Reform of cyber security in Europe
What is the EU cyber security strategy?
The EU cyber security strategy sets out the EU's strategy for preventing and responding to disruptions and attacks affecting Europe's telecommunications systems.
The proposed directive would impose a minimum level of security for digital technologies, networks and services across all member states. It also proposes to make it compulsory for certain businesses and organisations to report significant cyber incidents. The list includes search engines, cloud providers, social networks, public administrations, online payment platforms like PayPal, and major eCommerce websites, such as Amazon.
The proposal was published in two parts on 7 February 2013. The first part is a communication from the Commission and the EU's High Representative for foreign affairs and security policy outlining an EU cyber security strategy. This is supported by the second element of the strategy - a European Commission proposal for a directive on network and information security.
Why do we need it?
The cyber security strategy and proposed directive supports the digital agenda for Europe, which aims to help Europe's citizens and businesses to get the most out of digital technologies.
Today's IT systems can be seriously affected by security incidents, such as technical failures and viruses. These kinds of incidents, often called network information security (NIS) incidents, are becoming more frequent and difficult to deal with.
Many businesses and governments across the EU rely on digital networks and infrastructure to provide their essential services. This means that when NIS incidents occur, they can have a huge impact by compromising services and stopping businesses working properly. In addition, with the development of the EU's internal market, many network and information systems work across borders. An NIS incident in one country can therefore have an effect in others and even across the whole EU. Security incidents also undermine consumer confidence in online payment systems and IT networks.
By introducing more consistent risk management measures and systematic reporting of incidents the proposed directive would help sectors depending on IT systems to be more reliable and stable.
EU cyber security strategy: An open, safe and secure cyberspace
The EU cyber security strategy sets out the EU's approach on best preventing and responding to cyber disruptions and attacks. It details a series of actions to enhance the cyber resilience of IT systems, reduce cybercrime and strengthen EU international cyber security policy and cyber defence.
The strategy sets out plans to address challenges under five priority areas:
- achieving cyber resilience
- drastically reducing cybercrime
- developing cyber defence policy and capabilities related to the EU's common security and defence policy (CSDP)
- developing the industrial and technological resources for cyber security
- establishing a coherent international cyberspace policy for the EU
One of the main actions under the strategy is the draft directive on network and information security.
Proposal for a directive on measures to ensure a high level of network and information security across the EU - 2013/0027(COD)
The draft directive on network and information security (NIS) is an important element of the cyber security strategy. It would require all EU member states, key internet companies and infrastructure operators, such as e-commerce platforms, social networks and transport, banking and healthcare services, to ensure a secure and trustworthy digital environment throughout the EU. As the current approach to NIS is based on voluntary action, national capability and the levels of private sector involvement and preparedness vary considerably between member states. The draft directive aims to level the playing field by introducing harmonised rules to apply in all EU countries.
The proposed measures include:
- the requirement for EU member states to adopt an NIS strategy and designate a national NIS authority with adequate resources to prevent, handle and respond to NIS risks and incidents
- the creation of a cooperation mechanism among member states and the Commission to share early warnings on risks and incidents, exchange information, and counter NIS threats and incidents
- the requirement for certain digital companies and services to adopt risk management practices and report major IT security incidents to the competent national authority.
The requirement to report IT security incidents aims to help develop a culture of risk management and make sure that information is shared between private and public sectors. It covers:
- critical infrastructure operators in sectors such as financial services, transport, energy and health
- IT service companies, including app stores, e-commerce platforms, internet payment platforms, cloud computing platforms, search engines and social networks
- public administrations
In the Council
The European Parliament adopted its position at first reading on 13 March 2014 on the proposed network and information security directive.
Following preparatory work by the Working Group on Telecommunications and the Information Society (WP TELE), the Council held an initial orientation debate on the draft directive on 6 June 2013.
At a TTE Council meeting on 5 December 2013, ministers took note of a progress report on the directive. The report highlighted ongoing preparatory work on issues such as the scope of the directive, the terminology used, the set-up of the cooperation network, and the requirements for the national NIS strategies.
On 17 May 2016, the Council formally adopted new rules to step up the cybersecurity across the EU.
The Council discussed a further progress report at the TTE meeting on 6 June 2014. In particular, ministers looked at the best way to cooperate to improve the preparedness and reactions to cyber security threats. They concluded that the NIS directive should focus on high-level strategic and policy cooperation. However, ministers also want it to give more direction to the operational cooperation that already takes place in several bodies. They agreed that discussions should continue on the practical arrangements for cooperation.
At a TTE Council meeting on 27 November 2014, the presidency briefed ministers on the state of play of work on the draft NIS directive. At the end of 2014, the Council held two trilogue meetings on the directive with the European Parliament. A third trilogue meeting took place on 30 April 2015. Although progress was made during the trilogue, important differences remained between the Council and European Parliament positions. The trilogue was therefore useful in further clarifying their respective concerns.
At a fourth trilogue meeting on 29 June 2015, the Council reached an understanding with the European Parliament on the main principles to be included in the draft NIS directive. These principles will now have to be turned into legal provisions to allow for a final deal on the directive at a later stage.
On 18 December 2015, the Coreper endorsed an informal deal with the European Parliament. Once the agreed text is finalised, it needs to be formally approved first by the Council and then by the Parliament.
On 17 May 2016, the Council approved its position at first reading , which confirmed the agreement reached with the European Parliament in December 2015. The next step is approval of the legal act by the European Parliament at second reading. The directive entered into force in August 2016.