{"id":74579,"date":"2018-05-10T05:00:32","date_gmt":"2018-05-10T12:00:32","guid":{"rendered":"https:\/\/www.paloaltonetworks.com\/blog\/?p=74579"},"modified":"2019-05-23T12:25:34","modified_gmt":"2019-05-23T19:25:34","slug":"gov-eus-network-information-security-nis-directive-goes-live-amidst-range-expanding-cybersecurity-efforts","status":"publish","type":"post","link":"https:\/\/www2.paloaltonetworks.com\/blog\/2018\/05\/gov-eus-network-information-security-nis-directive-goes-live-amidst-range-expanding-cybersecurity-efforts\/","title":{"rendered":"The EU\u2019s Network and Information Security (NIS) Directive Goes Live Amidst Range of Expanding Cybersecurity Efforts"},"content":{"rendered":"<p>Yesterday was the \u201cgo live\u201d date for the EU\u2019s <a href=\"http:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/PDF\/?uri=CELEX:52016AG0010(01)&amp;from=EN\" rel=\"nofollow,noopener\" >Network and Information Security (NIS) Directive<\/a>. The NIS Directive was adopted in 2016, and as a directive, it sets out objectives and policies to be attained through legislation at an EU member state level within a certain timeframe (a process called transposition). Member states were required to transpose the NIS Directive into national law by May 9, 2018.<\/p>\n<p>As the first EU law specifically focused on cybersecurity, the NIS Directive has three parts, affecting both industry and member state governments.<\/p>\n<ul>\n<li><strong>Requirements on organisations:<\/strong> The directive establishes security and incident notification requirements for \u201coperators of essential services\u201d (OES) (e.g., providers of energy, transportation, healthcare, drinking water, some financial services) and, to a less stringent extent, \u201cdigital service providers\u201d (DSP) (online marketplaces, online search engines, and cloud service providers). 
The NIS Directive requires these companies \u201cto have regard to the state of the art technologies\u201d to manage risks posed to the security of the networks and information systems used to provide the covered services, and take appropriate measures to prevent and minimise the impact of incidents. Security incidents of certain magnitudes must be reported to national competent authorities. The above obligations apply whether the OES or DSP manages its own network and information systems or outsources them.<\/li>\n<li><strong>National activities:<\/strong> The directive requires member states to adopt national cybersecurity strategies; to designate national competent authorities; and to have one or more computer security incident response teams (CSIRTs), corresponding at least to the sectors covered by the directive, to detect, prevent, and respond to cyber incidents and risks.<\/li>\n<li><strong>EU-wide collaboration:<\/strong> The directive emphasises coordination among member states, setting up a CSIRT network (also to include CERT-EU) to promote swift and effective operational cooperation regarding threats and incidents, and a strategic NIS \u201ccooperation group\u201d to support and facilitate cooperation and information exchange among member states.<\/li>\n<\/ul>\n<p>Officials in Brussels and other EU capitals have worked hard to make NIS successful. Many countries have updated or issued, for the first time, their national cybersecurity strategies. CSIRTs have been established, and legislation has been readied to transpose NIS. The European Commission has issued guidance to countries on effective implementation of NIS. ENISA \u2013 the EU Agency for Network and Information Security \u2013 has also issued a range of guidance, including recommendations on the use and management of CSIRTs and recommendations regarding the security and incident notification measures for DSPs. 
The NIS cooperation group \u2013 composed of representatives of member states, the Commission, and ENISA \u2013 reportedly meets regularly to coordinate efforts among EU countries, including sharing information about how to implement NIS as consistently as possible. To that end, the cooperation group has issued non-binding guidelines on security measures and incident notification for OESs. The EU member states that have held the EU Presidency since NIS was adopted \u2013 Slovakia, Malta, Estonia, and now Bulgaria \u2013 have all made NIS implementation a priority, driving NIS-related activity including in the cooperation group.<\/p>\n<p>Of course, steps remain. Some countries need to finish transposing NIS (not all countries made the deadline). Per the directive, they also have another six months to identify the operators of essential services established in their territories (this information might not be made public for security reasons). And equally importantly, organisations covered by NIS will be determining if they must change their security practices to meet its requirements, and if so, how. 
The European Commission understands that more needs to be done, and <a href=\"http:\/\/europa.eu\/rapid\/press-release_STATEMENT-18-3650_en.htm\" rel=\"nofollow,noopener\" >announced May 4<\/a> that, to help member states rapidly transpose the NIS Directive and build their capabilities, the Connecting Europe Facility programme is providing \u20ac38 million in funding until 2020 to support national CSIRTs as well as other NIS Directive stakeholders, such as the operators of essential services and digital service providers.<\/p>\n<p>As part of the May 4 announcement above, European Commission Vice-President Andrus Ansip, responsible for the Digital Single Market, Commissioner for Migration, Home Affairs and Citizenship Dimitris Avramopoulos, Commissioner for the Security Union Julian King and Commissioner Mariya Gabriel, in charge of Digital Economy and Society, <a href=\"http:\/\/europa.eu\/rapid\/press-release_STATEMENT-18-3650_en.htm\" rel=\"nofollow,noopener\" >issued a statement<\/a>, noting that \u201cThe adoption of the NIS Directive two years ago was a turning point for the EU's efforts to step up its cybersecurity capacities.\u201d This is true. However, NIS is just one of an expanding list of activities driven out of Brussels to improve cybersecurity. Many people close to the action in Brussels reported that attention to cybersecurity rose quickly among senior policymakers in the wake of the May 2017 WannaCry ransomware attack. In September 2017, EU President Jean-Paul Juncker made cybersecurity a major theme \u2013 for the first time ever \u2013 of the \u201c<a href=\"http:\/\/europa.eu\/rapid\/press-release_SPEECH-17-3165_en.htm\" rel=\"nofollow,noopener\" >State of the EU\u201d address<\/a>, highlighting the need for the EU to better protect Europeans in the digital age. That same month, the European Commission issued a package of cybersecurity legislative and other proposals. 
This included a <a href=\"http:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/?qid=1505294563214&amp;uri=JOIN:2017:450:FIN\" rel=\"nofollow,noopener\" >new EU cybersecurity strategy<\/a>, \u201cResilience, Deterrence and Defence: Building Strong Cybersecurity for the EU,\u201d with a focus on protection and prevention of cyberattacks. Further, the Commission announced the intention to set up a \u201ccybersecurity competence network\u201d and a \u201cEuropean Cybersecurity Research and Competence Centre,\u201d and a recommendation to establish an EU-wide \u201c<a href=\"http:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/?uri=uriserv:OJ.L_.2017.239.01.0036.01.ENG&amp;toc=OJ:L:2017:239:TOC\" rel=\"nofollow,noopener\" >Coordinated Response to Large Scale Cybersecurity Incidents and Crises<\/a>.\u201d It also <a href=\"https:\/\/ec.europa.eu\/info\/law\/better-regulation\/initiatives\/com-2017-477_en\" rel=\"nofollow,noopener\" >proposed a new law<\/a> \u2013 the Cybersecurity Act \u2013 to increase and make permanent ENISA\u2019s mandate, as well as develop an EU-wide certification scheme. This Act is currently being debated in Parliament and the European Council.<\/p>\n<p>All these EU efforts are essential. They include important plans and activities: increasing cybersecurity-related education and training, stepping up law enforcement activities, and accelerating cyberthreat information sharing, to name a few. They also, of course, complement an array of actions being taken by the member states individually.<\/p>\n<p>Palo Alto Networks commends European policymakers for putting cybersecurity front and center. The NIS Directive hits a key milestone today, but today is simply a stage on a journey. 
The EU understands that cybersecurity is essential to economic activity and growth as well as to the user confidence in online activities that underpins it. Companies in Europe, across all sectors, must ensure their businesses are resilient to cyberattacks as they embrace the digital world, EU governments need secure online operations, and consumers need trust in their online experiences. Ultimately, the more all EU member states can raise the collective bar, the more the global digital infrastructure will benefit. Palo Alto Networks looks forward to continuing to contribute to Europe\u2019s efforts.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Danielle Kriz shares important updates on the EU's NIS directive<\/p>\n","protected":false},"author":182,"featured_media":70925,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[484,6724,6769],"tags":[120,5873,2681],"coauthors":[1873],"class_list":["post-74579","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-government","category-points-of-view","category-public-sector","tag-cybersecurity","tag-network-and-information-security","tag-nis"],"jetpack_featured_media_url":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-content\/uploads\/2018\/04\/government-news-social-media-blog-600x300-1.jpg","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/74579","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/users\/182"}],"replies":[{"embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json
\/wp\/v2\/comments?post=74579"}],"version-history":[{"count":3,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/74579\/revisions"}],"predecessor-version":[{"id":74711,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/74579\/revisions\/74711"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media\/70925"}],"wp:attachment":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media?parent=74579"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/categories?post=74579"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/tags?post=74579"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/coauthors?post=74579"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}