Yesterday was the “go live” date for the EU’s Network and Information Security (NIS) Directive. The NIS Directive was adopted in 2016, and as a directive, it sets out objectives and policies to be attained through legislation at an EU member state level within a certain timeframe (a process called transposition). Member states were required to transpose the NIS Directive into national law by May 9, 2018.
As the first EU law specifically focused on cybersecurity, the NIS Directive has three parts, affecting both industry and member state governments.
- Requirements on organisations: The directive establishes security and incident notification requirements for “operators of essential services” (OES) (e.g., providers of energy, transportation, healthcare, drinking water, some financial services) and, to a less stringent extent, “digital service providers” (DSP) (online marketplaces, online search engines, and cloud service providers). The NIS Directive requires these companies “to have regard to the state of the art technologies” to manage risks posed to the security of the networks and information systems used to provide the covered services, and take appropriate measures to prevent and minimise the impact of incidents. Security incidents of certain magnitudes must be reported to national competent authorities. The above obligations apply whether the OES or DSP manages its own network and information systems or outsources them.
- National activities: The directive requires member states to adopt national cybersecurity strategies; to designate national competent authorities; and to have one or more computer security incident response teams (CSIRTs), corresponding at least to the sectors covered by the directive, to detect, prevent, and respond to cyber incidents and risks.
- EU-wide collaboration: The directive emphasises coordination among member states, setting up a CSIRT network (also to include CERT-EU) to promote swift and effective operational cooperation regarding threats and incidents, and a strategic NIS “cooperation group” to support and facilitate cooperation and information exchange among member states.
Officials in Brussels and other EU capitals have worked hard to make NIS successful. Many countries have updated or issued, for the first time, their national cybersecurity strategies. CSIRTs have been established, and legislation has been readied to transpose NIS. The European Commission has issued guidance to countries on effective implementation of NIS. ENISA – the EU Agency for Network and Information Security – has also issued a range of guidance, including recommendations on the use and management of CSIRTs and recommendations regarding the security and incident notification measures for DSPs. The NIS cooperation group – composed of representatives of member states, the Commission, and ENISA – reportedly meets regularly to coordinate efforts among EU countries, including sharing information about how to implement NIS as consistently as possible. To that end, the cooperation group has issued non-binding guidelines on security measures and incident notification for OESs. The EU member states that have held the EU Presidency since NIS was adopted – Slovakia, Malta, Estonia, and now Bulgaria – have all made NIS implementation a priority, driving NIS-related activity, including in the cooperation group.
Of course, steps remain. Some countries need to finish transposing NIS (not all countries made the deadline). Per the directive, they also have another six months to identify the operators of essential services established in their territories (this information might not be made public for security reasons). And equally importantly, organisations covered by NIS will be determining if they must change their security practices to meet its requirements, and if so, how. The European Commission understands that more needs to be done, and announced May 4 that, to help member states rapidly transpose the NIS Directive and build their capabilities, the Connecting Europe Facility programme is providing €38 million in funding until 2020 to support national CSIRTs as well as other NIS Directive stakeholders, such as the operators of essential services and digital service providers.
As part of the May 4 announcement above, European Commission Vice-President Andrus Ansip, responsible for the Digital Single Market, Commissioner for Migration, Home Affairs and Citizenship Dimitris Avramopoulos, Commissioner for the Security Union Julian King and Commissioner Mariya Gabriel, in charge of Digital Economy and Society, issued a statement, noting that “The adoption of the NIS Directive two years ago was a turning point for the EU’s efforts to step up its cybersecurity capacities.” This is true. However, NIS is just one of an expanding list of activities driven out of Brussels to improve cybersecurity. Many people close to the action in Brussels reported that attention to cybersecurity rose quickly among senior policymakers in the wake of the May 2017 WannaCry ransomware attack. In September 2017, EU President Jean-Paul Juncker made cybersecurity a major theme – for the first time ever – of the “State of the EU” address, highlighting the need for the EU to better protect Europeans in the digital age. That same month, the European Commission issued a package of cybersecurity legislative and other proposals. This included a new EU cybersecurity strategy, “Resilience, Deterrence and Defence: Building Strong Cybersecurity for the EU,” with a focus on protection and prevention of cyberattacks. Further, the Commission announced its intention to set up a “cybersecurity competence network” and a “European Cybersecurity Research and Competence Centre,” and issued a recommendation to establish an EU-wide “Coordinated Response to Large Scale Cybersecurity Incidents and Crises.” It also proposed a new law – the Cybersecurity Act – to increase and make permanent ENISA’s mandate, as well as to develop an EU-wide certification scheme. This Act is currently being debated in Parliament and the European Council.
All these EU efforts are essential. They include important plans and activities: increasing cybersecurity-related education and training, stepping up law enforcement activities, and accelerating cyberthreat information sharing, to name a few. They also, of course, complement an array of actions being taken by the member states individually.
Palo Alto Networks commends European policymakers for putting cybersecurity front and center. The NIS Directive hits a key milestone today, but today is simply a stage on a journey. The EU understands that cybersecurity is essential to economic activity and growth as well as to the user confidence in online activities that underpins it. Companies in Europe, across all sectors, must ensure their businesses are resilient to cyberattacks as they embrace the digital world, EU governments need secure online operations, and consumers need trust in their online experiences. Ultimately, the more all EU member states can raise the collective bar, the more the global digital infrastructure will benefit. Palo Alto Networks looks forward to continuing to contribute to Europe’s efforts.