Cybersecurity of network and information systems

SUMMARY OF:

Directive (EU) 2016/1148 — cybersecurity of network and information systems

WHAT IS THE AIM OF THE DIRECTIVE?

It proposes a wide-ranging set of measures to boost the level of security of network and information systems (cybersecurity*) to secure services vital to the EU economy and society. It aims to ensure that EU countries are well-prepared and are ready to handle and respond to cyberattacks through:

• the designation of competent authorities,
• the set-up of computer-security incident response teams (CSIRTs), and
• the adoption of national cybersecurity strategies.

It also establishes EU-level cooperation both at strategic and technical level.

Lastly, it introduces the obligation on essential-services providers and digital service providers to take the appropriate security measures and to notify the relevant national authorities about serious incidents.

KEY POINTS

Improving national cybersecurity capabilities

EU countries must:

• designate one or more national competent authorities and CSIRTs and identify a single point of contact (in case there is more than one competent authority);
• identify providers of essential services in critical sectors such as energy, transport, finance, banking, health, water and digital infrastructure where a cyberattack could disrupt an essential service.

EU countries must also put in place a national cybersecurity strategy for network and information systems*, covering the following issues:

• being prepared and ready to handle and respond to cyberattacks;
• roles, responsibilities and cooperation of government and other parties;
• education, awareness-raising and training programmes;
• research and development planning;
• planning to identify risks.

The national competent authorities monitor the application of the directive by:

• assessing the cybersecurity and security policies of providers of essential services;
• supervising digital service providers;
• participating in the work of the cooperation group (comprising network and information security (NIS) competent authorities from each of the EU countries, the European Commission and the European Union Agency for Network and Information Security (ENISA));
• informing the public where necessary to prevent an incident or to deal with an ongoing incident, while respecting confidentiality;
• issuing binding instructions to remedy cybersecurity deficiencies.

The CSIRTs are responsible for:

• monitoring and responding to cybersecurity incidents;
• providing risk analysis and incident analysis and situational awareness;
• participating in the CSIRTs network;
• cooperating with the private sector;
• promoting the use of standardised practices for incident and risk-handling and information classification.

Security and notification requirements

The directive aims to promote a culture of risk management. Businesses operating in key sectors must evaluate the risks they run and adopt measures to ensure cybersecurity. These companies must notify the competent authorities or CSIRTs of any relevant incident, such as hacking or theft of data, that seriously compromises cybersecurity and has a significant disruptive effect on the continuity of critical services and the supply of goods.

To determine incidents to be notified by providers of essential services*, EU countries should take into account an incident’s duration and geographical spread, as well as other factors, such as the number of users relying on that service.

Key digital service providers (search engines, cloud computing services and online marketplaces) will also have to comply with the security and notification requirements.

Improving EU-level cooperation

The directive sets up the cooperation group whose tasks include:

• providing guidance to the CSIRTs network;
• exchange best practice on the identification of providers of essential services;
• assisting EU countries in building cybersecurity capabilities;
• sharing information and best practice on awareness-raising and training, research and development;
• sharing information and collecting best practice on risks and incidents;
• discussing modalities of incident notification.

It also sets up the CSIRT network comprising representatives of EU countries’ CSIRTS and the Computer Emergency Response Team (CERT-EU). Its tasks include:

• sharing information on CSIRT services;
• sharing information concerning cybersecurity incidents;
• supporting EU countries in the response to cross-border incidents;
• discussing and identifying a coordinated response to an incident reported by an EU country;
• discussing, exploring and identifying further forms of operational cooperation, including:
  • categories of risks and incidents;
  • early warnings;
  • mutual assistance;
  • co-ordination between countries responding to risks and incidents which affect more than one EU country;
• informing the cooperation group of its activities and requesting guidance;
• discussing lessons learnt from cybersecurity exercises;
• discussing the capabilities of individual CSIRTs at their request;
• issuing guidelines on operational cooperation.

Penalties

EU countries must apply effective, proportionate and dissuasive penalties to ensure that the terms of this directive are applied.

FROM WHEN DOES THIS DIRECTIVE APPLY?

It applies from 8 August 2016. EU countries have to incorporate it into national law by 9 May 2018, and identify providers of essential services by 9 November 2018.

BACKGROUND

• Cybersecurity (European Commission)
• Cybersecurity: The Commission scales up its response to cyber attacks — press release (European Commission)
• Directive on Security of Network and Information Systems — press release (European Commission)
• Resilience, Deterrence and Defence: Building strong cybersecurity in Europe — factsheet (European Commission).

KEY TERMS

MAIN DOCUMENT

Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union (OJ L 194, 19.7.2016, pp. 1-30)

RELATED DOCUMENTS

Commission Implementing Regulation (EU) 2018/151 of 30 January 2018 laying down rules for application of Directive (EU) 2016/1148 of the European Parliament and of the Council as regards further specification of the elements to be taken into account by digital service providers for managing the risks posed to the security of network and information systems and of the parameters for determining whether an incident has a substantial impact (OJ L 26, 31.1.2018, pp. 48-51)

Commission Implementing Decision (EU) 2017/179 of 1 February 2017 laying down procedural arrangements necessary for the functioning of the Cooperation Group pursuant to Article 11(5) of the Directive (EU) 2016/1148 of the European Parliament and of the Council concerning measures for a high common level of security of network and information systems across the Union (OJ L 28, 2.2.2017, p. 73-77)

Communication from the Commission to the European Parliament and the Council: Making the most of NIS – towards the effective implementation of Directive (EU) 2016/1148 concerning measures for a high common level of security of network and information systems across the Union (COM(2017) 476 final 2, 4.10.2017)

Commission Recommendation (EU) 2017/1584 of 13 September 2017 on coordinated response to large-scale cybersecurity incidents and crises (OJ L 239, 19.9.2017, pp. 36-58)

Joint communication to the European Parliament and the Council — Resilience, Deterrence and Defence: Building strong cybersecurity for the EU (JOIN(2017) 450 final, 13.9.2017)

Commission staff working document — Assessment of the EU 2013 cybersecurity strategy (SWD(2017) 295 final, 13.9.2017)

Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (OJ L 257, 28.8.2014, pp. 73-114)

Council Decision 2013/488/EU of 23 September 2013 on the security rules for protecting EU classified information (OJ L 274, 15.10.2013, pp. 1-50).

Successive amendments to Decision 2013/488/EU have been incorporated into the original document. This consolidated version is of documentary value only.

Directive 2013/40/EU of the European Parliament and of the Council of 12 August 2013 on attacks against information systems and replacing Council Framework Decision 2005/222/JHA (OJ L 218, 14.8.2013, pp. 8-14)

Regulation (EU) No 526/2013 of the European Parliament and of the Council of 21 May 2013 concerning the European Union Agency for Network and Information Security (ENISA) and repealing Regulation (EC) No 460/2004 (OJ L 165, 18.6.2013, pp. 41-58)

Joint communication to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions — Cybersecurity Strategy of the European Union: An open, Safe and Secure Cyberspace (JOIN(2013) 1 final, 7.2.2013)

last update 01.03.2018