Progress in the Network and Information Security (NIS) Platform

The NIS Directive (also known as the Cybersecurity Directive) was first proposed in February 2013 by the European Commission as a significant part of EU Cybersecurity Strategy.

The draft Directive passed the European Parliament by a large majority on 13 March 2014, and the final text of the Directive will now be negotiated in the EU legislative bodies. An ambitious aim to reach a final agreement by the end of 2014 was expressed by Neelie Kroes, former EU Commissioner for the Digital Agenda, before EU elections.

As the objective of the NIS (Network and Information Security) Platform is to contribute to the Commission Recommendations on good cybersecurity practices, the European Commission organized on 25th November the 4th plenary meeting of the Network and Information Security (NIS) Platform to advance the issue and some progress was presented by the 3 working groups of the Platform:

1.-risk management best practices,
2.-information sharing and incident handling best practices
3.-secure ICT Research & Innovation best practices

Nevertheless, the outputs of the discussions were pretty general and patchy. The Commission did not give an impression of having a clear roadmap. On the contrary, the day before during the “Preliminary Workshop comparing U.S. Cybersecurity framework and EU NIS Platform approaches”. On its side, it was clear that the US had already set up and drafted a set of benchmarks. The basic issue is how to create a fair regulatory framework, to give protection to society that it was independent of the technology and the services.

On 27th November, at the Council of Telecom Ministers the Italian Presidency briefed Ministers on the state of play of the proposed Directive to improve Network and Information Security (NIS). The Council is currently negotiating the terms of the proposed Directive with the European Parliament, and the next meeting was planned for December.

The most contested aspect of the Directive relates to the scope of private companies which fall under the proposed security and reporting requirements. The main outstanding issue between the two Institutions concerns the scope of the proposal and the inclusion of the so called Internet enablers within the scope. The Latvian Presidency presented its work programme, which states that the Latvian Presidency will work towards the timely adoption and implementation of the NIS Directive.