European Union (EU) negotiators from the European Parliament, the Council of the European Union, and the European Commission agreed on the first union-wide legislation to improve member cybersecurity, the Commission said Dec. 8.
The three EU governing institutions making up the legislative (European Parliament and Council of the European Union) and executive (European Commission) bodies agreed on draft legislation based on a 2013 Commission proposal for a directive to ensure a common high level of network and information security (NIS) across the EU.
The agreed rules aim to improve cybersecurity capabilities in member states, improve member states’ cooperation on cybersecurity, and require operators of essential services in certain key sectors and key digital service providers (DSP), like search engines and cloud computing, to take appropriate security measures and report incidents to national authorities. The key sectors include energy, transport, banking, and healthcare.
The European Parliament voted on the first reading of the draft legislation in March 2014 while the Council adopted a negotiating mandate under the current Luxembourg Council Presidency on Dec. 4.
This joint agreement has been under development for years. One of the first announcements of the early stages was a statement by the head of the European Commission for Home Affairs over 3 years ago.
The agreed NIS Directive requires member states to adopt a national NIS strategy that defines the strategic objectives and appropriate policy and regulatory measures in relation to cybersecurity. They would also have to designate national competent authorities for the implementation and enforcement of the directive, as well as Computer Security Incident Response Teams (CSIRTs) responsible for managing incidents and risks.
The legislation seeks to improve cooperation by creating a ‘Cooperation Group’ between member states to support and facilitate strategic cooperation and the exchange of information among members. The group would also work to develop trust and confidence among the member states. The Commission would provide the group’s secretariat.
The CSIRTs are planned to be organized into a network (the CSIRTs Network) “in order to promote swift and effective operational cooperation on specific cybersecurity incidents and sharing information about risks,” the Commission said. The EU Agency for Network and Information Security (ENISA) would provide the secretariat for the CSIRTs Network.
Essential service operators covered by the directive include the sectors of electricity; oil and gas; banking credit institutions; financial market infrastructures of trading venues and central counterparties; healthcare providers; drinking water supply and distribution; and digital infrastructure like internet exchange points, domain name system service providers, and top-level domain name registries.
Operators that fall under the legislation are to be identified by individual member states on the basis of criteria such as whether the service is essential for the maintenance of critical societal or economic activities.
Key DSPs required by the agreement to also take security measures include those that operate online marketplaces, cloud computing services, and search engines. The directive seeks to establish a “harmonized set of requirements for digital service providers, so that they can expect similar rules wherever they operate in the EU,” the Commission said.
High-level EU officials welcomed the agreement.
“Trust and security are the very foundations of a Digital Single Market. If we want people and businesses to use and make the most of connected digital services, they need to trust them to be secure in the case of attack or failure,” Andrus Ansip, European Commission Vice-President for the Digital Single Market, said in a statement.
“Last night’s agreement is an important step in this direction, but we cannot stop here: we plan an ambitious partnership with the industry in the coming months to develop more secure products and services,” Ansip added.
Günther Oettinger, Commissioner for the Digital Economy and Society, also welcomed the agreement.
“The agreement constitutes a major step in improving the resilience of our network and information systems in Europe, one of the objectives of the EU cybersecurity strategy and a cornerstone of our efforts towards creating a Digital Single Market. Improving cooperation and information exchange between Member States is a key element of the agreed rules and will help us tackle the increasing number of cyber-attacks,” Oettinger said in the same statement.
Independent experts highlighted the agreed directive as an EU milestone. “It is the first time that the European Parliament and national governments have agreed on wording on the rules for cyber security…it is a major advance in improving Europe’s cyber security,” Ray Nulty, head of the Berkeley Research Group’s international financial services advisory practice in Europe, said in a statement.
Nulty also noted the challenges in putting the law into place.
“Regulators will need to ensure that organizations which provide essential services including their supply chains and wider ecosystems are fully aligned in terms of cyber policies, practices and processes. For the directive to work, weak points such as those exposed by the Target breach must be eliminated.”
The next step following this agreement is having the European Parliament and the Council formally approve the legislation text. The text has not yet been released to the public.
Subsequently, the agreement will be published in the EU Official Journal and officially enter into force. Member states then have 21 months to implement the directive into their national laws plus six months to identify essential services operators.
The Commission plans to build on the agreement by launching a public-private partnership on cybersecurity in the areas of technologies and solutions for online network security in 2016. The partnership’s proposal is expected in the first half of 2016, Oettinger said.