What is the EU cyber security strategy?
The EU cyber security strategy sets out the EU's strategy for preventing and responding to disruptions and attacks affecting Europe's telecommunications systems.
The proposed directive would impose a minimum level of security for digital technologies, networks and services across all member states. It also proposes to make it compulsory for certain businesses and organisations to report significant cyber incidents. The list includes search engines, cloud providers, social networks, public administrations, online payment platforms like PayPal, and major e-commerce websites, such as Amazon.
The proposal was published in two parts on 7 February 2013. The first part is a communication from the Commission and the EU's High Representative for foreign affairs and security policy outlining an EU cyber security strategy. This is supported by the second element of the strategy - a European Commission proposal for a directive on network and information security.
Why do we need it?
Today's IT systems can be seriously affected by security incidents, such as technical failures and viruses. These kinds of incidents, often called network and information security (NIS) incidents, are becoming more frequent and more difficult to deal with.
Many businesses and governments across the EU rely on digital networks and infrastructure to provide their essential services. This means that when NIS incidents occur, they can have a huge impact by compromising services and stopping businesses working properly. In addition, with the development of the EU's internal market, many network and information systems work across borders. An NIS incident in one country can therefore have an effect in others and even across the whole EU. Security incidents also undermine consumer confidence in online payment systems and IT networks.
By introducing more consistent risk management measures and systematic reporting of incidents, the proposed directive would help sectors that depend on IT systems to become more reliable and stable.
In detail
EU cyber security strategy: An open, safe and secure cyberspace
The EU cyber security strategy sets out the EU's approach to how best to prevent and respond to cyber disruptions and attacks. It details a series of actions to enhance the cyber resilience of IT systems, reduce cybercrime and strengthen EU international cyber security policy and cyber defence.
The strategy sets out plans to address challenges under five priority areas:
· achieving cyber resilience
· drastically reducing cybercrime
· developing cyber defence policy and capabilities related to the EU's common security and defence policy (CSDP)
· developing the industrial and technological resources for cyber security
· establishing a coherent international cyberspace policy for the EU
One of the main actions under the strategy is the draft directive on network and information security.
Proposal for a directive on measures to ensure a high level of network and information security across the EU - 2013/0027(COD)
The draft directive on network and information security (NIS) is an important element of the cyber security strategy. It would require all EU member states, key internet companies and infrastructure operators, such as e-commerce platforms, social networks and transport, banking and healthcare services, to ensure a secure and trustworthy digital environment throughout the EU. As the current approach to NIS is based on voluntary action, national capability and the levels of private sector involvement and preparedness vary considerably between member states. The draft directive aims to level the playing field by introducing harmonised rules to apply in all EU countries.
The proposed measures include:
· the requirement for EU member states to adopt an NIS strategy and designate a national NIS authority with adequate resources to prevent, handle and respond to NIS risks and incidents
· the creation of a cooperation mechanism among member states and the Commission to share early warnings on risks and incidents, exchange information, and counter NIS threats and incidents
· the requirement for certain digital companies and services to adopt risk management practices and report major IT security incidents to the competent national authority
The requirement to report IT security incidents aims to help develop a culture of risk management and make sure that information is shared between the private and public sectors. It covers:
· critical infrastructure operators in sectors such as financial services, transport, energy and health
· IT service companies, including app stores, e-commerce platforms, internet payment platforms, cloud computing platforms, search engines and social networks
· public administrations
In the Council
Following preparatory work by the Working Group on Telecommunications and the Information Society (WP TELE), the Council held an initial orientation debate on the draft directive on 6 June 2013.
At a TTE Council meeting on 5 December 2013, ministers took note of a progress report on the directive. The report highlighted ongoing preparatory work on issues such as the scope of the directive, the terminology used, the set-up of the cooperation network, and the requirements for the national NIS strategies.
The Council discussed a further progress report at the TTE meeting on 6 June 2014. In particular, ministers looked at the best way to cooperate to improve preparedness and reactions to cyber security threats. They concluded that the NIS directive should focus on high-level strategic and policy cooperation. However, ministers also want it to give more direction to the operational cooperation that already takes place in several bodies. They agreed that discussions should continue on the practical arrangements for cooperation.
At a TTE Council meeting on 27 November 2014, the presidency briefed ministers on the state of play of work on the draft NIS directive. At the end of 2014, the Council held two trilogue meetings on the directive with the European Parliament. A third trilogue meeting took place on 30 April 2015. Although progress was made during the trilogue, important differences remained between the Council and European Parliament positions. The trilogue was nevertheless useful in further clarifying their respective concerns.
At a fourth trilogue meeting on 29 June 2015, the Council reached an understanding with the European Parliament on the main principles to be included in the draft NIS directive. These principles will now have to be turned into legal provisions to allow for a final deal on the directive at a later stage.
On 18 December 2015, the Coreper endorsed an informal deal with the European Parliament. Once the agreed text is finalised, it needs to be formally approved first by the Council and then by the Parliament.
On 17 May 2016, the Council approved its position at first reading, which confirmed the agreement reached with the European Parliament in December 2015. The next step is approval of the legal act by the European Parliament at second reading. The directive is expected to enter into force in August 2016.