EU Enacts New Law to Improve Critical Infrastructure Cybersecurity

Firms supplying essential services – such as energy, transport, banking and health, or digital services – such as search engines and cloud services, will have to improve their ability to withstand cyber attacks under the first EU-wide rules on cybersecurity, approved by the European Parliament in July.

The EU network and information security (NIS) directive is one of the first legislative frameworks that applies to platforms. In line with the Digital Single Market strategy, it establishes harmonised requirements for platforms and ensures that they can expect similar rules wherever they operate in the EU.

The new EU law lays down security and reporting obligations for “operators of essential services” in sectors such as energy, transport, health, banking and drinking water supply. EU member states will have to identify entities in these fields using specific criteria, for example, whether the service is critical for society and the economy and whether an incident would have significant disruptive effects on the provision of that service.

Some digital service providers including online marketplaces, search engines and cloud services will also have to take measures to ensure the safety of their infrastructure and will have to report major incidents to national authorities. The security and notification requirements are, however, lighter for these providers. Micro and small digital companies will be exempt from these requirements.

The new rules provide for a strategic “cooperation group” to exchange information and assist member states in cybersecurity capacity-building. Each EU country will be required to adopt a national NIS strategy.

Member states will also have to set up a network of Computer Security Incident Response Teams (CSIRTs) to handle incidents and risks, discuss cross-border security issues and identify coordinated responses. The European Network and Information Security Agency will play a key role in implementing the directive, particularly in relation to cooperation. The need to respect data protection rules is reiterated throughout the directive.

EU member states have 21 months to transpose the directive into their national laws and six additional months to identify operators of essential services.

Kylie Bull began her career in television news at ITN in the UK before moving to print journalism. She has been an editor at IHS Jane's for sixteen years, where she continues today, and was recently the managing editor at Homeland Security Today. Bull has reported on a wide variety of security, geopolitical and counterterrorism subjects and has interviewed world leaders such as Russian President Vladimir Putin and UK Prime Minister Theresa May.

ON DEMAND: Business-impacting events such as severe weather, man-made disasters, and supply chain disruption are increasing in frequency and making impacts around the globe.

In today's rapidly evolving security landscape, organizations face an ever-growing array of disruptive events, security threats and risks. Traditional reactive approaches to security intelligence often leave businesses vulnerable and ill-prepared to anticipate and mitigate emerging threats that could impact the safety of their people, facilities or operations.

EU Enacts New Law to Improve Critical Infrastructure Cybersecurity

Get our new eMagazine delivered to your inbox every month.

Stay in the know on the latest enterprise risk and security industry trends.

EU Enacts New Law to Improve Critical Infrastructure Cybersecurity

Share This Story

Related Articles

Get our new eMagazine delivered to your inbox every month.

Stay in the know on the latest enterprise risk and security industry trends.