The latest resilience news from around the world

European MEPs approve new cyber resilience and security requirements

Organizations supplying essential services will have to improve their ability to withstand cyber-attacks under the first EU-wide rules on cyber resilience and security. These were approved by MEPs on July 6th 2016.

"Cybersecurity incidents very often have a cross-border element and therefore concern more than one EU member state. Fragmentary cyber security protection makes us all vulnerable and poses a big security risk for Europe as a whole. This directive will establish a common level of network and information security and enhance cooperation among EU member states, which will help prevent cyberattacks on Europe’s important interconnected infrastructures in the future", said Parliament's rapporteur Andreas Schwab (EPP, DE).

The EU network and information security (NIS) directive "is also one of the first legislative frameworks that applies to platforms. In line with the Digital Single Market strategy, it establishes harmonised requirements for platforms and ensures that they can expect similar rules wherever they operate in the EU. This is a huge success and a big first step to establishing a comprehensive regulatory framework for platforms in the EU", Schwab added.

The new EU law lays down security and reporting obligations for ‘operators of essential services’ in sectors such as energy, transport, health, banking and drinking water supply.  EU member states will have to identify entities in these fields using specific criteria, e.g. whether the service is critical for society and the economy and whether an incident would have significant disruptive effects on the provision of that service. Some digital service providers - online marketplaces, search engines and cloud services - will also have to take measures to ensure the safety of their infrastructure and will have to report major incidents to national authorities. The security and notification requirements are, however, lighter for these providers. Micro- and small digital companies will be exempted from these requirements.

The new rules provide for a strategic ‘cooperation group’ to exchange information and assist member states in cybersecurity capacity-building. Each EU country will be required to adopt a national NIS strategy.

Member states will also have to set up a network of Computer Security Incident Response Teams (CSIRTs) to handle incidents and risks, discuss cross-border security issues and identify coordinated responses. The European Network and Information Security Agency (ENISA) will play a key role in implementing the directive, particularly in relation to cooperation. The need to respect data protection rules is reiterated throughout the directive.

Next steps

The NIS directive will soon be published in the EU Official Journal and will enter into force on the twentieth day after publication. Member states will then have 21 months to transpose the directive into their national laws and six additional months to identify operators of essential services.


Want news and features emailed to you?

Signup to our free newsletters and never miss a story.

   

A website you can trust

The entire Continuity Central website is scanned daily by Sucuri to ensure that no malware exists within the site. This means that you can browse with complete confidence.

Business continuity?

Business continuity can be defined as 'the processes, procedures, decisions and activities to ensure that an organization can continue to function through an operational interruption'. Read more about the basics of business continuity here.

Get the latest news and information sent to you by email

Continuity Central provides a number of free newsletters which are distributed by email. To subscribe click here.