by Bharat Mistry
It’s been a long time coming, but Europe finally looks set to get a harmonised cyber security law fit for the 21st century. On Monday, MEPs and the Council of Ministers agreed the wording of the Network and Information Security Directive (NIS). It will require “operators of essential services” to take “appropriate” security measures and to notify the national authorities of incidents that have a significant impact on the service they provide.
The proposed directive will be overwhelmingly positive in the long run – for improving Europe’s information security, information sharing and incident response. But it also signals the start of an intensely busy time for CISOs all over the region as they scramble to meet a whole new set of requirements.
A long time coming
NIS has been several years in the making. In that time Europe has not yet suffered a truly catastrophic cyber attack on critical infrastructure, but the warning signs are there. Nation states, financially motivated cybercriminals and hacktivists all have the tools to mount targeted attacks aimed at disrupting operations or stealing valuable IP and customer data. Then there are the incidents caused by human error and technical failure. ENISA, the EU’s network and information security agency, estimates that these combined threats cause annual losses of around €260-€340 billion (£189-£247bn).
The financial services sector is perhaps the most regularly targeted by attackers, given the wealth of sensitive data it holds, but others are at risk too. That’s why the NIS directive aims to raise security standards among essential operators in the energy, transport, banking, financial market infrastructure, health and water supply sectors, alongside some providers of online marketplaces, search engines and cloud services. Smaller firms will be exempt, although the details are still being worked out.
What happens next?
- The provisionally-agreed text needs to be formally approved by Parliament’s Internal Market Committee and the Council Committee of Permanent Representatives
- Member states will then have 21 months to implement the Directive into national laws
- Member states will also have to identify concrete “operators of essential services” from these sectors
- A “strategic cooperation group” will be set up to exchange info and best practices, draw up guidelines and help member states with “cybersecurity capacity building”
- A network of Computer Security Incidents Response Teams (CSIRTs) will be set up to co-ordinate responses to cross-border and internal threats
- Incidents with a significant impact on the continuity of an essential service will have to be reported to the relevant national authority or CSIRT
As with any proposed legislation, the devil is in the detail. But NIS is likely to apply to a large swathe of organisations in the sectors above. The question CISOs must ask themselves now is: “Do I have an appropriate level of security in place?” In many cases, breach detection, response and reporting will need to improve. The very fact that notification is to be mandated will focus CEO minds on security. That pressure comes on top of the European General Data Protection Regulation, which is mooting fines of up to 5% of global annual turnover for serious infractions.
Cyber security has never had a higher profile at European policy-making level, and boards will also be forced to raise it up their agendas. That means more work, but potentially more resources too, for the under-pressure CISO. The message is simple: start planning now so you are not left with too much to do come deadline day.