Legal Alert – EU Institutions Agreed on EU-Wide Rules on Cybersecurity – Implications for Finnish Companies
After extensive negotiations, the European Parliament and the Council reached an agreement on December 7 on the upcoming Directive on Network and Information Security (NIS). The agreement is considered a milestone, as the NIS Directive provides the first ever EU-wide rules on cybersecurity. The proposed NIS Directive followed the 2013 EU Cybersecurity Strategy and is instrumental in establishing the European Digital Single Market. Information systems and essential networks and services, such as electricity grids or traffic control, are vulnerable to security incidents caused by technical failures, mistakes or attacks. The principal aim of the Directive is to achieve a high level of network and information security and to improve cybersecurity across Europe by increasing preparedness to handle security incidents and risks.
The Directive requires all Member States to adopt a national cybersecurity strategy and to appoint a competent national authority to handle NIS matters. The NIS Directive also aims to improve collaboration among Member States and between the public and private sectors. Under the new rules, Member States shall establish national Computer Security Incident Response Teams (CSIRTs), which will deal with incidents and risks. Cooperation between Member States will be strengthened by establishing a CSIRT network and a strategic “Cooperation Group” consisting of representatives of the national competent authorities, the EU Commission and the EU Agency for Network and Information Security (ENISA). These mechanisms enable Member States to exchange information and best practices and to discuss cross-border NIS issues.
The NIS Directive will particularly affect Finnish companies operating in critical sectors such as transport, finance, energy and healthcare. In addition, the rules may apply to operators of online marketplaces, search engines and cloud computing services. Under the new rules, companies providing essential services need to take appropriate measures to ensure that their digital infrastructure is secured against cyberattacks. Furthermore, the Directive obligates such companies to report major cyber-incidents to the national authorities. The operators of essential services will be identified by the Member States according to certain criteria. However, the agreement provides for an exemption for micro and small digital companies.
The provisional agreement is expected to be formally approved by the Parliament and the Council by December 18. Following approval, the NIS Directive must be implemented in Finland by autumn 2017.