The Directive on security of Network and Information Systems (NIS Directive) is here


“Over the past few years, the European Commission has adopted a series of measures to raise Europe’s preparedness to ward off cyber incidents. The NIS Directive is the first piece of EU-wide legislation on cybersecurity.”

The Directive on security of network and information systems (the NIS Directive) was adopted by the European Parliament on 6 July 2016. European Commission Vice-President Andrus Ansip, responsible for the Digital Single Market, and Commissioner Günther H. Oettinger issued a statement on this occasion. The Directive will enter into force in August 2016. Member States will have 21 months to transpose the Directive into their national laws and 6 months more to identify operators of essential services.

The NIS Directive provides legal measures to boost the overall level of cybersecurity in the EU by ensuring:

  • Member States' preparedness, by requiring them to be appropriately equipped, e.g. via a Computer Security Incident Response Team (CSIRT) and a competent national NIS authority;
  • cooperation among all the Member States, by setting up a cooperation group to support and facilitate strategic cooperation and the exchange of information among Member States. They will also need to set up a CSIRT Network to promote swift and effective operational cooperation on specific cybersecurity incidents and to share information about risks;
  • a culture of security across sectors which are vital for our economy and society and which rely heavily on ICTs, such as energy, transport, water, banking, financial market infrastructures, healthcare and digital infrastructure. Businesses in these sectors that are identified by the Member States as operators of essential services will have to take appropriate security measures and notify serious incidents to the relevant national authority. Key digital service providers (search engines, cloud computing services and online marketplaces) will also have to comply with the security and notification requirements under the new Directive.

1. What does that mean for the Bank (and other Critical Infrastructures)?

1. Proactively, we need to strengthen our “Incident management” process (and policy) regarding Cyber Security at group level:

  • record all incidents related to “network and information systems”;
  • perform a risk analysis of incidents;
  • establish a security and notification process towards the authorities (already in place under certain conditions; to be formalised where required).

2. Review regional directives and decisions (BE, LU, FR, SP, CH, ...) to determine whether there are regional constraints on our current business or possible blocking points (legal screening, 19 Oct. 2018, to be ready).

2. More:

In addition to the requirements on Member States to implement the required cybersecurity capabilities and governance models, the NIS Directive sets out certain obligations for two groups of entities, namely “operators of essential services” and “digital service providers.”

“Operators of essential services” are those operators within the energy, transport, banking, financial market infrastructure, health, water, and digital infrastructure sectors that are identified by Member States within 27 months after the date the Directive becomes effective. These businesses will have to take steps to “prevent and minimise” the impact of incidents affecting the network and information systems they use, with a view to “ensuring the continuity of those services,” thereby requiring both preventative and business continuity capabilities and processes. In addition, operators of essential services will have to notify the relevant competent authority or the CSIRT of incidents having a “significant impact on the continuity of the essential services” that they provide. Whether an incident is significant is to be determined by reference to high-level parameters set out in the Directive, which each Member State will need to define further in order for the parameters to be practically usable.

In certain circumstances, competent authorities or CSIRTs will be required to share details of incidents notified to them by operators of essential services and digital service providers with other Member States. This has raised some concerns among our clients in relation to security, confidentiality and issues of general incident management.
