A challenge that applies to all stakeholders is to understand where the different pieces of legislation overlap and to apply them consistently throughout the Union. While the GDPR focuses on the rights of data subjects and the obligations of the actors involved in processing activities, the NIS Directive concerns the national critical infrastructure of Member States and focuses on the main economic sectors.
The first EU-wide legislation on cybersecurity, the Directive on Security of Network and Information Systems (Directive (EU) 2016/1148, the 'NIS Directive'), entered into force in 2016 after three years of negotiations. It marked a step change in cybersecurity: for the first time, a common approach to raising the level of security of network and information systems across the Union was established. This law therefore constitutes the primary anchor of the EU cybersecurity architecture.
The first challenge is precisely that the NIS Directive is the European Union's first comprehensive effort to harmonise the cybersecurity of critical infrastructure by raising the common level of security in all Member States.
To date, 25 EU Member States have notified full transposition of the Directive (all apart from Luxembourg, Belgium and Hungary). Prima facie checks have not revealed major gaps in the national transpositions. The Directive requires Member States to equip themselves with at least a minimum set of capabilities: a national strategy, one or more national competent authorities, and a national Computer Security Incident Response Team (CSIRT). It also requires Member States to ensure that operators of essential services in critical sectors, as well as digital service providers, take appropriate security measures and notify significant incidents affecting their network and information systems to the national authorities.
In addition, Member States benefit from the work of the two cooperation fora established by the Directive: the NIS Cooperation Group (the Group) and the network of national Computer Security Incident Response Teams (the CSIRTs Network).
As a result, coordination between Member States is vital for compliance with the NIS Directive. This requires cooperation not only at national level, between each Member State's single point of contact and its CSIRTs, but also among Member States' governments and enforcement agencies. Cooperation is expected at several levels: between the CSIRTs, which form the CSIRTs Network to exchange information effectively and support one another, and between the national competent authorities, which need to assess the compliance of operators of essential services.
Lastly, the legal instrument chosen by the European Union legislators, a Directive, is legally binding as to the result to be achieved but leaves each Member State to implement its objectives and further specifications in national legislation, with some latitude as to form and method. Unavoidably, this adds a further level of difficulty to harmonising a high common level of security of network and information systems across the European Union.
What is certain is that the NIS Directive planted the seeds for enforcing risk management practices and for increasing the capability to prevent and react to incidents, thanks to a better knowledge base. The adoption of the NIS Directive has been received as a major improvement by a wide variety of stakeholders, and the Directive will have to be reviewed by 2021 at the latest. At the present stage, it can be argued that the resilience of EU critical infrastructures will continue to be an important area of work and that some areas for improvement can already be identified.