring operators to remedy any deficiencies identified. In line with the "lighter touch" approach for digital service providers, supervision of these providers will be reactive: competent authorities are expected to take action only where they receive evidence that a provider has not met the requirements. Penalties are not specified in the NIS Directive; Member States must set their own, which are required to be effective, proportionate and dissuasive.
EU public-private partnership on cybersecurity announced
As part of the EU cyber security and digital single market strategies, the Commission has launched a new contractual public-private partnership that aims to foster cooperation on research and innovation in the cyber security sector and to build cyber security solutions for essential sectors such as energy, health, transport and finance. The EU will invest €450 million in the partnership, and expects private partners to invest three times that amount.
EU carries out review of ENISA
The Commission has set out a roadmap for an evaluation of the European Union Agency for Network and Information Security ("ENISA"). In view of the changes in the cyber security regulatory and policy landscape, in particular the adoption of the NIS Directive, which foresees new tasks for ENISA, the Commission considers that the review is required to ensure that ENISA's objectives, mandate and tasks remain appropriate.
The NIS Directive provides that ENISA should assist Member States, the Commission and the Cooperation Group by providing expertise and advice and by facilitating the exchange of best practice. ENISA should also be involved in developing guidelines on sector-specific criteria for determining the significance of the impact of an incident.