At the Plenary Session held today (July 6th, 2016) in Strasbourg, the European Parliament adopted, on its second reading, a position agreed with the Council on a Directive on common rules for the security of network and information systems across the EU. The main elements of the Directive are:
Member States have certain obligations with regard to their national cybersecurity capabilities.
Firstly, Member States are required to adopt a national strategy defining the strategic objectives and appropriate policy and regulatory measures with a view to achieving and maintaining a high level of security of networks and information systems.
Secondly, Member States shall designate one or more national competent authorities on the security of network and information systems to monitor the application of the Directive at national level.
Thirdly, Member States are also required to designate a national single point of contact on the security of networks and information systems that will exercise a liaison function to ensure cross-border cooperation of Member State authorities with the relevant authorities in other Member States, with the Cooperation Group and with the CSIRTs network. The single point of contact will also submit a yearly report on notifications received to the Cooperation Group.
Finally, Member States shall designate one or more Computer Security Incident Response Teams (“CSIRTs”) responsible for handling incidents and risks. The Directive sets out the requirements and tasks of CSIRTs in its Annex I.
The Directive establishes a Cooperation Group in order to support and facilitate strategic cooperation among Member States, to develop trust and confidence and with a view to achieving a high common level of security of networks and information systems in the Union. The Group will be composed of representatives from the Member States, the Commission and the European Union Agency for Network and Information Security (‘ENISA’) and will have specific tasks listed in the text, such as exchanging best practices and information on a number of issues or discussing capabilities and preparedness of Member States.
Furthermore, the Directive establishes a network of the national CSIRTs in order to contribute to developing confidence and trust between the Member States and to promote swift and effective operational cooperation. The network will be composed of representatives of the Member States’ CSIRTs and CERT-EU, and the Commission will participate in the network as an observer. ENISA will provide the secretariat and actively support the cooperation among the CSIRTs. The text provides for a list of tasks to be carried out by the network, such as exchanging information on CSIRTs’ services, operations and cooperation capabilities, supporting Member States in addressing cross-border incidents or, under certain conditions, exchanging and discussing information related to incidents and associated risks.
Security and notification requirements
The Directive lays down certain obligations for two sets of market players: operators of essential services and digital service providers.
Annex II of the Directive lists a number of sectors important for society and economy, namely energy, transport, banking, financial market infrastructures, health, drinking water supply and distribution and digital infrastructure. Within these sectors Member States will identify the operators of essential services, based on precise criteria provided for in the Directive.
Annex III of the Directive lists three types of digital services, the providers of which will have to comply with the requirements of the Directive: online marketplaces, online search engines and cloud computing services. All digital service providers providing the listed services will have to comply with the requirements of the Directive, with the exclusion of micro and small enterprises.
The two sets of market players will be required to take organisational and technical measures to manage the risks posed to the security of networks and information systems and to prevent and to minimise the impact of incidents affecting the security of those systems. Moreover, incidents having a certain level of impact on the services in question will have to be notified to the national competent authorities or to CSIRTs. The Directive provides for criteria to determine the level of the impact of such incidents.
The Directive takes a differentiated approach with regard to the two categories of players. The security and notification requirements are lighter for digital service providers than for operators of essential services, which reflects the degree of risk that disruption to their services may pose to society and economy. Moreover, taking into account that digital service providers are often active in many Member States and in order to ensure a high level of harmonisation, the Directive prevents Member States from imposing any further security and notification requirements on those providers.
The Directive also provides that entities which have not been identified as operators of essential services and are not digital service providers may notify certain incidents on a voluntary basis.
The Directive shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union. Member States will be required to transpose the Directive within 21 months of the date of its entry into force and will have six additional months to identify their operators of essential services.
This article was first published on Hogan Lovells’ Global Media and Communications Watch blog on July 6, 2016.