NIS Directive: a higher common level of network and IT system security within the EU
The different strategies in place at a European level are a good place to start when it comes to raising awareness of cybersecurity within the European Union. The Network and Information Security (NIS) Directive, adopted in July 2016, is a perfect example of this. Member States have until May 9, 2018, to transpose the legislation into their national law.
“Cybersecurity incidents often cross borders and affect more than one EU Member State. A fragmented approach to cybersecurity leaves us all vulnerable and poses a high security risk to Europe as a whole” Guillaume Poupard, Director General of the French National Cybersecurity Agency (ANSSI)
The NIS Directive aims to introduce measures designed to provide a higher common level of network and IT system security for every country in the EU. “Network and information systems and services play a vital role in society,” according to the legislation. “Their reliability and security are essential to economic and societal activities, and in particular to the functioning of the internal market.” Under the legislation, there are new security requirements which a large number of private sector businesses as well as “operators of essential services” must comply with.
The new EU law is based on four major points:
The directive first seeks to help Member States build their own national capacities in cybersecurity. Each country must implement a national strategy setting out its strategic objectives, political measures, and appropriate regulations, with a view to “achieving a higher level of security of network and information systems”. EU Member States are also obligated to designate a national competent authority for cybersecurity (such as ANSSI in France) and national computer security incident response teams or CSIRTs (such as CERT-FR in France).
Cooperation is also a pivotal theme in the NIS Directive. Member States must be willing to cooperate on cybersecurity, something which will be ensured through the creation of a cooperation group and a European network of CSIRTs. The cooperation group is primarily responsible for promoting good practice on sharing information on incidents, as well as awareness and training. The network of national CSIRTs, on the other hand, will be charged with sharing technical information on risks and vulnerabilities.
Operators of essential services (entities which provide a service essential to maintaining vital societal and/or economic activities such as energy, transport, banking, and healthcare) and digital service providers (such as online marketplaces, search engines, and cloud service providers) are subject to specific rules on managing security risks and reporting serious incidents.
For operators of essential services, the legislation states that an incident could significantly disrupt the ability to provide those services. In order to comply with the requirements of the new EU directive, Member States must therefore ensure that these operators “take appropriate and proportionate technical and organizational measures to manage the risks” posed to the security of networks and information systems. These entities must also notify national authorities about any incident that has a significant impact on the continuity of essential services that they provide.
In France, issues related to the security of critical operators have already been addressed. The NIS Directive lays down provisions similar to France’s Military Programming Act (Loi de Programmation Militaire or LPM), but at a European level. The act establishes the security rules necessary for protecting essential operators. “The list of essential operators covered by the NIS Directive is more comprehensive than the list of those in France set out by the LPM, which is something we welcome,” declared Guillaume Poupard at the International Cybersecurity Forum in 2016. “There are many essential operators which don’t appear on the list in the French act, and it’s good that the European directive casts a wider net.”