The Directive provides legal measures to boost the overall level of cyber security in the EU.
The European Parliament adopted the Directive on security of network and information systems (the NIS Directive) on July 6, 2016, and it entered into force in August 2016. Member states had to transpose the Directive into their national laws by May 9, 2018. One of the key follow-up tasks for member states was to identify their operators of essential services by November 9, 2018.
Vital role of IT
According to the EU Commission, network and information systems and services play a vital role in society: “Their reliability and security are essential to economic and societal activities, and in particular to the functioning of the internal market. The magnitude, frequency and impact of security incidents are increasing, and represent a major threat to the functioning of network and information systems. Those systems may also become a target for deliberate harmful actions intended to damage or interrupt the operation of the systems. Such incidents can impede the pursuit of economic activities, generate substantial financial losses, undermine user confidence and cause major damage to the economy of the Union.”
One of the measures to foster security is to boost collaboration between the Computer Security Incident Response Teams (CSIRTs) that every member state must set up. The Directive also establishes a CSIRTs Network of these national teams to promote swift and effective operational cooperation on specific cyber security incidents and to share information about risks. Member states must also promote a culture of security across sectors that are vital for the European economy and society, including energy, transport, water, banking, financial market infrastructures, healthcare and digital infrastructure.
The Directive requires businesses in these sectors that member states identify as operators of essential services to take appropriate security measures and to notify incidents with a significant impact on the continuity of their services to the relevant national authority. Key digital service providers (online search engines, cloud computing services and online marketplaces) must also comply with the security and notification requirements of the Directive.
The new NIS Directive is an important next step in protecting Europe's digital infrastructure. Nevertheless, it could have shown a stronger sense of urgency. The Directive leaves much room for discussion about the upcoming deadlines, and time is unfortunately not on the EU's side. We will need to speed up, because cyber-criminals are not wasting time in developing a continuous stream of new means to attack critical infrastructures. One way to accelerate is to look at best practices in other parts of the world, including the US and Singapore. Both countries have developed coherent cyber security policies that may well provide a basis for the EU to move forward.
In the end, it comes down to the right technology approach. The more critical the service, as with the essential services defined by the Directive, the more advanced the protective technology must be. Unidirectional networks secured with data diodes are one example: a data diode enforces one-way data flow at the physical layer, so that, for instance, monitoring data can leave an operational network while no inbound path exists for an attacker to exploit.