On 17 May 2016, the European Union Council formally adopted the new Network and Information Security (NIS) Directive. The legal act must still be approved by the European Parliament, but it is expected to enter into force in August 2016.
The NIS directive is the fruit of a rather long process stemming from the publication of the Cybersecurity Strategy of the European Union in 2013. The strategy articulated five priorities: achieving cyber resilience, drastically reducing cybercrime, developing cyber defense policy and capabilities related to the Common Security and Defence policy, developing industrial and technological resources for cybersecurity, and establishing a coherent international cyberspace policy for the EU (and promoting EU core values).
The strategy is accompanied by proposals for legislation (the NIS Directive) and for the creation of national Computer Emergency Response Teams (CERTs) and an EU-wide CERT. The European Union Agency for Network and Information Security (ENISA) is tasked with examining this opportunity, as well as the feasibility of implementing an ICS-CSIRT (a CSIRT for industrial control systems). Most interestingly, the strategy recognizes the role played by private sector operators within critical infrastructure.
The NIS Directive proposal concerned the establishment of measures to “ensure a high common level of network and information security across the Union.” The proposal recognized the shortcomings of a purely voluntary approach by the private sector to tackle cybersecurity in a meaningful way, as well as the vastly disparate levels of cybersecurity preparedness at the member state level. The NIS Directive therefore aims to harmonize cybersecurity capabilities across the Union. Three distinct objectives are put forward for the Directive:
• The establishment of a national NIS strategy, an NIS cooperation plan, an NIS competent authority, and a CERT
• Information sharing and cooperation for national competent authorities within a coordinated framework at the EU level
• A requirement that private sector (market) operators of specific critical sectors and public administrations assess security risks, adopt appropriate NIS measures to counter those risks, and report serious incidents to national competent authorities
Member states will be required by the NIS Directive to transpose these objectives into national law, with appropriate sanctions for non-compliance by both market operators and public administrations. Both the NIS Directive and the Strategy call for the dedicated involvement of ENISA and the CERT for the EU institutions (CERT-EU). The NIS Directive also recognizes the role that standardization plays in driving cybersecurity awareness and developing market economies. Article 16 will require member states to encourage the use of standards and specifications relevant to NIS in order to ensure the application of Article 14, which sets out security requirements and incident notification obligations for public administrations and market operators.
The final text of the NIS Directive will be available once adopted by the EU Parliament.