On August 3, 2016, the U.S. Chamber of Commerce’s Global Cybersecurity Working Group hosted a roundtable briefing on EU CYBERSECURITY POLICY – THE NETWORK AND INFORMATION SYSTEMS (NIS) DIRECTIVE. Adam Sedgewick – Senior IT Policy Advisor, NIST – and Wim Nauwelaerts – Partner, Hunton and Williams – were the speakers facilitating the discussion.
With ongoing cybersecurity breaches, leaks and developing threats, it is not surprising that the EU has introduced a new directive stating that “Responding effectively to the challenges of the security of network and information systems requires a global approach at Union level covering common minimum capacity building and planning requirements, exchange of information, cooperation”. In fact, according to presenter Nauwelaerts, 80% of companies in the EU have had at least one cybersecurity incident, which underscores the urgency of the issue.
The new Directive sets out minimum requirements and introduces several important bodies. One of these is the Cooperation Group, which will facilitate collaboration between Member States. According to the Directive, the Cooperation Group will provide strategic guidance, exchange best practices between Member States and produce annual summary reports.
Another important institution established is the Computer Security Incident Response Teams Network (CSIRTs Network), which will promote “swift and effective operational cooperation”. Under the Directive, the network will be composed of representatives of the Member States’ CSIRTs and CERT-EU. It will exchange information about services and operations. At a Member State’s request, the network will identify a coordinated response to an incident, explore further forms of cooperation, discuss “lessons learned”, and issue guidelines in order to “facilitate the convergence of operational practices.”
In addition to these bodies, the Directive imposes several obligations on Member States. Each Member State will adopt a national strategy that sets strategic objectives, policies and regulations to achieve network and information systems security. The strategy will also include provisions related to education, awareness-raising and training. Another important responsibility of Member States under the Directive is designating multiple competent authorities along with a single point of contact on the security of network and information systems.
While reading the document, I found several provisions very familiar and similar to the recently published U.S. Presidential Policy Directive on Cyber Incident Coordination, which established a Cyber Unified Coordination Group to facilitate coordination between federal agencies and designated several competent agencies (the National Cyber Investigative Joint Task Force, the National Cybersecurity and Communications Integration Center, and the Cyber Threat Intelligence Integration Center) to be responsible for cyber incident related issues. Apparently the EU and U.S. are following the same pattern, which suggests that this approach is considered a current best practice. When asked, Wim Nauwelaerts also confirmed that countries that are not part of the European Union should consider these provisions when amending their national laws on cybersecurity. He emphasized the need for, and importance of, having more than one institution in charge of cybersecurity.