EU Digital Commissioner Günther Oettinger said yesterday (9 November) that an agreement on new, long-awaited cybersecurity legislation is only “days or weeks” away.
European Commission, Parliament and Council officials are about to sign off on a compromise deal on the network and security information (NIS) directive, according to Oettinger.
“We cannot wait any longer to have it in place,” Oettinger said during the EU cybersecurity agency ENISA’s annual conference in Brussels.
Negotiations over the directive have stumbled along since the Commission proposed the legislation in 2013. Member states have butted heads over what sectors will be required under the directive to report attacks on their systems, raising sensitivities over private companies and national authorities that want to make sure there is a clear limit to the information that’s shared between EU countries.
Luxembourg, the current holder of the 6-month rotating Council presidency, is now trying to push through an agreement in the last weeks before its term ends on 31 December.
“I’m making sure the Commission does its utmost to assist the current legislators to reach an agreement in the coming days or weeks,” Oettinger said.
Officials working on cybersecurity policy say Oettinger wants an agreement on the directive now ? even though many security experts grumble that it is still too watered down.
After the directive clears the so-called trialogue negotiations between Parliament, Commission and Council and is rubberstamped, ENISA will step in to guide member states on how they should apply the law.
Yesterday, Oettinger said the agency would take on an “even more prominent role” as the directive’s secretariat.
“ENISA may be requested by member states to provide assistance in building up their own cybersecurity capabilities. In particular member states may call upon ENISA to help develop the national cyber incident response teams,” the Commissioner said, referring to the groups of experts already set up in some member states to react to security breaches. The NIS directive would require all EU member states to put together those security teams.
Insiders say it’s still unclear whether ENISA’s new role will mean the agency will host meetings with member states to parse out the directive, or rather be more administrative.
ENISA has been operating on a shoestring budget and will likely hire new staff to manage its new role as secretariat of the NIS directive.
Oettinger announced that the Commission would present an industrial strategy in the first half of 2016 as part of a broader effort to boost Europe’s now “significantly fragmented” cybersecurity industry and make companies focused on security and privacy more competitive.
The Commission is expected to launch a public consultation within the next few weeks on its strategy to boost the cybersecurity industry.
An EU cyber security strategy was presented by the Commission and in 2013, covering the internal market, justice and home affairs and foreign policy angles of cyberspace.
The European Commission shortly after proposed a Directive with measures to ensure harmonised network and information security across the EU.
The proposed legislation will oblige companies to be audited for preparedness and to notify national authorities of cyber incidents with a “significant impact.”
The directive also suggests that market operators will be liable regardless of whether or not they carry out the maintenance of their network internally or if they outsource it.
The EU singled out a number of sectors which it claimed require more action on cybersecurity including “critical” infrastructure operators in energy, transport, banking and healthcare services.
All member states would be required to adopt network and information security strategies and set up teams to respond to incidents. Cooperation networks would be created at EU level.
>> Read our LinksDossier: Cybersecurity: Protecting the digital economy
- 9 Nov. 2015: EU Commissioner Günther Oettinger said negotiations on the NIS directive should conclude in "days or weeks"