Client Alert
Mandatory EU cybersecurity standards in critical business sectors and in digital services
The NIS Directive pursues a high common level of security of network and information systems within the EU and therefore uniform protection against incidents. It is considered "the first comprehensive piece of EU legislation on cybersecurity".
Who is directly impacted by the NIS directive?
- Operators of an essential service (presumed to be vital for our economy and society and, moreover, relying heavily on ICTs): energy, transport, banking, financial market infrastructures (e.g. stock exchanges, central counterparties), health services, drinking water supply and distribution, and digital infrastructure, as listed in Annex II to the NIS Directive. The competent authorities to be appointed by each Member State will prepare the list of the entities in these sectors with an establishment on their territory by 9 November 2018 (six months after the transposition deadline), and that list will be periodically updated thereafter.
- Digital service providers: online marketplaces, online search engines, cloud computing providers.
providers, which are subject to separate specific security requirements. Moreover, at least equivalent special rules in specific and/or regulated sectors, such as financial markets and banking, will continue to apply.
What new obligations apply to entities acting in these industries?
- Implementation of Preventive Security Measures
- Reporting Obligations
- designate one or more competent national authorities on the security of network and information systems, which shall monitor the application of the NIS Directive at the national level ("competent authority");
- designate a single point of contact on the security of network and information systems, which shall exercise a liaison function to ensure cross-border cooperation between Member State authorities ("single point of contact");
- designate a computer security incident response team ("CSIRT"), which shall monitor incidents at the national level; provide early warnings, alerts, announcements and dissemination of information to relevant stakeholders about risks and incidents; respond to incidents; and provide dynamic risk and incident analysis and situational awareness.
swift and effective operational cooperation. The CSIRTs network must submit a report to the Cooperation Group assessing the experience gained through the operational cooperation, including conclusions and recommendations. Romania has a draft cybersecurity law in public debate, which has been preliminarily approved by the Ministry of Communications (http://www.mcsi.ro/Transparentadecizionala/Proiecte-2016). It remains to be seen how this draft will progress, given its partial overlap with the NIS Directive.