By Baiba Kaskina

The Directive on Security of Network and Information Systems (NIS) is the first European Union-wide legislation on cybersecurity, which aims to raise the overall level of cyber security in the EU.

To achieve this goal, the NIS directive establishes two cooperation groups among the member states, assigns member states to adopt cybersecurity strategies and appropriately tasked computer security incident response team (CSIRT) teams, defines operators of essential services and digital service providers, introduces mandatory incident reporting for these operators and providers and promotes information sharing about cross border incidents.

The NIS directive was adopted by the European Parliament on 6 July 2016 and entered into force in August 2016. There are several challenges the NIS directive is tackling.

From the CSIRT point of view, the main one is how to ensure that all EU member states have adequately staffed CSIRT teams that are capable of responding to cyber threats. And how to make sure that there is sufficient collaboration and information exchange among those teams.

This challenge is addressed by the mandatory requirements towards the member states in the directive as well as by establishing mechanisms for CSIRT collaboration at the European level – the NIS CSIRT network. This group started its activities in 2017 and is working on establishing communication and information exchange channels as well as initiatives to raise the maturity level of all CSIRT teams to be better prepared to respond to cyber threats.

The NIS directive also establishes Cooperation groups for strategic-level information exchanges. This group is operational and working together with NIS CSIRT network on various issues in order to tackle cybersecurity challenges.

Most countries are currently working on necessary legislative changes. In some cases it involves only changes in the existing regulations. In other cases, it includes adoption of new cyber security laws.

The NIS directive brings not only challenges, but also opportunities. One example is the “Connecting Europe Facility in Telecom (CEF Telecom) in 2016 and 2017,” which provides funding for CSIRTs to improve their capacity and maturity.

Nationally, all countries have to transpose the NIS directive to the national legislation by 9 May 2018. Considering how long the legislative process takes, the deadline is very close.

Most countries are currently working on necessary legislative changes.

In some cases it involves only changes in the existing regulations. In other cases, it includes adoption of new cyber security laws.

In Latvia, the responsible ministry – the Ministry of Defense – is working closely with CERT.LV (the Latvian national and governmental CSIRT) and with other stakeholders both from state and private sectors to find the most appropriate way of implementing the NIS directive.

In October 2017, CERT.LV organized its annual cybersecurity conference. One of the sessions of this conference had a discussion panel on the NIS directive implementation challenges. Representatives from the Netherlands, Estonia and Latvia participated in the discussion.

Several challenges were identified during the discussion:

• Identification of operators of essential services – Every country is responsible for defining operators within sectors set out in the NIS directive. For some sectors (e.g. health care, water supply) setting definition criteria is difficult and either too many organizations are included or very few.
• The directive covers digital service providers. The parameters are such that small countries like Latvia or Estonia most likely will not have many digital service providers as subjects of the NIS directive.
• Another threshold mechanism has to be defined for incidents that the NIS subjects will have to report to their CSIRT teams. Several guidelines exist, but still every country has to find out the best definitions to ensure sufficient information about incidents to their CSIRT teams at the same time not overloading the NIS subjects with extensive mandatory reporting.
• Identification of the cross-border dependencies among the countries is a very challenging task which is very hard to accomplish by the state or CSIRT team. Only private entities have information on how their services depend on data or connectivity to another country. And sometimes even the companies themselves do not have clear picture on how disruptions in their services might affect other parties in other member states.

The NIS directive implementation deadline is coming up next year and then it will be possible to start observing practical implementation issues – how many incident reports are coming in, how much information CSIRT teams share among them and how it influences the overall cybersecurity.

Baiba Kaskina is the general manager of CERT.LV managing all activities including incident response, awareness raising and liaison with the constituencies.