Europe Passes Landmark Cybersecurity Law
What's New: Minimum Security Standards, Breach Reporting, Coordination
The European Union this week passed legislation that will impose minimum cybersecurity measures on organizations as well as require enterprises across multiple sectors - including the likes of Amazon and Google - to report security breaches to authorities (see EU Hammers Out Cybersecurity Rules).
The new law, known as the Network and Information Security Directive, was approved by the European Council in December 2015 and voted through on Wednesday by the European Parliament in Strasbourg, France. The law is expected to go into force in August, after which EU member states will have 21 months to implement the directive - by transposing it into new, national laws of their own crafting - as well as six months more to identify operators of critical services inside their borders, as the directive requires.
"The adoption of the first EU-wide legislation on cybersecurity will support and facilitate strategic cooperation between member states as well as the exchange of information," says European Commissioner Günther H. Oettinger. "I am now calling on member states to make the most of new cooperation mechanisms."
Seeking Better EU Cybersecurity
Andrus Ansip, the European Commission's vice president for the Digital Single Market - an effort to make the EU more competitive in the online sphere - says the new directive is an essential step toward better online security across all EU countries.
"The Directive on Security of Network and Information Systems ... requires companies in critical sectors - such as energy, transport, banking and health - to adopt risk management practices and report major incidents that can affect the Digital Single Market to their national authorities," Ansip says. "It also obliges online marketplaces, cloud computing services and search engines to take similar security steps."
Under the Network and Information Security Directive, all EU member states must:
- Strategize: Create a national strategy on the security of network and information systems, "defining the strategic objectives and appropriate policy and regulatory measures."
- Define: Identify all public and private operators of "essential services" - across energy, transport, banking, financial market infrastructure, health, water and digital infrastructure sectors - and define "appropriate security measures" as well as thresholds requiring organizations to report any security incidents they suffer to national authorities. The same goes for all online marketplaces, cloud computing services and search engine providers, excepting small businesses.
- Coordinate: Maintain national computer security incident response teams - a.k.a. computer emergency response teams - "to rapidly react to cyber threats and incidents" as well as work closely with other EU member states' CSIRTs. Such activities will be coordinated by the EU Agency for Network and Information Security, a.k.a. ENISA.
- Cooperate: Participate in a new "Cooperation Group" between member states designed "to support and facilitate strategic cooperation as well as the exchange of information, and to develop trust and confidence," backed by forthcoming European Commission recommendations on improving cross-border cooperation in the wake of a major online attack.
The Commission says it also plans to conduct a thorough evaluation of ENISA to "assess whether ENISA's mandate and capabilities remain adequate to achieve its mission of supporting EU member states in boosting their own cyber resilience."
Public-Private Partnership on Cybersecurity
Tied to the new directive, and as part of the EU's Horizon 2020 program, which has earmarked €80 billion ($89 million) to support science and innovation, EU officials this week also announced the first-ever European public-private partnership on cybersecurity.
"Without trust and security, there can be no Digital Single Market," Ansip says. "We are proposing concrete measures to strengthen Europe's resilience against such attacks and secure the capacity needed for building and expanding our digital economy."
The cybersecurity partnership will receive €450 million ($499 million) in funding. "This partnership will also include members from national, regional and local public administrations, research centers and academia," according to the European Commission. "The aim of the partnership is to foster cooperation at early stages of the research and innovation process and to build cybersecurity solutions for various sectors, such as energy, health, transport and finance."
The EU is currently made up of 28 member states. But after last month's so-called Brexit referendum, a majority of voters in the United Kingdom voted to leave the EU. So far, however, Britain has yet to invoke Article 50 of the Treaty on European Union, which would launch exit negotiations between the U.K. and the EU that could last up to 24 months, barring extensions.
Until that separation is negotiated, U.K. organizations would likely still be required to comply with EU laws - including the Network and Information Security Directive - although not be able to take advantage of programs such as Horizon 2020.
But it's unclear whether Britain's Parliament will transpose the new directive into British law, as EU law requires; if it does not, U.K. organizations would have no national law to comply with.
On the other hand, if Britain wants to enjoy continued access to the EU "Single Market," it may be required to demonstrate that it abides by and enforces at a national level EU cybersecurity standards, among other EU laws (see UK Must Comply With EU Privacy Law, Watchdog Argues).