The European Parliament has adopted the Directive on Security of Network and Information Systems (the ‘NIS Directive’), which will be coming into force in August of this year, and which will give Member States 21 months to successfully transpose the Directive into their national laws.
The NIS Directive is a part of the cybersecurity strategy for ‘An Open, Safe and Secure Cyberspace’, first published by the European Commission in February of 2013, with the aim of mapping out best practice for preventing and responding to cyber-attacks and increasing cooperation between EU Member States on cybersecurity issues. The Directive targets critical sectors including energy, transportation, banking, financial markets, health, water and digital infrastructure.
To achieve the objective behind it, the Directive imposes certain obligations on Member States, such as, inter alia, adopting a national strategy on the security of network and information systems, designating a competent authority to monitor the implementation of the Directive, and designating one or more Computer Security Incident Response Teams.
Additionally, a cooperation group composed of representatives of the Member States will be appointed to provide guidance and share information on network security.
At a company level, digital service providers and operators of essential services must now draw up risk management and incident reports to be given to national authorities. The targeted digital service providers include online marketplaces, cloud computing services and search engines.
Essential services will be identified based on the following criteria:
1. If the entity provides a service which is essential for the maintenance of critical societal or economic activities;
2. If the provision of that service depends on network and information systems; and
3. If a security incident would have significant disruptive effects on the provision of the essential service.
Incidents requiring notification will be assessed according to the number of users affected, the duration of the incident, its geographic spread, the extent of disruption of the service and its impact on economic and societal activities.
The next step for the European Commission is to adopt implementing acts with respect to the security requirements and notification obligations of digital service providers, to be in place within one year of the adoption of the NIS Directive.