The EU Parliament has this week agreed the details of the new Network and Information Security Directive. This directive, the first of its kind within the EU, is a suite of cyber security regulations that will require Internet service providers, large Internet firms and critical service companies to report serious cyber security breaches or face penalties.
The Network and Information Security Directive is designed to ensure that the digital infrastructure used by critical sectors—energy, transport, banking, financial markets, health, and water supply—to deliver essential services, such as traffic control or electricity grid management, is robust enough to withstand cyber attacks.
Under this directive, each member state will be required to identify ‘operators of essential services’ from sectors considered part of its national critical infrastructure, using certain criteria: whether the service is critical for society and the economy, whether it depends on network and information systems, and whether an incident could have significant disruptive effects on its provision or on public safety within that state.
Additionally, the directive will require the major Internet service providers—such as online marketplaces, search engines, and cloud services—to ensure the safety and security of their infrastructure located within EU states and to report major incidents. Amazon, eBay, and Google were specifically named as U.S. companies that will also be subject to these requirements.
If companies in these sectors experience a serious cyber security breach, they must also be prepared to report the breach to EU authorities.
This directive is considered the first step in building co-ordinated cyber security capacity and response structures across all EU member states.