In December 2015, representatives from the European Parliament, the Council and the Commission agreed on the first EU-wide legislation on cyber security.
Back in 2013, the Commission put forward a proposal for a Directive to ensure a high, common level of network and information security (NIS) across the EU. On 7th December 2015, an agreement on the rules was reached, which will:
- Improve the cyber security capabilities of member states
- Improve member states’ cooperation on cybersecurity issues
- Establish security standards and notification requirements for essential service providers
- Levy financial penalties against companies in the event of a breach
In essence, the NIS directive will require all member states to adopt a national NIS strategy that defines a set of objectives, policies and regulatory measures in relation to cybersecurity. They will also need to establish an authority responsible for enforcing the directive and Computer Incident Response Teams to handle incidents.
One of the key discussion points of the General Data Protection Regulation (GDPR) was the level of fine applicable in the event of a breach. The final figure agreed upon was a maximum of 4% of the company’s turnover. With this level of financial penalty at stake, organisations across the region will be forced to take data security seriously. Expect to see insurance premiums going up and a groundswell of support for robust encryption solutions.
Member states now have 21 months to implement the directive, with a further 6 months in which to identify the operators of “essential services”.
Industries that form a part of the EU critical infrastructure (known as operators of essential services in the directive) will be required to comply with network security standards and notify the national authority of any serious incidents. Operators affected by the directive will include:
- Banking & Finance
- Digital Infrastructure
Important digital enterprises, such as ISPs, cloud service providers, search engines and digital marketplaces will also be required to comply with the same security and notification regulations.
The directive comes on the back of a decade of high profile data breaches and is a recognition of both the importance of the EUs digital infrastructure and the threat posed by individual or state-sponsored cyber-crime.
EU Reaches Agreement on Data Protection Reform
On 15 December 2015, the European Parliament, the Council and the Commission reached agreement on the new data protection rules, establishing a modern and harmonised data protection framework across the EU. The European Parliament’s Civil Liberties committee and the Permanent Representatives Committee (Coreper) of the Council then approved the agreements, signalling a a major step forward in the implementation of the Digital Single Market Strategy.
The new regulations are a step towards strengthening individuals’ rights in the digital age and create a simplified set of rules for companies across the EU. The single directive will eliminate the fragmented landscape of data protection across the region and could save businesses over €2 billion a year.
If you would like further information on the directive, her are some frequently asked questions.
Find out what IDQ is doing to help secure critical infrastructure across the world with our quantum-safe cryptography solutions.