The European Parliament adopted on 6 July the Directive on Security of Network and Information Systems.
Advertisement
The Directive on Security of Network and Information Systems (‘NIS Directive’) represents the first EU-wide rules on cybersecurity. The objective of the Directive is to achieve a high common level of security of network and information systems within the EU, by means of:
- Improved cybersecurity capabilities at national level
- Inreased EU-level cooperation
- Risk management and incident reporting obligations for operators of essential services and digital service providers
1. Improved cybersecurity capabilities at national level
What will Member States do to increase their national cybersecurity capabilities?
Each Member State will adopt a national strategy on the security of network and information systems defining the strategic objectives and appropriate policy and regulatory measures. The strategy should include:
- Strategic objectives, priorities and governance framework
- Identification of measures on preparedness, response and recovery
- Cooperation methods between the public and private sectors
- Awareness raising, training and education
- Research & development plans related to NIS Strategy
- Risk assessment plan
- List of actors involved in the strategy implementation
Member States will designate one or more national competent authorities for the NIS Directive, to monitor the application of the Directive at national level.
Member States will also designate a single point of contact, which will exercise a liaison function to ensure crossborder cooperation with the relevant authorities in other Member States and with the cooperation mechanisms created by the Directive itself.
Member States will designate one or more Computer Security Incident Response Teams (CSIRTs). CSIRTs will be responsible for, at least:
- monitoring incidents at a national level
- providing early warning, alerts, announcements and dissemination of information to relevant stakeholders about risks and incidents
- responding to incidents
- providing dynamic risk and incident analysis and situational awareness
- participating in the network of the national CSIRTs (CSIRTs network)
2. Increased EU-level cooperation
How will Member States cooperate?
The NIS Directive establishes a Cooperation Group, to support and facilitate strategic cooperation and the exchange of information among Member States and to develop trust and confidence.
It also establishes a network of the national CSIRTs, in order to contribute to the development of confidence and trust between the Member States and to promote swift and effective operational cooperation.
What will the Cooperation Group do?
The Cooperation Group will be composed of representatives of Member States, the Commission and ENISA (the European Union Agency for Network and Information Security), with the European Commission acting as secretariat. The procedural arrangements necessary for the functioning of the Cooperation Group will be adopted by the Commission through implementing acts.
The Cooperation Group will work on the basis of biennial Work Programmes, in four different areas:
Planning:
- Establish a Work Programme 18 months after entry into force (i.e. February 2018)
- Prepare a Work Programme every two years thereafter
Steering:
- Provide guidance for CSIRTs Network
- Assist Member States in NIS capacity building
- Support Member States in the identification of operators of essential services
- Discuss incident notification practices
- Discuss standards
- Engage with relevant EU institutions and bodies
- Evaluate national NIS strategies and CSIRTs (on voluntary basis)
Sharing information and best practices on:
- Risks
- Incidents
- Awareness-raising
- Training
- R&D
Reporting:
- Every 1.5 years provide a report assessing the experience gained with cooperation. The report will be sent to the Commission as a contribution to the review of the functioning of the Directive.
What will the CSIRTs Network do?
The CSIRTs Network will be composed of representatives of the Member States’ CSIRTs and CERTEU (the Computer Emergency Response Team for the EU institutions, agencies and bodies). The Commission will participate in the CSIRTs network as an observer. ENISA will provide the secretariat and actively support the cooperation among the CSIRTs.
The CSIRTs Network will have the following tasks:
- exchanging information on CSIRTs services, operations and cooperation capabilities
- exchanging and discussing information related to incidents (on request and voluntary)
- identifying a coordinated response to an incident (on request and voluntary)
- support cross-border incident handling (voluntary)
- exploring further forms of operational cooperation
- informing the Cooperation Group of its activities and requesting guidance
- discussing lessons learnt from NIS exercises
- discussing issues relating to an individual CSIRT (on request)
- issuing guidelines on operational cooperation
Two years after entry into force of the NIS Directive, and every 18 months thereafter, the CSIRTs Network will produce a report assessing the experience gained with operational cooperation, including conclusions and recommendations. The report will be sent to the Commission as a contribution to the review of the functioning of the Directive.
3. Risk management and incident reporting obligations for operators of essential services and digital service providers
What are operators of essential services, and what will they be required to do?
Operators of essential services are private businesses or public entities with an important role for the society and economy.
Under the NIS Directive, identified operators of essential services will have to take appropriate security measures and to notify serious incidents to the relevant national authority.
The security measures include:
- Preventing risks: Technical and organisational measures that are appropriate and proportionate to the risk.
- Ensuring security of network and information systems: The measures should ensure a level of security of network and information systems appropriate to the risks.
- Handling incidents: The measures should prevent and minimize the impact of incidents on the IT systems used to provide the services.
How will Member States identify operators of essential services?
Each Member State will identify the entities who have to take appropriate security measures and to notify significant incidents by applying these criteria:
(1) The entity provides a service which is essential for the maintance of critical societal/economic activities;
(2) The provision of that service depends on network and information systems; and
(3) A security incident would have significant disruptive effects on the provision of the essential service.
Which sectors does the Directive cover?
The Directive will cover such operators in the following sectors:
- Energy: electricity, oil and gas
- Transport: air, rail, water and road
- Banking: credit institutions
- Financial market infrastructures: trading venues, central counterparties
- Health: healthcare settings
- Water: drinking water supply and distribution
- Digital infrastructure: internet exchange points, domain name system service providers, top level domain name registries
What kind of incidents will be notifiable by the operators of essential services?
The Directive does not define threshold of what is an significant incident requiring notification to the relevant national authority. It defines 3 parameters which should be taken into consideration:
- Number of users affected
- Duration of incident
- Geographic spread
These parameters may be further clarified by means of guidelines adopted by the national competent authorities acting together within the Cooperation Group.
What are digital service providers (DSPs), and what will they be required to do?
Important digital businesses, referred to in the Directive as “digital service providers” (DSPs), will also be required to take appropriate security measures and to notify substantial incidents to the competent authority.
Security measures cover the following:
- Preventing risks: Technical and organisational measures that are appropriate and proportionate to the risk.
- Ensuring security of network and information systems: The measures should ensure a level of security of network and information systems appropriate to the risks.
- Handling incidents: The measures should prevent and minimize the impact of incidents on the IT systems used to provide the services.
The security measures taken by DSPs should also take into account some specific factors, to be further specified in a Commission implementing act:
- security of systems and facilities
- incident handling
- business continuity management
- monitoring, auditing and testing
- compliance with international standards
What kind of incidents will be notifiable by the DSPs?
The Directive does not define thresholds of what is a substantial incident requiring notification to the relevant national authority. It defines 5 parameters which should be taken into consideration:
- Number of users affected
- Duration of incident
- Geographic spread
- The extent of the disruption of the service
- The impact on economic and social activities
These parameters will be further specified by the Commission by means of implementing acts.
Which Digital Service Providers does the Directive cover?
The Directives covers:
- Online marketplaces (which allow businesses to set up shops on the marketplace in order to make their products and services available online)
- Cloud computing services
- Search engines
All entities meeting the definitions will be automatically subject to the security and notification requirements under the NIS Directive. Micro and small enterprises (as defined in Commission Recommendation 2003/361/EC) do not fall under the scope of the Directive.
How will a light-touch and harmonised approach for DSPs be achieved?
The Commission will adopt implementing acts with regard to security requirements and notifications obligations of DSPs within one year from the adoption of the Directive. Member States will not be able to impose additional more stringent security and notification requirements on DSPs. In addition, the competent authorities will be able to exercise supervisory activities only when provided with evidence that a DSP is not complying with its obligations under the Directive