Passage of EU NIS Directive Is a Milestone, But Next Steps Matter Even More

Today, with a plenary vote in the European Parliament, the EU took the near-final step in enacting its groundbreaking cybersecurity legislation, the Network and Information Security (NIS) Directive. This is the result of more than three years of effort by the European Commission, Council and Parliament, working with stakeholders from Europe and around the world. Proposed in response to growing concerns about cyberthreats, and in an attempt to raise the cybersecurity and resilience of network and information systems in EU member states, this is the first time the EU has legislated specifically on cybersecurity. Notably, the Directive frames cybersecurity in an economic and societal context, observing its importance in underpinning economic activities and growth as well as user confidence in online activities, and thus also in facilitating the internal EU market. The Directive will soon be published in the Official Journal of the European Union and will come into force 20 days after that. EU member states will then have 21 months to transpose it into national laws.

With implications for both industry and member states, the Directive establishes security and incident notification requirements for “operators of essential services” (e.g., providers of energy, transportation, healthcare services) and, to a less stringent extent, “digital service providers” (online marketplaces, online search engines, and cloud service providers). It requires member states to adopt national NIS strategies; to designate national competent authorities; and to have “well-functioning” computer security incident response teams (CSIRTs) to detect, prevent, and respond to cyber incidents and risks. It emphasizes coordination among member states, setting up a CSIRT network (also to include CERT-EU) to promote swift and effective operational cooperation, and a “cooperation group” to support and facilitate strategic cooperation and information exchange.

Although today’s vote is a milestone, the next steps matter more. In turning the Directive’s prose into action through national implementation, member states must prioritize consistency. Operators of essential services and digital service providers need a sense of regulatory predictability. Under the Directive, member states determine which entities meet the criteria for “operators of essential services.” The Directive provides a common methodology to do so and directs member states to consult with each other when looking at companies serving multiple EU markets, which so many do. This is key—disparate methodologies or divergent views of what constitutes an “operator of essential service” could lead to confusion and possible misallocation of security resources. The same goes for member states’ authority to further define the security and incident notification requirements for operators of essential services: despite the flexible implementation allowed for by the Directive, consistency should be the goal.

Harmonized approaches to cybersecurity are an essential ingredient in improving cybersecurity worldwide. Cybersecurity resources are scarce in both government and industry and any redundant or inconsistent activities or requirements could divert resources from where security is needed and from the ability to develop responses to constantly evolving cybersecurity threats. Coordination is needed not just within the EU. We urge member states, the Commission, Parliament, and the EU Agency for Network and Information Security (ENISA) to continue to engage with governments and industry outside of Europe to ensure maximum alignment as the NIS Directive is fleshed out.

Many actions EU member states must take in terms of their own strategies and activities would, if implemented and resourced sufficiently, have great potential in raising the cybersecurity bar. For example, the CSIRT network is an important addition to the international CSIRT (CERT) community. Palo Alto Networks works with many CSIRTs across the EU and NATO. We look forward to working with others as they get up and running and to helping them start off strongly. Significantly, the Directive encourages member states’ CSIRTS to participate in international cooperation networks in addition to the CSIRT network established in the Directive. Cybersecurity threats are global, and cooperation among CSIRTs around the world helps pool knowledge and resources to address these common threats. In another example, the Directive requires member states to have national NIS strategies that include cyber education and raising awareness, which plays an important role in helping companies to assess and manage their cyber risks and citizens to better protect themselves when online.

The Directive instructs member states to ensure competent authorities have adequate technical, financial, and human resources to carry out their tasks effectively and efficiently. Cybersecurity resources are tight for governments everywhere, but we hope member states allocate what they can. To this end, partnerships are key. The Directive gives ENISA a variety of roles, such as, if needed, helping member states develop their strategies and establish CSIRTs. If member states also take advantage of the considerable industry expertise that exists, we can all improve cybersecurity more quickly.

We commend European policymakers for taking steps to put cybersecurity front and center. Moving forward, member states’ activities to implement the Directive will vary, given their different levels of preparedness. Some, notably Germany, France and the Netherlands, have worked on cybersecurity for years and introduced or passed their own cybersecurity laws in advance of the NIS Directive. They may need only to make small adjustments to align with the Directive’s minimum requirements, if at all. Other member states will benefit more substantively from the Directive’s guidance. Ultimately, the more all EU member states can raise the collective bar the more the global digital infrastructure will benefit.