Companies which supply essential services – such as energy, transport, banking, health or digital services such as cloud services and search engines – will be required to achieve minimum standards of cyber-security under new EU-wide rules adopted by the EU Parliament today.
The EU network and information security (NIS) directive sets common cyber-security standards and aims to step up cooperation among EU countries and service providers. According to its supporters, it will help prevent attacks on EU countries' interconnected infrastructure.
"Cyber-security incidents very often have a cross-border element and therefore concern more than one EU member state. Fragmentary cyber-security protection makes us all vulnerable and poses a big security risk for Europe as a whole,” said Parliament's rapporteur Andreas Schwab, MEP for Germany. “This directive will establish a common level of network and information security and enhance cooperation among EU member states, which will help prevent cyberattacks on Europe's important interconnected infrastructures in the future.”
He added: "[NIS] is also one of the first legislative frameworks that applies to platforms. In line with the Digital Single Market strategy, it establishes harmonised requirements for platforms and ensures that they can expect similar rules wherever they operate in the EU. This is a huge success and a big first step to establishing a comprehensive regulatory framework for platforms in the EU.”
It lays down cyber-security and reporting requirements for “operators of essential services” which includes energy, transport, health, banking and drinking water. Individual member states are responsible for identifying the organisations which will fall under the directive in their respective jurisdictions.
Digital service providers such as cloud services and search engines have a new obligation to report major incidents to a national computer security incident response team (CSIRT). The European Network and Information Security Agency (ENISA) will help member states in cross-border cooperation.
The directive will be published in the EU Official Journal. Member states will have 21 months to adopt the directive into national laws and six additional months to identify critical infrastructure operators.