The Directive on Security of Network and Information Systems (NIS) is the first European Union-wide legislation on cybersecurity, and it aims to raise the overall level of cybersecurity in the EU.
To achieve this goal, the NIS directive establishes two cooperation groups among the member states, requires member states to adopt cybersecurity strategies and appropriately tasked computer security incident response teams (CSIRTs), defines operators of essential services and digital service providers, introduces mandatory incident reporting for these operators and providers, and promotes information sharing about cross-border incidents.
The NIS directive was adopted by the European Parliament on 6 July 2016 and entered into force in August 2016. There are several challenges the NIS directive is tackling.
From the CSIRT point of view, the main one is how to ensure that all EU member states have adequately staffed CSIRT teams that are capable of responding to cyber threats, and how to make sure that there is sufficient collaboration and information exchange among those teams.
This challenge is addressed by the mandatory requirements placed on the member states in the directive, as well as by establishing a mechanism for CSIRT collaboration at the European level – the NIS CSIRT network. This group started its activities in 2017 and is working on establishing communication and information exchange channels, as well as on initiatives to raise the maturity level of all CSIRT teams so that they are better prepared to respond to cyber threats.
The NIS directive also establishes a Cooperation Group for strategic-level information exchange. This group is operational and works together with the NIS CSIRT network on various issues in order to tackle cybersecurity challenges.
Most countries are currently working on the necessary legislative changes. In some cases this involves only changes to existing regulations; in other cases it includes the adoption of new cybersecurity laws.
The NIS directive brings not only challenges, but also opportunities. One example is the Connecting Europe Facility in Telecom (CEF Telecom) in 2016 and 2017, which provides funding for CSIRTs to improve their capacity and maturity.
Nationally, all countries have to transpose the NIS directive into national legislation by 9 May 2018. Considering how long the legislative process takes, the deadline is very close.
In Latvia, the responsible ministry – the Ministry of Defense – is working closely with CERT.LV (the Latvian national and governmental CSIRT) and with other stakeholders from both the state and private sectors to find the most appropriate way of implementing the NIS directive.
In October 2017, CERT.LV organized its annual cybersecurity conference. One of the sessions of this conference had a discussion panel on the NIS directive implementation challenges. Representatives from the Netherlands, Estonia and Latvia participated in the discussion.
Several challenges were identified during the discussion:
The NIS directive implementation deadline is coming up next year, and only then will it be possible to start observing practical implementation issues – how many incident reports are coming in, how much information CSIRT teams share among themselves, and how this influences overall cybersecurity.