The Council of the EU said Wednesday that it has adopted new cybersecurity rules, the directive on security of network and information systems, intended to make networks and information systems across the European Union more secure. The directive is the main legislative action under the EU cyber security strategy, which sets out how the EU plans to prevent and respond to disruptions and attacks affecting Europe's telecommunications systems.
As proposed, the directive sets a minimum level of security for digital technologies, networks and services across all member states, and makes it compulsory for certain businesses and organizations to report significant cyber incidents. The entities covered include search engines, cloud providers, social networks, public administrations, online payment platforms such as PayPal, and major e-commerce websites such as Amazon.
The EU cyber security strategy sets out the EU's approach to preventing and responding to cyber disruptions and attacks. It details a series of actions to improve the cyber resilience of IT systems, reduce cybercrime, and strengthen the EU's international cyber security policy and cyber defense.
The strategy sets out plans to address challenges under five priority areas:
- Achieving cyber resilience
- Drastically reducing cybercrime
- Developing cyber defense policy and capabilities related to the EU's common security and defense policy (CSDP)
- Developing the industrial and technological resources for cyber security
- Establishing a coherent international cyberspace policy for the EU
One of the main actions under the strategy is the draft directive on network and information security.
The move follows a steady rise in reported cyber-attacks. Today's IT systems can be seriously disrupted by security incidents, whether caused by technical failures, malware or deliberate attacks. Such incidents, referred to as network and information security (NIS) incidents, are becoming more frequent and harder to deal with.
The draft directive on network and information security (NIS) is a central element of the cyber security strategy. It would require all EU member states, key internet companies and infrastructure operators (such as e-commerce platforms, social networks, and transport, banking and healthcare services) to ensure a secure and trustworthy digital environment throughout the EU. Because the current approach to NIS relies on voluntary action, national capability and the level of private sector involvement and preparedness vary considerably between member states. The draft directive aims to level the playing field by introducing harmonized rules that apply in all EU countries.
The proposed measures include:
- A requirement for each EU member state to adopt an NIS strategy and designate a national NIS authority with adequate resources to prevent, handle and respond to NIS risks and incidents
- The creation of a cooperation mechanism among member states and the Commission to share early warnings on risks and incidents, exchange information, and counter NIS threats and incidents
- A requirement for certain digital companies and services to adopt risk management practices and report major IT security incidents to the competent national authority
The companies and services covered by that third measure would include:
- critical infrastructure operators in sectors such as financial services, transport, energy and health
- IT service companies, including app stores, e-commerce platforms, internet payment platforms, cloud computing platforms, search engines and social networks
- public administrations
The reporting requirement is intended to foster a culture of risk management and to ensure that information about incidents is shared between the private and public sectors.
By introducing consistent risk management measures and systematic incident reporting, the directive would help sectors that depend on IT systems become more reliable and stable.
Once in force, member states have 21 months to transpose the directive into national law, and a further six months to identify the operators of essential services that fall under it. The directive entered into force in August 2016, so transposition is due by May 2018 and the identification of operators of essential services by November 2018.