a. Political challenges
The first EU-wide legislation on cybersecurity, the Directive on Security of Network and Information Systems (the ‘NIS Directive’), which entered into force in 2016 after 3 years of negotiations, marked a step change in cybersecurity as, for the first time, it established a common approach to increasing the level of security of network and information systems across the Union. This law therefore constitutes the primary anchor of the EU cybersecurity architecture.
To date 25 EU Member States have notified full transposition of the Directive (all apart from LU-BE-HU). Prima facie checks have not revealed major gaps in the national transposition. The Directive requires Member States to equip themselves with at least a minimum set of capabilities (a national strategy, national competent authority/ies, a national Computer Security Incident Response Team/CSIRT). It also requires Member States to ensure that operators in critical sectors, as well as digital service providers, take appropriate security measures and notify significant incidents affecting their network and information systems to the national authorities. The NIS Directive planted the seeds for enforcing risk management practices and for increasing the capabilities to prevent and react to incidents, thanks to a better knowledge base.
In addition, Member States benefit from the work of the two cooperation fora established by the Directive, the NIS Cooperation Group (The Group) and the network of national Computer Security Incident Response Teams (CSIRTs Network).
While the adoption of the NIS Directive has been received as a major improvement by a wide variety of stakeholders, as the first legislation in the field it faced considerable resistance during the negotiations.
The NIS Directive will have to be reviewed at the latest in 2021. At the present stage, it can be argued that the resilience of the EU critical infrastructures will continue to be an important area of work and that some areas for improvement can already be identified (see below).
b. Ongoing / open files
The Commission is monitoring the national transposition of the Directive. DG CNECT is currently conducting in-depth compliance checks involving an article-by-article analysis of the transposition in each Member State. As part of the in-depth analysis, the Commission will visit Member States and conduct checks by liaising with the relevant ministries/authorities and stakeholders. As this is the first ever horizontal cybersecurity legislation in Europe, it is essential that we make a major effort to ensure that the adoption of national transposition measures produces real effect on the ground.
Moreover, by 9th November 2018, Member States had to identify their Operators of Essential Services (OES) and communicate this to the European Commission.
The Cooperation Group – made of national competent authorities, the Commission and ENISA – and the CSIRTs Network – composed of national CSIRTs, ENISA and CERT-EU – are meeting regularly and issuing important deliverables.