On December 7, 2015, the Council of the European Union (the Council) reached an informal agreement with the European Parliament on a new EU directive on network and information security (NISD).
The agreement marks the conclusion of two years of work, since the European Commission (the Commission) and the High Representative of the European Union for Foreign Affairs and Security Policy published a strategy for ‘An Open, Safe and Secure Cyberspace’ and proposed a directive in 2013. Once adopted, likely in early 2016, EU Member States will have 21 months to adopt the necessary national provisions to comply with the NISD.
The NISD lays down minimum obligations for all Member States on the prevention and handling of, and the response to, risks and incidents affecting networks and information systems, creates a cooperation mechanism between Member States, and establishes security requirements for certain market operators and public administrations. The NISD will impose new security-related obligations on market operators providing “essential services” in a wide range of industries. In the words of the European Parliament’s rapporteur, the NISD marks the “beginning of platform regulation” in the EU.
Obligations of market operators
The NISD’s imposition of security-related obligations on market operators has been among the most contentious issues delaying agreement on the NISD. Under the agreed compromise, the NISD will impose obligations only on operators of “essential services” in critical sectors. These sectors, however, include many of the EU’s most important industries:
- Energy: electricity, oil and gas;
- Transport: air, rail, water and road;
- Banking: credit institutions;
- Financial market infrastructures: trading venues and central counterparties;
- Health: healthcare providers;
- Water: drinking water supply and distribution; and
- Digital infrastructure: internet exchange points (which enable interconnection between the internet’s individual networks), domain name system service providers, and top-level domain name registries.
Within these sectors, Member States will identify the operators providing essential services, based on criteria in the NISD, including whether the service is critical for society and the economy, whether it depends on network and information systems and whether an incident could have significant disruptive effects on its provision or public safety. These operators will have to take appropriate security measures and notify serious incidents to the relevant national authority.
Providers of digital services will also be caught by the NISD. The following providers will be covered:
- Online marketplaces (which allow businesses to set up shops on the marketplace in order to make their products and services available online);
- Cloud computing services; and
- Search engines.
Member State authorities will have six months after the NISD’s implementation deadline to identify their operators of essential services.
National strategies and a cooperation network
The NISD will oblige each EU Member State to designate one or more national authorities and develop a cybersecurity strategy. The NISD will also create a “Cooperation Group” between Member States to support and facilitate strategic cooperation and the exchange of information among Member States. The Commission will provide the secretariat for the Cooperation Group. The Directive will, moreover, create a network of Computer Security Incident Response Teams (CSIRTs) to promote swift and effective operational cooperation on specific cybersecurity incidents and the sharing of information about risks.