Last week we introduced the new European Cyber-security strategy and the impetus behind the changes. In 2013 the European Commission announced that it had proposed a new directive aimed at ensuring a high common level of network and information security across the EU. The directive aims to do so by improving the security of the internet and of the private networks and information systems underpinning the functioning of our societies and economies.
On 7 December 2015, the European Parliament and the Luxembourg Presidency of the EU Council of Ministers announced that they had agreed the text of the directive. Although the agreed text has not yet been published, the draft proposals give us a good idea of the aims and function of the directive.
The Proposed Directive
One of the key provisions of the draft directive is a requirement for member states to adopt a national Network and Information Security (“NIS”) strategy defining the strategic objectives and the concrete policy and regulatory measures needed to achieve and maintain a high level of network and information security. Additionally, each member state will designate a national competent authority on the security of network and information systems, to prevent, handle and respond to network and information security risks and incidents. A computer emergency response team should be established under the national competent authority’s supervision. The competent authorities will also monitor the application of the directive at national level and contribute to its consistent application throughout the European Union.
The national competent authorities and the European Commission are to form a co-operation network to work together against risks and incidents affecting network and information systems. This network will operate an early warning system for certain incidents, including those that could grow rapidly in scale, exceed national response capacity or affect more than one member state. The national competent authorities should also publish on a website information about early warnings of incidents and co-ordinated responses.
Each member state will also ensure public administrations and market operators take appropriate technical and organisational measures to manage the risks posed to the security of the networks and information systems which they control and use in their operations. A market operator is defined as:
(a) a provider of information society services which enable the provision of other information society services (a non-exhaustive list of which is set out in Annex II of the directive);
(b) an operator of critical infrastructure that is essential for the maintenance of vital economic and societal activities in the fields of energy, transport, banking, stock exchanges and health (a non-exhaustive list of which is set out in Annex II of the directive).
The measures should guarantee a level of security appropriate to the risk presented. In particular, measures shall be taken to prevent and minimise the impact of incidents affecting their network and information systems on the core services they provide, and thus to ensure the continuity of the services underpinned by those networks and information systems. Public administrations and market operators will be required to notify the competent authority of incidents having a significant impact on the security of the core services they provide. The competent authority may inform the public, or require the public administrations and market operators to do so, where it determines that disclosure of the incident is in the public interest.
The competent authorities should report any incidents of a suspected serious criminal nature to law enforcement authorities. They will also work with personal data protection authorities when addressing incidents that have resulted in personal data breaches.
Whilst the proposed text does not prescribe any specific technical standards, member states are encouraged to use standards and specifications relevant to network and information security.
Finally, member states must adopt rules on sanctions applicable to infringements of the national provisions adopted pursuant to the directive and must take all measures necessary to ensure that they are implemented. The sanctions provided for must be effective, proportionate and dissuasive.