The European Parliament has voted to adopt a set of measures aimed at bolstering resilience to digital threats and improving cybersecurity cooperation and info sharing across its 28 Member States.
The Directive on Security of Network and Information Systems (NIS) was proposed back in 2013 but agreed by the European Commission yesterday and adopted by the parliament today.
The directive also places requirements on European companies in critical sectors — including energy, transport, banking and health — as well as on “key Internet services”, to adopt risk management practices and report major incidents to national authorities.
“Businesses in these sectors that are identified by the Member States as operators of essential services will have to take appropriate security measures and to notify serious incidents to the relevant national authority,” the EC notes.
Key digital service providers — such as search engines, cloud computing services and online marketplaces — will also have to comply with the security and notification requirements.
Digital infrastructure entities covered by the directive include Internet exchange points, domain name system service providers and top level domain name registries.
On the cross-border cooperation front, the directive includes a plan to create a network of Computer Security Incident Response Teams across the EU to respond more rapidly to cyber threats and incidents.
A Cooperation Group will also be established to link Member States and support and facilitate “strategic cooperation” as well as fostering information sharing.
The overarching aim of the directive is to offer a more unified approach to dealing with security threats across the region, including by tackling market fragmentation which the EC believes could be hampering European security businesses.
On the market fragmentation issue, the EC is considering whether to establish a common European certification framework for ICT security products to reduce red tape.
It also said it intends to “explore” ways to support security startups scaling up by making it easier to access investment, via the EU investment plan.
Public private partnership focused on security startups
The EC is also aiming to give a big boost to the development of regional technologies to counter cyber threats by encouraging more security-focused startups to be founded in Europe. Yesterday it announced a public-private partnership (PPP) focused on injecting funds into cybersecurity research and innovation.
The Commission is set to invest €450 million in the PPP via its research and innovation Horizon 2020 program. But it said it expects “cybersecurity market players” to invest three times more than it’s putting into the PPP — so it’s hoping to trigger a total of €1.8 billion in cyber security investment via the initiative.
As well as startups and the tech industry, it’s hoping to encourage governments, research centers and academia to get involved.
It’s set up a not-for-profit association called the European Cyber Security Organisation to represent the market players.
“The aim of the partnership is to foster cooperation at early stages of the research and innovation process and to build cybersecurity solutions for various sectors, such as energy, health, transport and finance,” it said yesterday.
Some highlighted technical areas where funds may be funneled include:
- Assurance and security / privacy by design
- Identity, access and trust management (e.g. identity and access management, trust management)
- Data security (e.g. data protection techniques, privacy-aware big data analytics, secure data processing, secure storage; user empowerment, operations on encrypted data)
- Protection of the ICT Infrastructure (cyber threats management, network security, system security, cloud security, trusted hardware/end point security/mobile security)
- Cybersecurity services (e.g. auditing, compliance and certification, risk management, cybersecurity operation, security training services)
A number of non-technical areas are also flagged, including education, training and skills development.
“Specific gaps persist in the fast-moving area of technologies and solutions for online network security and a more joined-up approach can help step up the supply of more secure solutions by industry in Europe and stimulate their take-up by enterprises, public authorities, and citizens,” the EC notes in a memo.
The Commission said it expects the first calls for proposals related to the PPP under Horizon 2020 in the first quarter of 2017.
The EU executive body’s focus on cybersecurity is generally aimed at boosting consumer trust in digital services as part of its wider Digital Single Market strategy.
Commenting on the adoption of the NIS directive in a statement today, EC VP Andrus Ansip dubbed it the “first comprehensive piece of EU legislation on cybersecurity and a fundamental building block for our work in this area”.
“The rules adopted today, complemented by the new partnership with the industry on cybersecurity presented yesterday, create the right conditions for people and businesses to use digital tools, networks and services in the EU with confidence,” he added.
On the implementation timeline, the directive is set to enter into force next month, and Member States are expected to have transposed it into national law by May 2018.
The cybersecurity Cooperation Group is expected to begin work next February, and Member States are expected to have identified their operators of essential services by November 2018.