The EU’s New Network Security Strategy
In addition to the General Data Protection Regulation, the Directive concerning measures for a high common level of security of network and information systems across the Union (NIS Directive) is another important component of the EU’s new network security strategy. It will also take effect in May 2018, and the Member States will have to implement the requirements laid out in the Directive into their national legislation by this time.
Unlike the EU GDPR, this Directive gives Member States some flexibility: it sets a minimum level of harmonization, so national legislation only has to be adapted where it falls below the level of protection laid down in the NIS Directive. This means that States that already have stricter statutory security requirements will not have to lower them. In Germany, for example, only parts of the IT security law that took effect in 2015 will need to be adjusted.
The NIS Directive aims to reduce the increasingly serious impact of hacker attacks and technical failures by raising security standards and ensuring closer international cooperation in this area. Such incidents currently cause damages of around 260 to 340 billion euros per year (source: ENISA).
Who Is Bound by the New Policy?
Two groups are affected by the new policy:
- Operators of what is called “essential services” and
- Digital services providers
Essential services within the meaning of the NIS Directive are services that are essential for the seamless provision of critical social and economic activities, for example energy operators, drinking water utilities and hospitals, but also operators of financial market infrastructures. These providers must be specifically named by the Member States before the Directive enters into effect; they will then have to comply with strict security requirements reflecting the state of the art and record any incidents and errors according to precise guidelines.
The Directive defines digital services as online marketplaces, search engines and cloud computing services. Their providers must also implement more stringent security measures and report any incidents; however, they will be subject to less uniform and less strict regulations than providers of essential services. The requirements apply only to companies with more than 50 employees.
A major challenge for some companies in this group, however, will be to determine whether they fall by definition into the category of providers of digital infrastructure, and thus of essential services, or into that of digital services providers. It is to be hoped that the transposition into national legislation will bring a clearer distinction between the two designations.
Nonetheless, all companies in these sectors should familiarize themselves as soon as possible with the security requirements that can be expected, so as to ensure that they can adjust their systems and procedures to the new standards in a timely manner.