The NIS Directive (Directive (EU) 2016/1148), officially the Directive concerning measures for a high common level of security of network and information systems across the Union, is a significant piece of legislation passed by the European Union. It was adopted on July 6, 2016, and represents the first EU-wide legislation on cybersecurity. The key aspects of the NIS Directive include:
Objective: The directive aims to achieve a high common level of cybersecurity across the EU, focusing on critical sectors such as energy, transport, banking, financial market infrastructures, healthcare, drinking water supply and distribution, and digital infrastructure.
National Frameworks: Member states are required to adopt a national framework for cybersecurity, which includes designating one or more national competent authorities and a single point of contact for cross-border cooperation, setting up one or more Computer Security Incident Response Teams (CSIRTs), and adopting a national strategy on the security of network and information systems.
Security and Incident Reporting: Operators of essential services (OES) and digital service providers (DSPs) must take appropriate and proportionate technical and organisational measures to manage the risks to their network and information systems, and must notify the competent authority or CSIRT without undue delay of incidents with a significant impact on the continuity of the essential service (OES) or a substantial impact on the provision of the digital service (DSP).
Identification of Operators of Essential Services: Each member state must identify the entities within its jurisdiction that qualify as OES, based on the criteria in the directive: the entity provides a service essential for the maintenance of critical societal and/or economic activities, the provision of that service depends on network and information systems, and an incident would have significant disruptive effects on the provision of the service. Member states were required to complete this identification by November 9, 2018.
Risk Management and Incident Reporting Obligations for DSPs: Digital service providers, meaning cloud computing services, online marketplaces, and online search engines, are required to implement security measures and report incidents with a substantial impact to the relevant authorities. Unlike OES, DSPs are not individually identified by member states and are subject to a lighter-touch, ex post supervisory regime; micro and small enterprises are excluded from the DSP obligations.
Cross-border Collaboration: The directive establishes cooperation and information sharing among member states through a Cooperation Group for strategic cooperation and a network of national CSIRTs (the CSIRTs network) for operational cooperation.
Enforcement and Penalties: Member states must lay down rules on penalties applicable to infringements of the national provisions adopted pursuant to the directive. These penalties must be effective, proportionate, and dissuasive.
Timeline for Implementation: Member states were required to transpose the directive into their national laws by May 9, 2018.
Review and Updates: The directive is subject to periodic review to ensure it keeps up with the evolving cyber threat landscape. This review led to the NIS2 Directive (Directive (EU) 2022/2555), adopted in December 2022, which updates and broadens the scope of the original NIS Directive and repeals it; member states had to transpose NIS2 by October 17, 2024.
The NIS Directive represents a foundational step in creating a common level of cybersecurity and response to incidents across the EU, ensuring both preparedness and resilience in facing cyber threats.