[Updated] New EU directive requires critical infrastructure to improve cyber-security

The European Parliament has passed this morning the new network and information security (NIS) directive, placing minimum standards for cyber-security on critical infrastructure operators.

European Parliament in Strasbourg

Companies which supply essential services – such as energy, transport, banking, health or digital services such as cloud services and search engines – will be required to achieve minimum standards of cyber-security under new EU-wide rules adopted by the EU Parliament today.

The EU network and information security (NIS) directive sets common cyber-security standards and aims to step up cooperation among EU countries and service providers. According to its supporters, it will help prevent attacks on EU countries' interconnected infrastructure.

“Cyber-security incidents very often have a cross-border element and therefore concern more than one EU member state. Fragmentary cyber-security protection makes us all vulnerable and poses a big security risk for Europe as a whole,” said Parliament's rapporteur Andreas Schwab, MEP for Germany. “This directive will establish a common level of network and information security and enhance cooperation among EU member states, which will help prevent cyberattacks on Europe's important interconnected infrastructures in the future.”

He added: “[NIS] is also one of the first legislative frameworks that applies to platforms. In line with the Digital Single Market strategy, it establishes harmonised requirements for platforms and ensures that they can expect similar rules wherever they operate in the EU. This is a huge success and a big first step to establishing a comprehensive regulatory framework for platforms in the EU.”

The directive lays down cyber-security and incident-reporting requirements for “operators of essential services”, a category which covers energy, transport, health, banking and drinking water. Individual member states are responsible for identifying the organisations which will fall under the directive in their respective jurisdictions.

Digital service providers such as cloud services and search engines have a new obligation to report major incidents to a national computer security incident response team (CSIRT). The European Network and Information Security Agency (ENISA) will help member states in cross-border cooperation.

The directive will be published in the EU Official Journal. Member states will have 21 months to adopt the directive into national laws and six additional months to identify critical infrastructure operators.

Kevin Bocek, chief security strategist at Venafi, commented, “It's good to see the EU increasing funding and making cyber-security a top priority, but sad that given Brexit UK universities and companies will be set to lose out on the investment.”

Norman Shaw, CEO of ExactTrak, told SCMagazineUK.com, “Regardless of Brexit, these standards will still need to be met by anyone doing business in the EU. Furthermore, anything that encourages pooling of resources and sharing knowledge to deal with attacks has got to be a good thing.”

Brian Chappell, director of technical services for EMEAI and APAC at BeyondTrust, said, “This directive provides a reasonable framework from which to build legislation that can be used to ensure our critical infrastructure has taken the appropriate measures to secure itself. Unlike the GDPR, it doesn't carry any mandatory adoption or penalties for failure,” he said. “This action could have been more affirmative but it's a good start to start getting everyone on the same page.”

Justine Cross, regional director at Watchful Software, told SC, “The inclusion of digital services such as cloud hosts is a welcome move as it recognises this digital infrastructure is fast becoming as vital as traditional foundations like finance and transport.”

But she added, “The fact that individual member states are responsible for enforcing the new standard could be a potential failing of the directive. There will need to be strong guidance to ensure that there is no disparity across borders when it comes to identifying what organisations count as critical infrastructure – particularly when it comes to the fast-moving area of digital services.”

Yoni Shohet, CEO and co-founder of SCADAfence, said, “Initiatives such as this from the EU can play a determining factor in raising awareness for industrial companies, who have struggled to identify cyber risks and defend themselves against them… Moving forward, the EU initiative should also focus on improving the quick, thorough distribution of real-time attacks and active threats to industrial networks.”

Graham Mann, managing director at Encode UK, commented, “Like all these directives the devil is in the detail, but it has to be welcomed. My worry is that, from my own personal experience battle-testing clients' networks over more than 10 years, organisations simply can't identify advanced cyber-attacks. If they can't identify the attack, then defence is impossible. In cases where they do identify an advanced cyber-attack it's usually too late; the damage has been done.”

Amit Ashbel, cyber security evangelist at Checkmarx, told SC, “While this is an important step to enhance EU infrastructure security, it is critical that the EU learn from the industry's past mistakes and enforce security as part of organisations' development efforts.”