The European Parliament has agreed on a network and information security (NIS) directive (in Dutch: Netwerk- en Informatiebeveiliging, the NIB-richtlijn). Setting common cybersecurity standards and stepping up cooperation among EU countries will help firms protect themselves, and will also help prevent attacks on the interconnected infrastructure of EU countries. The NIS directive "is also one of the first legislative frameworks that applies to platforms. In line with the Digital Single Market strategy, it establishes harmonised requirements for platforms and ensures that they can expect similar rules wherever they operate in the EU". This is a big first step towards a comprehensive regulatory framework for platforms in the EU. Member states will also have to set up a network of Computer Security Incident Response Teams (CSIRTs) to handle incidents and risks, discuss cross-border security issues and identify coordinated responses. HSD partner NCSC (the Dutch National Cyber Security Centre) is one of those CSIRTs. The European Network and Information Security Agency (ENISA) will play a key role in implementing the directive, particularly in relation to cooperation. The need to respect data protection rules is reiterated throughout the directive.
What does this mean for EU member states?
The new EU law lays down security and incident-reporting obligations for "operators of essential services" in sectors such as energy, transport, health, banking and drinking water supply. EU member states will have to identify the entities in these sectors using specific criteria, e.g. whether the service is critical for society and the economy and whether an incident would have significant disruptive effects on the provision of that service. Some digital service providers (online marketplaces, search engines and cloud services) will also have to take measures to secure their infrastructure and will have to report major incidents to national authorities. The security and notification requirements are, however, lighter for these providers, and micro and small digital companies are exempted from them altogether. The NIS directive will soon be published in the Official Journal of the EU and will enter into force on the twentieth day after publication (in August). Member states will then have 21 months to transpose the directive into national law, and six additional months to identify their operators of essential services.
Earlier this month the European Commission launched a new public-private partnership on cybersecurity that is expected to trigger €1.8 billion of investment by 2020.