Last week the European Union (EU) parliament approved regulations to improve the bloc’s cybersecurity. The move will help set standards for critical infrastructure firms responsible for services in sectors such as energy, transportation, public health, finance, and drinking water supply.
According to an official EU statement, under the Network and Information Security (NIS) directive, member states will have to identify companies in these fields using specific criteria, for example, “whether the service is critical for society and the economy and whether an incident would have significant disruptive effects on the provision of that service.” Some “digital service providers” such as search engines and e-commerce websites will be required to adopt security standards to protect their infrastructure and report significant cybersecurity incidents to national authorities.
Current cybersecurity regulations in EU member states differ by state and most simply require entities to report cyber breaches. The new measures take into account that disruptions in critical infrastructure in one EU country could have devastating effects across the region. “Cybersecurity incidents very often have a cross-border element and therefore concern more than one EU member state. Fragmentary cybersecurity protection makes us all vulnerable and poses a big security risk for Europe as a whole. This directive will establish a common level of network and information security and enhance cooperation among EU member states, which will help prevent cyberattacks on Europe’s important interconnected infrastructures in the future,” said EU spokesman Andreas Schwab.
In addition to its regulatory ambitions on cybersecurity, the EU is investing $500 million to fund research and has asked the private sector to contribute three times that amount. The resulting $2 billion contractual Public-Private Partnership (cPPP) on cybersecurity is intended to boost cross-border cybersecurity research and to support the development of security products and services for critical infrastructure firms. The cPPP is expected to announce its first call for proposals in the first quarter of 2017.
The NIS directive will soon be published in the Official Journal of the European Union and will enter into force on the twentieth day after publication (August 2016). Member states will then have twenty-one months to transpose the directive into national law and six additional months to identify operators of critical infrastructure, or “essential services,” within their borders. Each member state will also be required to adopt a national NIS strategy, and will be able to exchange information and receive support on cybersecurity capacity building as a member of the directive’s strategic “cooperation group.”