My project topic in my European Union: House Divided class was the introduction and implementation of the Network and Information System Security Directive. The following is an abridged version of the research paper.
In May of 2018, the European Union will have fully taken on a new directive on security of network and information systems (NIS) as law. Life for this directive started in February of 2013, when the Commission put forward a proposal to impose high levels of security across the bloc. A month later, the directive was negotiated by the Council and the Parliament. After three years of going through the political process, the directive finally entered into force. Member states were given twenty-one months to adopt the new provisions, and this period ends in May 2018.
This is an important step forward for Europe to become a large player in the digital world. Every year, incidents resulting from a lack of security and resilience cause losses of 260 to 340 billion euros. The NIS Directive will push a minimum standard of security for networks, digital services, and technologies to each member state. Nearly every government and private organization now uses information systems to operate. Whether they are used to make transactions, hold employment information, or control infrastructure, all of these systems can be targeted by an attack with wide-reaching and potentially life-threatening effects. The NIS Directive aims to mitigate damage to essential services and to services provided digitally. More specifically, this includes essential services such as energy, transportation, banking and financial infrastructure, telecommunications, health, and water supply. It also includes digitally hosted services such as online marketplaces, search engines, and cloud computing services.
In addition to meeting the new security standards, organizations are also required to report security incidents to the appropriate authorities. After an incident is reported, an assessment is made to determine any cross-border impact. If another member state is affected, that member state will be informed of the incident. This allows the incident to be handled much faster, which could prevent further damage. The organization will then receive support from the authority in handling the incident, including public disclosure if necessary to help manage the impact of the incident.
Since each member state will have to adopt the NIS strategy, each has a lot of requirements to fulfill. Each member state must define national cybersecurity agencies, points of contact, and incident response teams. In addition, each member state must enact an NIS cooperation plan. The state must designate at least one competent authority to be in charge of network and information systems. That authority will then be in charge of monitoring the application of the directive at the national level. As for incident response teams, each state has to develop a computer security incident response team (CSIRT) and ensure it has the resources and capability to run effectively. Each member must also identify its operators of essential services. After that, the state must assess the disruptive effect of each service and account for “cross-sectoral factors.”
Another part of this directive is cooperation between the member states. To achieve this, the directive sets up a strategic Cooperation Group. It will be made up of representatives from the Commission and from each member state, along with representatives from the European Union Agency for Network and Information Security. The objective of the group will be to develop guidelines for the CSIRT network that will exist across the bloc. Below the Cooperation Group is the previously mentioned CSIRT Network. It will support states involved in cross-border incidents, exchange security practices, and help states build capacity in NIS.
The organization Palo Alto Networks sponsored a white paper on the NIS Directive. Within the paper there are several statistics from organizations on the new directive. One of the survey questions was “Do you think that the NIS Directive applies to your organization?”, and several organizations did not understand its applicability to them. When designated (applicable) organizations were asked, 91% understood that the NIS Directive applied to them; the other 9% were either unsure or said no. When non-designated organizations were asked the same question, 72% said no (the correct answer), while the other 28% said yes or were unsure.
This is an important step towards a more secure nation. The NIS directive can be improved upon, but it is still robust enough to make a large impact.