By Cynthia O’Donoghue and Kate Brimsted
After almost three years, consensus has finally been reached on the text of the Network and Information Security (“NIS”) Directive, the first EU-wide cyber security regulation. The NIS Directive (or Cybersecurity Directive) lays down baseline cybersecurity obligations and mandatory breach reporting obligations on critical infrastructure operators and digital service providers across the EU.
The Directive also envisages a “strategic cooperation group”, with the aim of encouraging Member States to exchange information and best practices on cybersecurity breaches. In addition, Member States will be required to set up Computer Security Incident Response Teams (CSIRTs) to handle incidents and identify coordinated responses alongside the other Member States.
The announcement, which was made on 7 December 2015, has been a long time coming. Work on the Directive first began in February 2013, and the text has since been under trialogue negotiations between the European Commission, Parliament and Council.
Who Does It Apply To? The Directive will apply to companies that provide an “essential service” in the energy, transport, banking, financial market, health and water supply sectors. The trialogue has set down a list of criteria for determining which companies provide an “essential service”, but ultimately it will be for Member States to make this decision.
Digital Service Providers, such as online marketplaces, search engines and cloud services, will also fall within the scope of the Directive. Their inclusion has been one of the more contentious aspects of the negotiations, with the Commission arguing for it and Parliament against. However, a compromise position has been reached through the negotiation of a lighter regulatory regime for Digital Service Providers, compared with the stricter regime imposed on critical infrastructure operators.
What Requirements Does It Impose? Under the Directive, critical infrastructure operators will need to ensure that the digital infrastructures they use to deliver essential services are “robust enough to resist cyber-attacks”. They must also report serious security breaches to public authorities. Digital Service Providers have similar, albeit less strict, obligations; they must ensure their infrastructures are “secure” and must report any major security breaches.
Organisations may also be subject to additional, country-specific obligations. This is because the Directive sets down “baseline” obligations, giving Member States the freedom to impose additional security requirements.
Affected organisations must therefore ensure they carry out system-wide security reviews, and put procedures in place to prevent, manage and respond to breaches.
When Does It Come into Force? At present, the Directive still needs to be formally approved. This is expected to take place on 18 December 2015. Once finalised and published, Member States will have 21 months to transpose the Directive into their national law. A further six months will be allowed for Member States to identify which operators provide an “essential service”.