The European Parliament has passed the new network and information security (NIS) directive that establishes minimum requirements for cyber-security on critical infrastructure operators.
The NIS directive has a significant impact on all the businesses that supply essential services and operate critical infrastructures in different industries, including energy, transport, banking, health or digital services. Those companies are required to be compliant with minimum standards of cyber-security.
The NIS directive is the response to the threat represented by cyber attacks against critical infrastructure services, this is the EU’s first ever cyber security rules. MEPs voted in favor of them on Wednesday 6 July.
“On 6 July MEPs approved on the Network and Information Security directive, which sets out a common EU approach on cyber security. It list critical sectors such as energy, transport and banking where companies would have to ensure they are able to resist a cyber attack. They would be obliged to report serious security incidents to national authorities, while digital service providers such as Amazon and Goole would also have to notify them of major attacks. In addition the directive aims to boost cooperation on cyber security between EU countries.” states the press release issued by the European Parlament.
The EU network and information security (NIS) directive sets common cyber-security standards and aims to step up cooperation among EU countries and service providers. According to its supporters, it will help prevent attacks on EU countries’ interconnected infrastructure.
“Cyber-security incidents very often have a cross-border element and therefore concern more than one EU member state. Fragmentary cyber-security protection makes us all vulnerable and poses a big security risk for Europe as a whole,” said Parliament’s rapporteur Andreas Schwab, MEP for Germany. “This directive will establish a common level of network and information security and enhance cooperation among EU member states, which will help prevent cyberattacks on Europe’s important interconnected infrastructures in the future.”
“[NIS] is also one of the first legislative frameworks that applies to platforms. In line with the Digital Single Market strategy, it establishes harmonised requirements for platforms and ensures that they can expect similar rules wherever they operate in the EU. This is a huge success and a big first step to establishing a comprehensive regulatory framework for platforms in the EU.”
Member states will have 21 months to be compliant with the directive and six additional months to identify the operators behind the national critical infrastructure .
The NIS directive states that each state is responsible for identifying the organisations have to be compliant to the directive.
The information sharing among the states is a pillar of the NIS directive, organisations under the new law have a new obligation to report major incidents to a national computer security incident response team (CSIRT).
A crucial role will be covered by the European Network and Information Security Agency (ENISA) that will work as a facilitator among the state members of the EU.
The directive will be published in the EU Official Journal.
(Security Affairs –NIS Directive, cyber security)