The European Union has agreed on a new Directive on common rules for the security of network and information systems across the EU. The directive was passed on July 6th at a plenary session of the European Parliament, where MEPs agreed to adopt the directive as it had been agreed by the European Council.
The directive states that all EU member states will have specific requirements regarding their national cyber security capabilities. These requirements are laid out in the directive.
Firstly, each nation must have a national strategy to combat cybercrime. This strategy will state its objectives and the policy and regulations it is putting in place to meet them. The overall objective all strategies must reach is for all networks and IT systems to have a high level of security.
The directive then requires each nation to identify at least one body to oversee the security of networks and IT infrastructure, and to ensure that the requirements of the directive are being adhered to. There must also be a point of contact to allow EU nations to liaise with each other about this issue.
And finally, each member state must have a designated Computer Security Incident Response Team (CSIRT) to both identify risks and deal with incidents.
It is intended that the directive will lead to closer cooperation between EU nations on the issue of cyber-crime and how different member states are tackling it. As with most EU policy, the long-term objective is to bring everything together as a single policy to be applied across the entire EU.
The individual national CSIRTs are expected to forge close working relationships with each other and build trust and operational relations between member states. A network of these teams will be set up, with the European Council present as an observer.
In addition to these requirements for member states, there is also a raft of new requirements for businesses working within the sector, namely operators of essential services and digital service providers.
The EU definition of an essential service is a broad one, to say the least, and encompasses energy, transport, banking, financial market infrastructures, health, drinking water supply and distribution and digital infrastructure.
Digital service providers are defined as online marketplaces, online search engines and cloud computing services.
Any business which falls within these categories will have to comply with the new directive. It requires them to take all necessary steps to protect their networks and IT systems, and to ensure that any incidents that do occur have a minimal impact on their delivery of essential services.
They will also be required to notify their national CSIRT of any incident which meets the criteria for a significant incident (as defined in the directive). These are defined less rigorously for digital service providers than for essential services.
The directive will come into effect just 20 days after its publication in the Official Journal of the European Union, and is expected to be transposed into national legislation within 21 months. This timeframe means that whilst it will apply in the UK to begin with, it is unlikely to have a significant long-term impact in the UK (as we will be well down the Brexit road in 21 months’ time) unless it is one of the pieces of EU regulation that the Government chooses to retain on the British statute book.