The Network and Information Security Directive has been passed by the European Parliament's Internal Markets Committee. Designed to be the first set of EU-wide cyber-security rules, it has so far had a lukewarm reception from industry bods.
Brought to life in 2013, the directive was voted on today, passing by 34 votes to 2 with no abstentions, and will now need to be endorsed by the Council and the full Parliament.
Isabel Teixeira Nadkarni, spokesperson for the European Parliament told SC, "It should be passed without troubles by both institutions, since an agreement has been reached."
The directive lists critical sectors – energy, transport, banking and health – where companies will need to ensure that they are able to resist cyber-attacks.
These areas were identified using specific criteria: whether the service is critical for society and the economy, whether it depends on network and information systems and whether an incident could have significant disruptive effects on its provision or public safety.
Andrew Barratt, MD of Coalfire Systems, told SCMagazineUK.com, “As it stands, the directive itself is nowhere near as specific as it needs to be in order to cause any meaningful change.”
He added that because of the costs involved, “it risks becoming a paper exercise that will have no real effect”, especially for SMEs, which are often too busy to worry about cyber-security.
The directive also sets out guidelines for online marketplaces such as eBay or Amazon, search engines and other cloud-based providers on the security measures they will be required to have in place to secure their infrastructure. As more and more European data moves online, the EU is presumably trying to ensure that services like Amazon's AWS and Google Drive aren't compromised and suffer minimal downtime.
A network of Computer Security Incident Response Teams (CSIRTs), one set up by each member state, will have to be established to coordinate cross-border security.
Designed to bring all 28 member states to the same level, the directive will require companies to report cyber-security breaches, but it is not yet clear who will be responsible for handing out disciplinary action.
And finally, to ensure a high level of security across the EU and to develop trust and confidence among member states, the draft rules set up a strategic cooperation group to exchange information and best practices, draw up guidelines and assist member states in cyber-security capacity building.
Acting as a trusted advisor to the likes of Amazon and the PCI DSS on matters of cyber-security, Barratt compared the new European directive to FedRAMP, the strict set of standards US federal agencies have been instructed to use by the Office of Management and Budget to assess and authorise cloud computing products and services.
Andrew explains, “If you read the draft paper which sets out the directive, mostly what it's asking companies to do is conduct a risk assessment and then implement appropriate measures to counter whichever risks are found”. Barratt said that “as the directive isn't specific enough, there is a risk decision makers won't be competent enough to successfully identify the risks”.
Finally, Barratt remarked that "The UK is broadly speaking already there in terms of cyber-security", but added: "Overall, I am doubtful this will increase our cyber-capabilities."
Commenting on the NIS, Nicola Fulford, data protection partner at Kemp Little, said, “The NIS Directive requires companies providing these essential services to have in place appropriate security measures to detect and manage cyber-security risks. Data protection laws already require companies to have adequate security measures when processing personal data, so in a sense the NIS Directive can be seen as an extension of current laws.”
The NIS Directive also requires that companies providing essential services notify the relevant authority if there is a security incident that would significantly impact the services they provide. Most US states have had data breach notification laws for quite a long time. In the US, every single breach has to be reported and notified to individuals. "The risk with this situation is that consumers can get data breach fatigue – they become jaded and stop paying attention to data breach notifications. The likely result here is inaction: after a certain number of warnings consumers fail to follow practical advice from banks or merchants to help mitigate the impact of a data breach," she said.
“There's a ‘boy who cried wolf’ element, which is one argument against mandatory breach notifications. By contrast, in the UK for the vast majority of companies there is no mandatory reporting law at present (only public electronic communications service providers or network providers are required to notify the regulator). The Information Commissioner's Office (ICO) has issued guidance which states that if the breach meets certain conditions and is classified as a serious breach then the ICO expects to hear from the company. An organisation's first priority should be to stop breaches from happening in the first place. The mandatory security provisions in the NIS Directive will hopefully encourage companies to bolster their security systems and prevent attacks from happening.”