First Cybersecurity Law Adopted EU-Wide

The first cybersecurity law, the NIS Directive, has been adopted to improve security across the European Union, the European Commission announced yesterday in a plenary session. EU member states should improve cooperation to set common standards and each member should focus on increasing national security online by coming up with a clear policy and regulatory mechanisms.

As each state will nominate a national competent authority to supervise the NIS Directive, each country”s strategy should cover a clear list of strategic objectives, risk assessment, research and development, among others. The Computer Security Incident Response Teams will be in charge of monitoring, analysis, and announcing risks and incidents.

Cybersecurity incidents very often have a cross-border element and therefore concern more than one EU member state. Fragmentary cybersecurity protection makes us all vulnerable and poses a big security risk for Europe as a whole, said Parliament’s rapporteur Andreas Schwab (EPP, DE). This directive will establish a common level of network and information security and enhance cooperation among EU member states, which will help prevent cyber attacks on Europe”s important interconnected infrastructures in the future.

The directive establishes security commitments for operators in the energy (electricity, oil, and gas), transportation (air, rail, water, and road), healthcare, water (drinking water supply and distribution), banking (credit institutions), and financial market infrastructures (trading venues and central counterparties) sectors. The new law also urges digital service providers to take measures to safeguard their infrastructure.

Two years after adoption of the directive, and every 18 months after that, the Computer Security Incident Response Teams (CSIRTs) are to release a review with recommendations involving risk prevention and how to handle incidents. Notifications should be released on parameters such as number of users affected, duration, geographic spread, disruption extent and economic impact.