Europe adopts new cybersecurity rules for key players
New obligations on providers of essential services
The European Council has adopted new cybersecurity rules to make networks and information services across the European Union safer and more secure.
The network and information security (NIS) directive [PDF] will require providers of essential services – such as energy, transport, health and finance – and "digital service providers" – such as online marketplaces, search engines and cloud services – to take steps to reduce the risk of cyber attacks and to report any major security incidents.
Member states will specifically identify which operators they believe fit into the essential services group, using criteria listed in the directive, and those operators will be subject to stricter rules.
Weaker rules will apply to digital service providers. The rules will apply to anyone in the various identified market sectors, with an exemption for small companies. It means PayPal, Amazon and so on will need to meet a new set of minimum security measures devised by the EU.
"This is an important step towards a more coordinated approach in cybersecurity across Europe," said Council president and Luxembourg prime minister Xavier Bettel.
"All actors, public and private, will have to step up their efforts, in particular by increased cooperation between member states and enhanced security requirements."
As part of the agreement, EU member states have agreed to improve cooperation when it comes to cybersecurity. A new group will be created to make that happen, as well as a new network pulling together the national computer security incident response teams (CSIRTs).
The agreement still has to be officially confirmed by member states. It will be formally approved on December 18 – almost exactly one year since the idea was first mooted – and will then also require formal adoption by the Council and Parliament.
Once in force, member states will have 21 months to adopt the measures with a further six months to identify essential service operators. That all means that starting in 2017, Europe's overall cybersecurity will increase, with all measures in place by the middle of 2019. ®