The EU’s Network and Information Security (NIS) Directive Goes Live Amidst Range of Expanding Cybe

Share and earn Cybytes
Facebook Twitter LinkedIn Email

Yesterday was the “go live” date for the EU’s Network and Information Security (NIS) Directive. The NIS Directive was adopted in 2016, and as a directive, it sets out objectives and policies to be attained through legislation at an EU member state level within a certain timeframe (a process called transposition). Member states were required to transpose the NIS Directive into national law by May 9, 2018.

As the first EU law specifically focused on cybersecurity, the NIS Directive has three parts, affecting both industry and member state governments.

  • Requirements on organisations: The directive establishes security and incident notification requirements for “operators of essential services” (OES) (e.g., providers of energy, transportation, healthcare, drinking water, some financial services) and, to a less stringent extent, “digital service providers” (DSP) (online marketplaces, online search engines, and cloud service providers). The NIS Directive requires these companies “to have regard to the state of the art technologies” to manage risks posed to the security of the networks and information systems used to provide the covered services, and take appropriate measures to prevent and minimise the impact of incidents. Security incidents of certain magnitudes must be reported to national competent authorities. The above obligations apply whether the OES or DSP manages its own network and information systems or outsources them.
  • National activities: The directive requires member states to adopt national cybersecurity strategies; to designate national competent authorities; and to have one or more computer security incident response teams (CSIRTs), corresponding at least to the sectors covered by the directive, to detect, prevent, and respond to cyber incidents and risks.
  • EU-wide collaboration: The directive emphasises coordination among member states, setting up a CSIRT network (also to include CERT-EU) to promote swift and effective operational cooperation regarding threats and incidents, and a strategic NIS “cooperation group” to support and facilitate cooperation and information exchange among member states.

Officials in Brussels and other EU capitals have worked hard to make NIS successful. Many countries have updated or issued, for the first time, their national cybersecurity strategies. CSIRTs have been established, and legislation has been readied to transpose NIS. The European Commission has issued guidance to countries on effective implementation of NIS.  ENISA – the EU Agency for Network and Information Security – has also issued a range of guidance, including recommendations on the use and management of CSIRTs and recommendations regarding the security and incident notification measures for DSPs. .  The NIS cooperation group –  composed of representatives of member states, the Commission, and ENISA– reportedly meets regularly to coordinate efforts among EU countries, including sharing information about how to implement NIS as consistently as possible. To that end, the cooperation group has issued  non-binding guidelines on security measures and incident notification for OESs. The EU member states that have held the EU Presidency since NIS was adopted- Slovakia, Malta, Estonia, and now Bulgaria—have all made NIS implementation a priority, driving NIS-related activity including in the Cooperation Group.

Of course, steps remain. Some countries need to finish transposing NIS (not all countries made the deadline). Per the directive, they also have another six months to identify the operators of essential services established in their territories (this information might not be made public for security reasons).  And equally importantly, organisations covered by NIS will be determining if they must change their security practices to meet its requirements, and if so, how. The European Commission understands that more needs to be done, and announced May 4 that, to help member states rapidly transpose the NIS Directive and build their capabilities, the Connecting Europe Facility programme is providing €38 million in funding until 2020 to support national CSIRTs as well as other NIS Directive stakeholders, such as the operators of essential services and digital service providers.

As part of the May 4 announcement above, European Commission Vice-President Andrus Ansip, responsible for the Digital Single Market, Commissioner for Migration, Home Affairs and Citizenship Dimitris Avramopoulos, Commissioner for the Security Union Julian King and Commissioner Mariya Gabriel, in charge of Digital Economy and Society, issued a statement, noting that “The adoption of the NIS Directive two years ago was a turning point for the EU’s efforts to step up its cybersecurity capacities.” This is true.  However, NIS is just one of an expanding list of activities driven out of Brussels to improve cybersecurity. Many people close to the action in Brussels reported that attention to cybersecurity rose quickly among senior policymakers in the wake of the May 2017 WannaCry ransomware attack. In September 2017, EU President Jean-Paul Juncker made cybersecurity a major theme – for the first time ever — of the “State of the EU” address, highlighting the need for the EU to better protect Europeans in the digital age. That same month, the European Commission issued a package of cybersecurity legislative and other proposals. This included a new EU cybersecurity strategy, “Resilience, Deterrence and Defence: Building Strong Cybersecurity for the EU,” with a focus on protection and prevention of cyberattacks. Further, the Commission announced the intention to set up a “cybersecurity competence network” and a “European Cybersecurity Research and Competence Centre,” and a recommendation to establish an EU-wide “Coordinated Response to Large Scale Cybersecurity Incidents and Crises.” It also proposed a new law – the Cybersecurity Act — to increase and make permanent ENISA’s mandate, as well as develop an EU-wide certification scheme. This Act is currently being debated in Parliament and the European Council.

All these EU efforts are essential. They include important plans and activities: increasing cybersecurity-related education and training, stepping up law enforcement activities, and accelerating cyberthreat information sharing, to name a few. They also, of course, complement an array of actions being taken by the member states individually.

Palo Alto Networks commends European policymakers for putting cybersecurity front and center.  The NIS Directive hits a key milestone today, but today is simply a stage on a journey. The EU understands that cybersecurity is essential to economic activity and growth as well as to the user confidence in online activities that underpins it.  Companies in Europe, across all sectors, must ensure their business are resilient to cyberattacks as they embrace the digital world, EU governments need secure online operations, and consumers need trust in their online experiences. Ultimately, the more all EU member states can raise the collective bar the more the global digital infrastructure will benefit.  Palo Alto Networks looks forward to continuing to contribute to Europe’s efforts.

The post The EU’s Network and Information Security (NIS) Directive Goes Live Amidst Range of Expanding Cybersecurity Efforts appeared first on Palo Alto Networks Blog.

Share this post and earn Cybytes
Facebook Twitter LinkedIn Email
About Palo Alto Networks
Palo Alto Networks is the next-generation security company maintaining trust in the digital age by helping tens of thousands of organizations worldwide prevent cyber breaches. With our deep cybersecurity expertise, commitment to innovation, and game-changing Next-Generation Security Platform, customers can confidently pursue a digital-first strategy and embark on new technology initiatives, such as cloud and mobility. This kind of thinking and know-how helps customer organizations grow their business and empower employees all while maintaining complete visibility and the control needed to protect their critical control systems and most valued data assets. Our platform was built from the ground up for breach prevention, with threat information shared across security functions system-wide, and designed to operate in increasingly mobile, modern networks. By combining network, cloud and endpoint security with advanced threat intelligence in a natively integrated security platform, we safely enable all applications and deliver highly automated, preventive protection against cyberthreats at all stages in the attack lifecycle without compromising performance. Customers benefit from superior security to what legacy or point products provide and realize a better total cost of ownership.
Promoted Content
Unit 42 Report - Ransomware: Unlocking the Lucrative Criminal Business Model
Ransomware, specifically cryptographic ransomware, has quickly become one of the greatest cyber threats facing organizations around the world. This criminal business model has proven to be highly effective in generating revenue for cyber criminals in addition to causing significant operational impact to affected organizations. It is largely victim agnostic, spanning across the globe and affecting all major industry verticals. Small organizations, large enterprises, individual home users – everyone is a potential target. Ransomware has existed in various forms for decades, but in the last several years criminals have perfected the key components of these attacks. This has led to an explosion of new malware families and has drawn new actors into participating in these lucrative schemes.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Cybrary On The Go

Get the Cybrary app for Android for online and offline viewing of our lessons.

Get it on Google Play

Support Cybrary

Donate Here to Get This Month's Donor Badge

Skip to toolbar

We recommend always using caution when following any link

Are you sure you want to continue?