The first EU cybersecurity law went into effect on Wednesday (9 May), as negotiators continue to hammer out details of a second bill that will create even more rules in the area.
The new law will require firms running “essential” services, including water, energy, transport, health and banking operations, to inform national authorities if they are hit with serious cybersecurity breaches. Providers of cloud computing services, search engines and online marketplaces will also need to report those incidents.
Companies will face fines if they don’t report breaches. So far, only the UK government has announced the level of its fines under the law—up to £17 million, or €19 million. A European Commission official said last week that Brussels expects other countries to introduce similarly high sanctions.
The ink on the so-called network and information security, or NIS, directive is not dry yet. While most measures of the law took effect on Wednesday, some elements will kick in later this autumn.
EU countries are moving to enforce the law at different paces—and not all were ready to finalise their versions of the rules shortly before Wednesday’s deadline, an official said.
But Commission officials are already trying to use the momentum from the bloc’s first cybersecurity law to push for a quick breakthrough on the pending cybersecurity bill that is currently still making its way through negotiations.
That draft legislation, known as the cybersecurity act, will give the bloc’s cybersecurity agency ENISA more money and power, and create an EU-wide system for certifying the security level of internet-connected devices.
Andrus Ansip, the EU Vice-President in charge of the bloc’s digital policies, called the NIS directive “a strong basis we need to build on” before the new law took effect on Wednesday.
The 1st EU-wide #cybersecurity rules apply as of 9 May. It's a strong basis we need to build on: I call @Europarl_EN & @EUCouncil to adopt asap our proposal to strengthen @enisa_eu & set up EU cybersecurity certification framework.
➡️ joint statement: https://t.co/YqMQ5wxEtZ
— Andrus Ansip (@Ansip_EU) May 4, 2018
The Commission has vowed to broker agreement during the current administration’s term on all open policy files that it proposed since 2015, under its flagship digital single market programme. Time is running out: the current Commission’s mandate ends next year and a number of bills are still stuck in negotiating limbo.
EU officials have said that their plan to propose the cybersecurity act last September was not prompted by the massive WannaCry and NotPetya attacks that caused damage to European companies just months earlier. But the incidents grabbed headlines and created a sense of political urgency around cybersecurity.
MEPs and national governments have not yet agreed on their separate versions of the pending cybersecurity act. The legislation can only go into effect once a compromise is sealed between the European Parliament, national diplomats and the Commission.
Cybersecurity is a sensitive area for national governments, which are cautious about how much information they share with other countries. But in Brussels negotiations, the NIS directive and the cybersecurity act have been less divisive than other backlogged EU digital files—like the fraught bill to reform the bloc’s copyright rules, or the draft ePrivacy regulation. Negotiations on both of those files are moving slowly.
A Commission spokeswoman said before Wednesday’s deadline that “most member states are making good progress” on implementing the NIS directive into their national laws.
In addition to the requirement for companies to report cybersecurity incidents if they operate essential and digital services, the new legislation requires EU countries to set up expert groups that can respond to breaches and coordinate with similar units in other member states in case of a serious attack.
All EU countries have already appointed those experts to comply with the law. The Commission has pointed out that the network of national cybersecurity experts was already in place after the WannaCry attack in May 2017. Authorities from different EU countries shared information about their strategies and coordinated their responses to the breach.
The UK was one of the countries whose cybersecurity response experts communicated with other European units after WannaCry.
Julian King, the British Commissioner in charge of the bloc’s security union, has called for the United Kingdom to continue cooperating with the EU on cybersecurity issues even after Brexit. The UK government has emphasised that it wants to maintain close ties to the EU regarding security issues.
King wrote in an op-ed published last weekend in the New Statesman, “cyber risks are not targeted against any one European nation, but against all of us, and the values we share; they travel easily across borders”.
He named the NIS directive and the draft cybersecurity act as examples of EU legislation aimed at improving the bloc’s abilities to protect companies and public offices from hackers.
“So ongoing cross-border cooperation will continue to be the best way to manage a cross-border threat – something which both sides in the current Brexit negotiations have recognised,” he wrote.