After three years of intense negotiations, the EU finally reached agreement on the Network and Information Security (NIS) Directive this past December. Politically, all that remains to be done is for the text to be formally approved by the European Parliament and the Council of the EU in the coming months. Then Member States will have 21 months to implement this landmark legislation. At a technical level, however, there’s still work to be done. But more on that later.
Firstly, I would like to commend governments on finalizing what I am sure at times seemed like an arduous and thankless process. The final text of the Directive is much more likely to increase cybersecurity readiness across the EU, given its tighter focus on outcomes and the effectiveness of the obligations introduced. It is also positive to see that all Member States are adopting a national cybersecurity strategy and establishing new national authorities dedicated to cybersecurity, as well as Computer Security Incident Response Teams (CSIRTs). The commitment to greater international and intra-European coordination is equally encouraging.
The risk-based approach laid out in the Directive rightly concentrates government resources on protecting critical infrastructure (“operators of essential services”), making an important distinction between digital service providers overall and those who support aforementioned essential services, by assigning them different sets of obligations. It is particularly important that the transnational nature of the online environment has been recognized and that governments are committed to greater harmonization of security and reporting requirements for digital services.
However, the extent to which EU Member States are able to harmonize the requirements will set the standard for judging the success of the Directive in years to come. The potential for this law to be replicated internationally hinges on the ability of Member States not only to develop new, complementary requirements, but also to align existing ones. Countries such as Germany, France and the Czech Republic have already adopted their own implementation of the NIS Directive ahead of its adoption.
An additional layer of complexity are the different sectoral requirements that could be developed for the different elements of essential services (i.e. transport vs. healthcare sectors) and how these will play out within a particular country and across the EU.
Designing a framework to address some of those concerns will be done through a combination of guidelines to be developed by the European Network and Information Security Agency (ENISA) and a set of implementing acts by the European Commission. ENISA’s ability to coordinate with both governments and the private sector will be critical in order for this process to yield effective and workable results in a relatively short timeframe. This is particularly true with regards to developing an incident reporting scheme – the first of its kind for the technology sector – and effective security baselines.
However, this will not be the only area the EU will focus on. In late December, the European Commission launched a new consultation on how to establish a public private partnership (PPP) on cybersecurity, which is part of the EU’s Digital Single Market Strategy. The PPP is expected to become operational this year, which is an ambitious timeline. The consultation also includes issues vital to increasing the level of network and information security across Europe: certification, standardization and labelling.
All of this could make 2016 the year that shifts cybersecurity in Europe from a topic of conceptual debate to becoming the concrete foundation that is so urgently needed. It is time to roll-up our sleeves.