On 6 July, 2016, the Network and Information Security directive (the “NIS Directive”) was adopted by the European Parliament at second reading. This follows on from formal adoption by the European Council on 17 May, 2016.
The NIS Directive was hailed by Andreas Schwab (the European Parliament’s rapporteur) as a “huge success and a big first step to establishing a comprehensive regulatory framework for platforms in the EU“. In addition, Members of the European Parliament stated that having harmonized cybersecurity standards and increased co-operation between Member States should help organisations protect themselves against cyber attacks and should also help to prevent attacks on Member States.
The key elements of the NIS Directive include:
- a requirement for “operators of essential services” in critical infrastructure sectors (e.g. energy, transportation, healthcare and banking) and digital service providers (e.g. search engine operators, cloud computing services and ecommerce platforms) to implement appropriate technical and organisational measures to manage security risks and to notify the national competent authority of serious incidents;
- the adoption by Member States of a national strategy to include policies and measures to maintain a level of network and information security;
- the designation of a national competent authority to implement and enforce the NIS Directive and create Computer Security Incident Response Teams (“CSIRT“) responsible for investigating data security incidents and cybersecurity risks; and
- the creation of a Cooperation Group to support and facilitate strategic cooperation and information exchange between Member States and a CSIRT Network to “promote swift and effective operational cooperation on specific cybersecurity incidents and sharing information about risks.”
The NIS Directive is expected to be published in the EU Official Journal very soon and will enter into force on the 20th day after its publication. Member States will then have 21 months (i.e. by April 2018) to transpose the provisions of the NIS Directive into national laws and an additional 6 months to formally identify their operators of essential service.