On 7 December 2015, the Luxembourg Presidency of the Council reached a political agreement with the European Parliament on common rules to strengthen Network and Information Security (NIS) across the European Union.
Following this political agreement, the text will have to be formally approved by the European Parliament and the Council in early 2016. Member States will then have 21 months to transpose the Directive into their national laws and 6 more months to identify operators of essential services.
The new Directive will set out cybersecurity obligations for operators of essential services (traditional critical infrastructures such as energy, transport, health or banking) and digital service providers (such as online marketplaces, search engines and cloud providers). These operators will be required to take measures to manage cyber risks and to report major security incidents, but the two categories will be subject to different regimes.
The NIS Directive sets an important precedent, as for the first time certain “information society service providers” will be regulated in a similar way to how telecom operators already are for Network and Information Security purposes (art. 13a of Framework Directive 2009/140/EC). This is a very important step towards an enhanced level of cybersecurity and a level playing field.
The NIS Directive is the first EU-wide legal instrument addressing cybersecurity and adds value to Network and Information Security in each of the Directive's three pillars:
- National Cybersecurity capabilities will be improved
- An EU-wide approach to cybersecurity will improve the current cooperation amongst Member States
- Key sectors (e.g. digital service providers) will be subject to security obligations providing a level of harmonization within the Digital Single Market
The NIS Directive is only a first step and will not solve all the cybersecurity challenges that Europe faces (unfortunately, for example, the Directive does not cover software and hardware manufacturers). The Commission itself considers the Directive to be the first step of a wider process towards stronger NIS. But, for the first time, the Directive has recognised that a European Digital Single Market on cybersecurity can function properly only if every link in the value chain is kept intact. This implies that minimum security requirements and reporting obligations should not apply only to certain actors (operators of critical infrastructures or “essential services”) but should rather address the much larger number of actors that are running the critical infrastructure of tomorrow, if not of today (e.g. cloud, e-commerce platforms, search engines).
The scope of application of the Directive was precisely the difficult element in the negotiations between the Co-Legislators. The initial Commission proposal already recognized the importance of security throughout the entire value chain. However, the debate took a wrong direction when the European Parliament voted in March 2014 to exclude “digital service providers” (called “Internet enablers” at the time) from the scope of application. This trend was to some extent reflected in the Council negotiations for months. The Latvian Presidency, during the first half of 2015, managed to redress the discussion and to re-introduce “Internet enablers”. The final negotiations, led by the Luxembourg Presidency, concluded with an agreement that aims at enhancing the overall level of trust and security in the EU, as recognized by Xavier Bettel, Luxembourg’s Prime Minister and Minister for Communications and the Media, and President of the Council: “This is an important step towards a more coordinated approach in cybersecurity across Europe. All actors, public and private, will have to step up their efforts, in particular by increased cooperation between member states and enhanced security requirements for infrastructure operators and digital services”.
Building on this achievement, the European Commission is about to launch a public consultation on the Public-Private Partnership (PPP) on Cybersecurity. The commercial PPP itself will be launched by summer 2016, as announced in the Digital Single Market (DSM) Strategy. As the European Cyber Security Strategy already did in 2013, the DSM Strategy acknowledges the lack of a single market for cybersecurity services and products. The PPP therefore aims to improve public-private cooperation in the area of technologies and solutions for online network security. Since cybersecurity is such a sensitive issue for Member States (being linked to national security), they also want to have a key role in the governance of this PPP.