In 2013, the European Commission put forward a proposal for a Directive to introduce measures ensuring a high common level of network and information security across the Union. The Network and Information Systems (NIS) Directive is the first piece of EU-wide legislation on cyber-security. The Directive came into force on August 2016 and is in the process of being transposed in national law.
What does it do?
The NIS contains a number of legal measures to boost the overall level of cyber-security in the EU by ensuring:
- requiring member states to be appropriately equipped to deal with an incident by creating a competent national NIS authority and a Computer Security Incident Response team (CSIRT);
- creating a group to support and facilitate strategic cooperation and exchange of information among member states. A CSIRT Network will also be required to promote swift and effective operational cooperation on specific cyber-security incidents and sharing information about risks;
- create a culture of security across those sectors which are vital for our economy and rely heavily upon, among other things, banking and financial market infrastructures. Businesses in these sectors identified by Member States as operators of essential services will have to take appropriate security measures and to notify serious incidents to the relevant national authority; and
- key digital service providers (search engines, cloud computing services and online marketplaces) will have to comply with new security and notification requirements.
Will it affect me?
It will be of interest as it establishes security and notification requirements for operators of essential services which will include financial services firms. Each member state is required to identify their operators of essential services by 9 November 2018, and to review and update their list at least every two years after 9 May 2018.
Member states have until April 2018 to transpose the Directive into their national laws.