The European Commission, together with the High Representative of the Union for Foreign Affairs and Security Policy, has today published a CyberSecurity Strategy alongside a Commission proposed Directive on Network and Information Security (“NIS”).
While much of the Strategy and Directive is aimed at Member State governments (e.g., to improve capabilities and cooperation to prevent and respond to cyber-attacks), several proposals target private companies in the energy, transport, financial services and health sectors, as well as “enablers of key internet services” such as providers of cloud computing services, app stores, e-commerce platforms, internet payment gateways, search engines and social networks.
These companies would be required, under the Directive, to implement security measures to “guarantee a level of security appropriate to the risk presented . . . having regard to the state of the art”.
Further, they would have to notify competent national authorities of any security incident that has a significant impact on the continuity of the core services they provide — effectively extending current EU incident reporting requirements, which only apply to communication network and service providers, to a broad universe of private sector companies. To be clear, this incident reporting obligation is separate from and additional to the proposal for all companies to report breaches of personal data to national supervisory authorities under the Commission's 2012 proposal for a General Data Protection Regulation.
The Commission also intends to launch “a platform on NIS solutions” to develop “incentives for the adoption of secure ICT solutions” — considering technical norms, standards and possibly EU-wide certification schemes — to be applied to ICT products used in Europe, and to make recommendations to ensure cybersecurity across the ICT value chain. The Commission will also examine how major providers of ICT hardware and software could inform national competent authorities of detected vulnerabilities that could have significant security implications.
The EU institutions will now start to review the Strategy and proposed Directive. The process to adopt the Directive could take two years, at which point Member States will be required to implement the legislation into national laws, which could take another 18 months or more.