Information systems, essential networks and services, such as online banking, electricity grids or airport control, can be affected by security incidents caused by human mistakes, technical failures or malicious attacks. ENISA estimates that these incidents result in annual losses of €260 - €340 billion. The EU currently has no common approach to cyber-security and incident reporting – however, that is all about to change.
Under new EU rules approved by the majority of Internal Market MEPs (34 votes to 2) on 14 January, firms supplying essential services, e.g. for energy, transport, banking and health, or digital ones, such as search engines and cloud computing, will have to take action to improve their ability to withstand cyber-attacks. The draft NIS directive will now be checked by lawyer-linguists before being endorsed by both the Council and the full Parliament. It will then be published in the EU Official Journal and will enter into force on the twentieth day after publication. Member states will then have 21 months to transpose the directive into their national laws and six additional months to identify operators of essential services.
Network Security a Priority
The new directive for a high common level of security of network and information systems (NIS) across the Union aims to end the current fragmentation of 28 national cybersecurity systems, by listing sectors in which critical service companies will have to ensure that they are robust enough to resist cyber-attacks. These will also be required to report serious security breaches to national authorities.
"Parliament has pushed hard for a harmonised identification of critical operators in energy, transport, health or banking fields, which will have to fulfil security measures and notify significant cyber incidents. Member states will also have to cooperate more on cybersecurity – which is even more important in light of the current security situation in Europe", said rapporteur Andreas Schwab (EPP, DE), after a deal was reached last month on the NIS directive.
EU countries to list “essential service” firms
Under the new rules, EU member states will have to identify concrete "operators of essential services" in these fields, using set criteria: whether the service is critical for society and the economy, whether it depends on network and information systems and whether an incident could have significant disruptive effects on service provision or public safety.
Some digital service providers, such as online marketplaces (e.g. eBay, Amazon), search engines (e.g. Google) and clouds, will also have to take measures to ensure the safety of their infrastructure and will have to report major incidents to national authorities.
According to Stephen Bailey, Cyber Security Lead at technical security practice 7Safe, the effects could be far-reaching: “Large organisations should ask important questions now. For example, are digital services providers and ‘clouds’ ready to step into line yet? And will national governments be able to look the other way if any of their ‘essential services’ organisations are involved in a serious incident? Especially if serious data protection violations are involved, following the recent adoption of the EU’s General Data Protection Regulation (GDPR)? Each EU member state will have to set up a network of Computer Security Incident Response Teams (CSIRTs), to handle incidents and risks, discuss cross-border security issues and identify coordinated responses. The European Network and Information Security Agency (ENISA) will also play a key role in implementing the directive, particularly when it comes to organisations co-operating with this new EU-wide approach to cyber security. Despite all this, 7Safe has found that few senior managers are aware of the likely impact, especially when it comes to respecting GDPR data protection rules, reiterated throughout the text.”
Steve’s best advice:
Talk to a cybersecurity expert now about the best ways to harden your systems, set up more effective response and internal/external reporting mechanisms to deal with cyber incidents, and appoint a Data Protection Officer to start the process of evaluating the risks to confidential data.
Visit https://www.7safe.com/cyber-security-services and make contact with the 7Safe consultancy team.