European lawmakers and ministers from member states have agreed on a text for the first ever region-wide cybersecurity directive, which will introduce mandatory breach notifications for a range of critical infrastructure companies.
The Network and Information Security (NIS) Directive has been years in the making, but finally got the green light from MEPs and the EU Council of Ministers on Monday.
It will set out to harmonize and improve security standards among large providers in the energy, transport, banking, financial, health and water supply sectors, as well as some providers of online marketplaces, search engines and cloud platforms.
Member states will be required to identify these “operators of essential services” first, although “micro and small businesses” will be exempt.
A strategic group will be set up to facilitate better sharing of information and best practices, as will a network of national Computer Security Incidents Response Teams (CSIRTs) to respond to breaking threats in a co-ordinated manner.
"Today, a milestone has been achieved: we have agreed on first ever EU-wide cyber-security rules, which the Parliament has advocated for years,” said the European Parliament's rapporteur, Andreas Schwab, in a statement.
"Parliament has pushed hard for a harmonized identification of critical operators in energy, transport, health or banking fields, which will have to fulfill security measures and notify significant cyber incidents. Member states will have to cooperate more on cybersecurity—which is even more important in light of the current security situation in Europe."
Although the text of NIS has been provisionally agreed, it must now be formally approved by the parliament’s Internal Market Committee and the Council Committee of Permanent Representatives.
Piers Wilson, head of product management at Huntsman, argued that to be effective, the new directive must ensure that organizations are robust enough to withstand 21st century threats.
“Withstanding cyber-attacks doesn’t just mean preventing them. It also means knowing when an attack has happened, and reacting quickly to prevent any damage,” he added.
“Currently, the average time to detect an attack is over 200 days; meaning that by the time a successful attack is spotted and the relevant authorities notified, the damage is well and truly done. Organizations need to be sure that they are alerted as soon as their defenses are penetrated so that they can respond to prevent widespread data loss or disruption of services.”
Photo © underverse