EU Network and Information Security Directive sets legal requirement to report breaches

The EU has just passed a new directive, the Network and Information Security Directive, which was approved in December 2015 and passed through last week. The directive comes into force in August of this year, with a 21-month limit to implement it by transposing it into national law.

The EU commissioner Gunther H. Oettinger said in his statement ‘The adoption of the first EU-wide legislation on cybersecurity will support and facilitate strategic cooperation between Member States as well as the exchange of information…I signed a partnership with the private sector that will trigger €1.8 billion of investment to foster cross-border research and development cooperation of the cybersecurity industrial players in Europe. All these initiatives reinforce each other and are vital if we want our digital economy and society to thrive.’

This is the first EU-wide piece of legislation regarding cybersecurity, designed to strengthen strategic cooperation and information sharing. It requires companies to establish risk management procedures and to report any data breaches. To coincide with the launch, the EU has also announced a €450m investment in the new European public-private partnership on cybersecurity. So in two deft steps, the EU has shown its commitment to cybersecurity, adding the two most common measures for strengthening it: breach reporting and cooperation between private and public sector organisations. We’ve seen this same approach in US, UK and Australian cybersecurity measures (or proposed measures) within the last 12 months, so it’s no surprise the EU has followed suit.

There is some question over whether the UK will adopt this new directive, considering it has just voted to leave the EU. However, the UK has yet to instigate its withdrawal, which is unlikely to be completed before the 21-month deadline. As the current UK cybersecurity legislation, the National Cyber Security Strategy, which was rolled out in 2011, comes to an end this year, we would expect to see a new agenda coming forward, likely covering the items from the Network and Information Security Directive as a matter of course. This remains to be seen, however, especially as the cabinet has just undergone a major reshuffle.

For a number of countries, these might be the very first cybersecurity laws they’re putting in place, and as such they will place new demands on their service providers and government agencies. New infrastructure and new cybersecurity measures will need to be put in place, including significant investment in technologies, such as Acunetix, to address the ‘appropriate security measures’. For all countries required to transpose the new law, the following are the key requirements:

Identify essential service providers:

‘By 9 November 2018, for each sector and subsector referred to in Annex II, Member States shall identify the operators of essential services with an establishment on their territory.’ This includes industries such as energy, finance, health and transport. Once identified, appropriate security measures must be identified and put in place.
Article 5

Adopt a national security strategy:

‘Each Member State shall adopt a national strategy on the security of network and information systems defining the strategic objectives and appropriate policy and regulatory measures with a view to achieving and maintaining a high level of security of network and information systems’. This strategy must address its own objectives and priorities, establish a governance framework, identify response and cooperative measures, education relating to the strategy, a risk assessment plan and a list of all agencies and actors involved in the strategy. Once established, this strategy must be communicated within three months of it being put in place.
Article 7

Designate competent authorities:

‘Each Member State shall designate one or more national competent authorities on the security of network and information systems’. Basically, appropriate authorities to monitor the application of the security directive must be named, and a single point of contact selected to liaise with cross-border agencies on matters of cybersecurity cooperation.
Article 8

Establish ‘Computer Security Incident Response Team(s)’ (CSIRTs):

‘Each Member State shall designate one or more CSIRTs which shall comply with the requirements [of services outlined in the directive]’. Each country must identify these teams and ensure they are adequately resourced to carry out the duties required by the directive and have access to the necessary infrastructure.
Article 9

Cooperation between established actors:

‘Where they are separate, the competent authority, the single point of contact and the CSIRT of the same Member State shall cooperate with regard to the fulfilment of the obligations laid down in this Directive.’ A straightforward reminder that the agencies identified or newly established must cooperate with each other to ensure a smooth delivery of the strategy.
Article 10

To assist EU countries with all the requirements of establishing the strategy within their own territories, the EU has outlined the remit of their ‘Cooperation Group’ and a ‘CSIRTs Network Group’, where information will be shared.

Finally, there are sections laying out specific security requirements which countries must demand of their essential service providers and ‘digital service providers’. Herein lie some vague references to ‘appropriate and proportionate technical and organisational measures’ regarding risks and reducing the impact of any security incidents, along with the requirement for these providers to report any incidents ‘without undue delay’. Following this, the CSIRT(s) must inform any other affected member states and potentially the public. The requirements here are vague and contain no specific technological requirements or timescales for action to be taken; these elements are left to EU member states to establish for themselves.

In some ways, this new directive may force the hands of EU countries who have yet to establish their own cybersecurity legislation, and we should hear of their specific legal transpositions of this directive in the months to come, along with an increased demand for cybersecurity products and services to meet the requirement for ‘appropriate security measures’. Tools such as Acunetix will no doubt form part of a new security arsenal, now legally required across Europe.
