The European Parliament has approved the Network and Information Security Directive, which aims to improve the security of information and communications technology systems across the EU.
According to EU Commissioner Neelie Kroes, MEPs will now work with the EU Council on a final text for the directive, with the aim of reaching agreement by end-2014.
The European Commission published its original proposals for a directive on Network Information Security on 7th February 2013. The Directive intends to boost trust and smooth the functioning of the European internal market. Regulatory obligations would create a level playing field and close existing legislative loopholes.
The Directive promotes robust network and information security for all critical national infrastructure. Its objectives include establishing national authorities to collate and share information regarding threats and attacks; introducing mandatory reporting of significant breaches, which may be made public at the discretion of the national authority; and imposing sanctions for failure to meet required standards.
The Directive has proven controversial. Stakeholders have challenged its scope and its overlap with existing regulation, sought greater clarity on which breaches must be reported, and resisted the principle of mandatory reporting and the risk of subsequent publicity.
Network Information Security Directive - key proposals
- Member States will have to put in place a minimum level of national capabilities by establishing NIS national competent authorities, by setting up well-functioning Computer Emergency Response Teams (CERTs), and by adopting national NIS strategies and national NIS cooperation plans;
- NIS national competent authorities will have to exchange information and to cooperate so as to counter NIS threats and incidents;
- operators of critical infrastructure (such as energy, transport, banking, stock exchanges, healthcare), key Internet enablers (e-commerce platforms, social networks, etc.) and public administrations will be required to assess the risks they face and to adopt appropriate and proportionate measures to ensure NIS. These entities will also be required to report to competent authorities incidents with a significant impact on the core services they provide.
EU Parliamentary revisions
The European Parliament's revisions to the Network Information Security Directive included proposals to:
- focus the Directive’s scope on infrastructure operators, including certain financial institutions, and remove ‘key internet enablers’ such as social media and e-commerce platforms;
- propose greater clarity for when a cyber incident would be sufficiently ‘significant’ to trigger an obligation to report it to a designated national authority; and
- propose some degree of comfort for companies that do report an incident by limiting the circumstances in which they would be subject to a legal penalty.
Following approval of the Network Information Security Directive on 13th March 2014, Commissioner Kroes said:
"Now we must all engage closely with the Member States, make sure that they realise the importance of this issue, and aim for a final agreement by the end of 2014.
But speed should not be at the expense of substance. People need to regain trust in technology, with the legal safeguards that protect their interests.
My ambition is to make Europe the world's safest online space. I hope that the European Parliament and national Governments share this ambition."