Close Menu
    Latest Category
    • Finance
    • Tech
    • EU Law
    • Energy
    • fx
    • About
    • Contact
    EUbusiness.com | EU news, business and politicsEUbusiness.com | EU news, business and politics
    Login
    • EU News
    • Focus
    • Guides
    • Press
    • Jobs
    • Events
    • Directory
    EUbusiness.com | EU news, business and politicsEUbusiness.com | EU news, business and politics
    Home»internet

    Directive on Security of Network and Information Systems

    eub2By eub27 July 2016Updated:9 July 2024 internet No Comments7 Mins Read
    Share
    Facebook Twitter LinkedIn Pinterest Email
    — last modified 07 July 2016

    The European Parliament adopted on 6 July the Directive on Security of Network and Information Systems.


    Advertisement


    The Directive on Security of Network and Information Systems (‘NIS Directive’) represents the first EU-wide rules on cybersecurity. The objective of the Directive is to achieve a high common level of security of network and information systems within the EU, by means of:

    1. Improved cybersecurity capabilities at national level
    2. Inreased EU-level cooperation
    3. Risk management and incident reporting obligations for operators of essential services and digital service providers

    1.  Improved cybersecurity capabilities at national level

    What will Member States do to increase their national cybersecurity capabilities?

    Each Member State will adopt a national strategy on the security of network and information systems defining the strategic objectives and appropriate policy and regulatory measures. The strategy should include:

    • Strategic objectives, priorities and governance framework
    • Identification of measures on preparedness, response and recovery
    • Cooperation methods between the public and private sectors
    • Awareness raising, training and education
    • Research & development plans related to NIS Strategy
    • Risk assessment plan
    • List of actors involved in the strategy implementation

    Member States will designate one or more national competent authorities for the NIS Directive, to monitor the application of the Directive at national level.

    Member States will also designate a single point of contact, which will exercise a liaison function to ensure cross–border cooperation with the relevant authorities in other Member States and with the cooperation mechanisms created by the Directive itself.

    Member States will designate one or more Computer Security Incident Response Teams (CSIRTs). CSIRTs will be responsible for, at least:

    • monitoring incidents at a national level
    • providing early warning, alerts, announcements and dissemination of information to relevant stakeholders about risks and incidents
    • responding to incidents
    • providing dynamic risk and incident analysis and situational awareness
    • participating in the network of the national CSIRTs (CSIRTs network)

    2.  Increased EU-level cooperation

    How will Member States cooperate?

    The NIS Directive establishes a Cooperation Group, to support and facilitate strategic cooperation and the exchange of information among Member States and to develop trust and confidence.

    It also establishes a network of the national CSIRTs, in order to contribute to the development of confidence and trust between the Member States and to promote swift and effective operational cooperation.

    What will the Cooperation Group do?

    The Cooperation Group will be composed of representatives of Member States, the Commission and ENISA (the European Union Agency for Network and Information Security), with the European Commission acting as secretariat. The procedural arrangements necessary for the functioning of the Cooperation Group will be adopted by the Commission through implementing acts.

    The Cooperation Group will work on the basis of biennial Work Programmes, in four different areas:

    Planning:

    • Establish a Work Programme 18 months after entry into force (i.e. February 2018)
    • Prepare a Work Programme every two years thereafter

    Steering:

    • Provide guidance for CSIRTs Network
    • Assist Member States in NIS capacity building
    • Support Member States in the identification of operators of essential services
    • Discuss incident notification practices
    • Discuss standards
    • Engage with relevant EU institutions and bodies
    • Evaluate national NIS strategies and CSIRTs (on voluntary basis)

    Sharing information and best practices on:

    • Risks
    • Incidents
    • Awareness-raising
    • Training
    • R&D

    Reporting:

    • Every 1.5 years provide a report assessing the experience gained with cooperation. The report will be sent to the Commission as a contribution to the review of the functioning of the Directive.

    What will the CSIRTs Network do?

    The CSIRTs Network will be composed of representatives of the Member States’ CSIRTs and CERT–EU (the Computer Emergency Response Team for the EU institutions, agencies and bodies). The Commission will participate in the CSIRTs network as an observer. ENISA will provide the secretariat and actively support the cooperation among the CSIRTs.

    The CSIRTs Network will have the following tasks:

    • exchanging information on CSIRTs services, operations and cooperation capabilities
    • exchanging and discussing information related to incidents (on request and voluntary)
    • identifying a coordinated response to an incident (on request and voluntary)
    • support cross-border incident handling (voluntary)
    • exploring further forms of operational cooperation
    • informing the Cooperation Group of its activities and requesting guidance
    • discussing lessons learnt from NIS exercises
    • discussing issues relating to an individual CSIRT (on request)
    • issuing guidelines on operational cooperation

    Two years after entry into force of the NIS Directive, and every 18 months thereafter, the CSIRTs Network will produce a report assessing the experience gained with operational cooperation, including conclusions and recommendations. The report will be sent to the Commission as a contribution to the review of the functioning of the Directive.

    3.  Risk management and incident reporting obligations for operators of essential services and digital service providers

    What are operators of essential services, and what will they be required to do?

    Operators of essential services are private businesses or public entities with an important role for the society and economy.

    Under the NIS Directive, identified operators of essential services will have to take appropriate security measures and to notify serious incidents to the relevant national authority.

    The security measures include:

    • Preventing risks: Technical and organisational measures that are appropriate and proportionate to the risk.
    • Ensuring security of network and information systems: The measures should ensure a level of security of network and information systems appropriate to the risks.
    • Handling incidents: The measures should prevent and minimize the impact of incidents on the IT systems used to provide the services.

    How will Member States identify operators of essential services?

    Each Member State will identify the entities who have to take appropriate security measures and to notify significant incidents by applying these criteria:

    (1) The entity provides a service which is essential for the maintance of critical societal/economic activities;

    (2) The provision of that service depends on network and information systems; and

    (3) A security incident would have significant disruptive effects on the provision of the essential service.

    Which sectors does the Directive cover?

    The Directive will cover such operators in the following sectors:

    • Energy: electricity, oil and gas
    • Transport: air, rail, water and road
    • Banking: credit institutions
    • Financial market infrastructures: trading venues, central counterparties
    • Health: healthcare settings
    • Water: drinking water supply and distribution
    • Digital infrastructure: internet exchange points, domain name system service providers, top level domain name registries

    What kind of incidents will be notifiable by the operators of essential services?

    The Directive does not define threshold of what is an significant incident requiring notification to the relevant national authority. It defines 3 parameters which should be taken into consideration:

    • Number of users affected
    • Duration of incident
    • Geographic spread

    These parameters may be further clarified by means of guidelines adopted by the national competent authorities acting together within the Cooperation Group.

    What are digital service providers (DSPs), and what will they be required to do?

    Important digital businesses, referred to in the Directive as “digital service providers” (DSPs), will also be required to take appropriate security measures and to notify substantial incidents to the competent authority.

    Security measures cover the following:

    • Preventing risks: Technical and organisational measures that are appropriate and proportionate to the risk.
    • Ensuring security of network and information systems: The measures should ensure a level of security of network and information systems appropriate to the risks.
    • Handling incidents: The measures should prevent and minimize the impact of incidents on the IT systems used to provide the services.

    The security measures taken by DSPs should also take into account some specific factors, to be further specified in a Commission implementing act:

    • security of systems and facilities
    • incident handling
    • business continuity management
    • monitoring, auditing and testing
    • compliance with international standards

    What kind of incidents will be notifiable by the DSPs?

    The Directive does not define thresholds of what is a substantial incident requiring notification to the relevant national authority. It defines 5 parameters which should be taken into consideration:

    • Number of users affected
    • Duration of incident
    • Geographic spread
    • The extent of the disruption of the service
    • The impact on economic and social activities

    These parameters will be further specified by the Commission by means of implementing acts.

    Which Digital Service Providers does the Directive cover?

    The Directives covers:

    • Online marketplaces (which allow businesses to set up shops on the marketplace in order to make their products and services available online)
    • Cloud computing services
    • Search engines

    All entities meeting the definitions will be automatically subject to the security and notification requirements under the NIS Directive. Micro and small enterprises (as defined in Commission Recommendation 2003/361/EC) do not fall under the scope of the Directive.

    How will a light-touch and harmonised approach for DSPs be achieved?

    The Commission will adopt implementing acts with regard to security requirements and notifications obligations of DSPs within one year from the adoption of the Directive. Member States will not be able to impose additional more stringent security and notification requirements on DSPs. In addition, the competent authorities will be able to exercise supervisory activities only when provided with evidence that a DSP is not complying with its obligations under the Directive

    Add A Comment

    Leave A Reply Cancel Reply

    You must be logged in to post a comment.

    eub2
    • Website

    eub2 is the default publisher for EUbusiness.

    Related Content

    EU calls on Apple to end geo-blocking on media services

    Apple on notice to comply with EU digital market rules

    EU launches legal action against Temu over sale of illegal products

    EU boosts cyber resilience in Europe’s critical digital infrastructure

    EU adopts new cybersecurity law for connected devices

    EU set to invest EUR 865m in 5G, gigabit connectivity

    LATEST EU NEWS

    EU approves EUR 300m for common defence procurement projects

    14 November 2024

    EU proposes e-declaration for the posting of workers

    14 November 2024

    EU calls on Apple to end geo-blocking on media services

    14 November 2024

    EUR/USD touches one year low as Trump takes control of Congress – Euro currency news daily

    14 November 2024

    EU artificial intelligence factories set for 2025

    13 November 2024
    BRIEFING

    Agenda

    This week, COP29 begins in Azerbaijan; finance ministers discuss the EU's annual budget for 2025; and MEPs hold a plenary session on EU-US relations, EU summits, deforestation and COP 29...

    EUbusiness Week

    This week competitiveness and environment ministers will hold informal meetings…

    Eurozone Economic Calendar

    Key economic calendar events for the week 11 to 16 November 2024

    The Week's Top Stories

    This week competitiveness and environment ministers will hold informal meetings…

    Advertisement

    Subscribe to EUbusiness Week

    Get the latest EU news

    Latest Posts

    EU approves EUR 300m for common defence procurement projects

    14 November 2024

    EU proposes e-declaration for the posting of workers

    14 November 2024

    EU calls on Apple to end geo-blocking on media services

    14 November 2024

    EUR/USD touches one year low as Trump takes control of Congress – Euro currency news daily

    14 November 2024

    CONTACT INFO

    • EUbusiness Ltd 117 High Street, Chesham Buckinghamshire, HP5 1DE United Kingdom
    • +44(0)20 8058 8232
    • service@eubusiness.com

    INFORMATION

    • About Us
    • Advertising
    • Contact Info

    Services

    • Privacy Policy
    • Tems
    • EU News

    SOCIAL MEDIA

    Facebook
    eubusiness.com © EUbusiness Ltd 2025
    Design and developed by : Dotsquares

    Type above and press Enter to search. Press Esc to cancel.

    Sign In or Register

    Welcome Back!

    Login below or Register Now.

    Lost password?

    Register Now!

    Already registered? Login.

    A password will be e-mailed to you.

    We use cookies to ensure that we give you the best experience on our website. If you continue to use this site we will assume that you are happy with it.Ok