Directive on Security of Network and Information Systems, the first EU-wide legislation on cybersecurity
9 May was the deadline for the member states to transpose into national laws the Directive on Security of Network and Information Systems that entered into force in August 2016. The NIS Directive is the first EU-wide legislation on cybersecurity.
The objective of the Directive is to achieve an evenly high level of security of network and information systems across the EU, through:
• Improved cybersecurity capabilities at national level;
• Increased EU-level cooperation;
• Risk management and incident reporting obligations for operators of essential services and digital service providers.
As part of the cybersecurity package adopted in September 2017, the Commission issued the Communication “Making the Most of the Directive on Security of Network and Information Systems” to assist member states with guidance and best practice examples and to ensure a harmonised transposition of the new rules. €18.7m are allocated from the CEF programme for cybersecurity projects increasing the capabilities of the CSIRTs between 2017 and 2020 (for example, for purchasing software tools, or covering the costs of training and exercises).
CEF funding is additionally being opened up to other stakeholders concerned by the NIS Directive, namely operators of essential services, digital service providers, single points of contact and national competent authorities, with a further €13m being available to those who apply under the next call for proposals, open from May to late November this year.
How will member states cooperate under the NIS Directive?
The NIS Directive established a cooperation group that is chaired by the Presidency of the Council of the European Union. The group gathers representatives of the member states, the Commission (acting as secretariat) and the European Union Agency for Network and Information Security (ENISA). This cooperation group facilitates strategic cooperation and the exchange of information among member states and helps develop trust and confidence. The cooperation group has met six times to date, starting in February 2017.
The Directive also established a Network of the national Computer Security Incident Response Teams (network of CSIRTs), to contribute to the development of confidence and trust between the member states and to promote swift and effective operational cooperation.
How does the cooperation group function? What has it achieved so far?
The group is chaired by a representative of the member state holding the Presidency of the Council of the EU. It operates by consensus and can set up sub-groups to examine specific questions related to its work. The Commission provides the secretariat of the cooperation group.
The group works on the basis of biennial work programmes. Its main tasks are to steer the work of the member states in the implementation of the Directive, by providing guidance to the Computer Security Incident Response Teams (CSIRTs) network and assisting member states in capacity building, sharing information and best practices on key issues, such as risks, incidents and cyber awareness.
The Cooperation Group has so far produced, for example, non-binding guidelines on the security measures and the incident notification for operators of essential services.
Every one-and-a-half years the group will provide a report assessing the benefits of the cooperation. The report will be sent to the Commission as a contribution to the review of the functioning of the Directive.
How does the CSIRTs Network function?
The network is composed of representatives of the member states’ CSIRTs (Computer Security Incident Response Teams) and CERT-EU (the Computer Emergency Response Team for the EU institutions, agencies and bodies). The Commission participates in the CSIRTs Network as an observer. The European Union Agency for Network and Information Security (ENISA) provides the secretariat, actively supporting cooperation among the CSIRTs.
Two years after entry into force of the NIS Directive (by 9 August), and every 18 months thereafter, the CSIRTs Network will produce a report assessing the benefits of operational cooperation, including conclusions and recommendations. The report will be sent to the Commission as a contribution to the review of the functioning of the Directive.
More intense coordination in the network could already be seen in mid-2017 during the WannaCry and NotPetya ransomware attacks.
What are operators of essential services, and what will they be required to do?
Operators of essential services are private businesses or public entities with an important role in providing security in healthcare, transport, energy, banking and financial market infrastructure, digital infrastructure and water supply.
Under the NIS Directive, identified operators of essential services will have to take appropriate security measures and to notify serious cyber incidents to the relevant national authority.
The security measures include:
• Preventing risks
• Ensuring security of network and information systems
• Handling incidents
How will member states identify operators of essential services?
Member states have until 9 November to identify the entities that have to take appropriate security measures and to notify significant incidents, according to the following criteria:
(1) The entity provides a service which is essential for the maintenance of critical societal and economic activities;
(2) The provision of that service depends on network and information systems; and
(3) A security incident would have significant disruptive effects on the essential service.
Which sectors does the Directive cover?
The Directive covers operators in the following sectors:
• Energy: electricity, oil and gas
• Transport: air, rail, water and road
• Banking: credit institutions
• Financial market infrastructures: trading venues, central counterparties
• Health: healthcare settings
• Water: drinking water supply and distribution
• Digital infrastructure: internet exchange points, domain name system service providers, top level domain name registries
What kind of incidents should be notified by the operators of essential services?
The Directive does not define a threshold for what constitutes a significant incident requiring notification to the relevant national authority.