The Directive on security of network and information systems (the NIS Directive) was adopted by the European Parliament on 6 July 2016. European Commission Vice-President Andrus Ansip, responsible for the Digital Single Market, and Commissioner Günther H. Oettinger have issued a statement on this occasion. The Directive will enter into force in August 2016. Member States will have 21 months to transpose the Directive into their national laws and 6 months more to identify operators of essential services.
In 2013 the Commission put forward a proposal for a Directive concerning measures to ensure a high common level of network and information security across the Union. The NIS Directive provides legal measures to boost the overall level of cybersecurity in the EU by ensuring:
- Member States' preparedness, by requiring them to be appropriately equipped, e.g. via a Computer Security Incident Response Team (CSIRT) and a competent national NIS authority;
- cooperation among all the Member States, by setting up a cooperation group, in order to support and facilitate strategic cooperation and the exchange of information among Member States. They will also need to set up a CSIRT Network, in order to promote swift and effective operational cooperation on specific cybersecurity incidents and the sharing of information about risks;
- a culture of security across sectors which are vital for our economy and society and moreover rely heavily on ICTs, such as energy, transport, water, banking, financial market infrastructures, healthcare and digital infrastructure. Businesses in these sectors that are identified by the Member States as operators of essential services will have to take appropriate security measures and to notify serious incidents to the relevant national authority. Also key digital service providers (search engines, cloud computing services and online marketplaces) will have to comply with the security and notification requirements under the new Directive.
Strengthening Europe's cyber resilience
In its Communication of 5 July 2016, the European Commission encourages Member States to make the most of NIS coordination mechanisms. Building on those, the Commission will propose how to enhance cross-border cooperation in case of a major cyber-incident. Given the speed with which the cybersecurity landscape is evolving, the Commission will also bring forward its evaluation of the European Union Agency for Network and Information Security (ENISA), which will possibly lead to the adoption of a new mandate.
The Commission is also examining how to strengthen and streamline cybersecurity cooperation across different sectors of the economy, including in cybersecurity training and education.