A European cybersecurity directive is on its way. It will impose considerable obligations, but it should also bring more legal certainty, which could support the growth of the IoT. The Council of the European Union has reached an informal agreement with the European Parliament on the approval of the Network and Information Security Directive (the so-called NIS Directive), which sets EU-wide rules on cybersecurity.
The NIS Directive
The NIS Directive imposes cybersecurity obligations on operators of essential services and on digital service providers. Operators of essential services include those active in critical sectors such as
- finance and
EU Member States will have to identify, within 6 months of implementing the NIS Directive, the operators providing essential services in these sectors, according to the criteria set out in the directive.
The NIS Directive also applies to providers of digital services, which include
- e-commerce platforms,
- Internet payment gateways,
- social networks,
- search engines,
- cloud computing services and
- application stores.
The cybersecurity obligations set forth in the NIS Directive
The NIS Directive imposes a stricter compliance regime on operators of essential services than on providers of digital services. The minimum obligations on EU Member States are to put in place
- a national strategy for the prevention, handling and response to cyber risks and incidents affecting networks and information systems,
- security obligations and incident-notification obligations (covering breaches and risks) for operators of essential services and for digital service providers, also through the development of common standards, and
- a cooperation mechanism at European level to identify risks and assess the impact of potential incidents, also through the designation of a competent authority in each Member State.
The NIS Directive now has to be formally approved by the European Parliament; EU Member States will then have 21 months from its entry into force to transpose it into national law.
Can this change help the IoT?
As discussed in a previous post, the European Commission plans to adopt an Internet of Things action plan by mid-2016, and standardization (including cybersecurity standardization) is one of the items on its agenda. This will be an essential step in supporting the growth of the Internet of Things (IoT) in Europe, since the current uncertainty about which security standards apply poses considerable risk to businesses.
The above provisions will have to be coordinated with the upcoming EU Data Protection Regulation, which, among other things, sets out stringent security requirements, data breach notification obligations and fines of up to 2% or 4% of global annual turnover for privacy violations. Indeed, the NIS Directive states that its sanctions must be consistent with those provided by the EU Data Protection Regulation where an incident involves personal data.