The first-ever European Union-wide rules on cybersecurity have been adopted, specifying risk management and incident-reporting obligations for companies.
The Directive on Security of Network and Information Systems (NIS Directive) says that digital service providers and companies “that provide a service which is essential for the maintenance of critical societal/economic activities” will be responsible for ensuring a level of security of network and information systems to prevent and minimize the impact of incidents on the IT systems used to provide their services.
This includes operators in the energy sector; transport companies using air, rail, water and roads; financial services; healthcare; drinking water supply and distribution; and internet exchange points, domain name system service providers, top level domain name registries and others.
The Directive does not define a threshold of what is a significant incident requiring notification to national authorities, but it does define three parameters which should be taken into consideration. Those are the number of users affected; the duration of the incident; and the geographic spread.
“The EU NIS directive will have a fundamental impact on the way that most organizations in European Union member states implement security policies and report breaches,” said Adam Palmer, director of International Government Affairs, FireEye, via email. “Organizations of all sizes will now need to adopt mitigation measures that will manage risk stemming from zero-day exploits and never-seen-before malware as these attacks constitute the majority of advanced attacks in today’s threat environment.”
The law will come into effect in May 2018. Recent research carried out by FireEye shows that many organizations are not fully prepared for the implementation of the legislation.
“It is critical to react now to be in compliance and not be caught unprepared as the 21-month timeframe kicks in,” said Palmer.
In the wake of Brexit, in practical terms UK organizations should, of course, still look to be compliant with this new European legislative measure, bearing in mind that the timeline for UK withdrawal from the EU is at least two years. Also, the UK will still be subject to this legislation where UK companies process EU citizens’ personal data in connection with their offer of goods or services, or if they provide "monitoring” activities. The same applies if a group company is located in the EU or have staff operating within any EU member state, Palmer added.
“Long-term, the UK will need to ensure it finds a way to be considered as a country with an adequate level of data protection, so that neither data storage or data transfer will prove problematic,” he said. “The UK Data Protection Authority would also do well to encourage the UK government to align with EU data protection laws in order to safeguard the trust of global customers."
The NIS Directive also said that each EU member state is expected to adopt a national strategy on the security of network and information systems, defining the strategic objectives and appropriate policy and regulatory measures. They’re also expected to select an authority for the NIS Directive, to monitor the application of the Directive at national level.
In addition, countries will designate one or more Computer Security Incident Response Teams (CSIRTs), which will coordinate monitoring, threat intelligence, and response to incidents. And, an EU-wide “Cooperation Group” will provide guidance to the CSIRTS and provide the EU-level umbrella for the member states’ efforts.
Photo © Guttzemberg