The new directive for a high common level of security of network and information systems (NIS) across the Union aims to end the current fragmentation of 28 national cybersecurity systems, by listing sectors in which critical service companies will have to ensure that they are robust enough to resist cyber-attacks. These will also be required to report serious security breaches to national authorities.
EU member states will have to identify concrete operators of essential services in these fields, using set criteria: whether the service is critical for society and the economy, whether it depends on network and information systems and whether an incident could have significant disruptive effects on service provision or public safety.
Some digital service providers, such as online marketplaces, search engines and clouds, will also have to take measures to ensure the safety of their infrastructure and will have to report major incidents to national authorities. Micro and small digital companies will be excluded from the scope of the directive.
Each EU member state will also have to set up a network of Computer Security Incident Response Teams (CSIRTs), to handle incidents and risks, discuss cross-border security issues and identify coordinated responses. The European Network and Information Security Agency (ENISA) will also play a key role in implementing the directive, particularly in relation to cooperation.
Every day we send out a free e-mail with the most important headlines of the last 24 hours.
Subscribe now