The new NIS directive should enable cyber-security improvements in Europe as it will force critical operators to report on major security incidents.
Reporting on critical incidents in order to standardize cyber-security…
The NIS directive will allow the European Union to set a standard for security. In order to achieve this, it will require Operators of Essential Services (OES) to report major security breaches to the appropriate authorities. Where the recent military program legislation in France applied only to a specific group of “vital” operators (OIVs), the NIS directive covers a far greater range of actors, including:
- Industrial energy production sites ;
- Telecommunications operators ;
- Transport agencies ;
- Hospitals, etc.
The list is not yet fully defined and may eventually apply to companies such as Amazon, Google, Ebay and other large internet companies, though not to social networks like Facebook.
Establishing a database…
Thanks to this directive, major European security incidents will be recorded and analyzed. The definition of what constitutes a major incident remains vague though and more precision will be needed in order to fully define the process. A key advantage will be the ability to access industry-specific databases. Until now, these vital actors had no obligation to share information regarding critical security incidents. This made it very difficult to identify weaknesses in their cyber-defenses. The NIS directive will significantly improve the entire community’s cyber-security due to this increased transparency. With reliable and centralized information, European cyber-security players will now be capable of:
- Identifying recurring security problems
- Proposing actions to address them
- Creating a cyber-security map to better fight against attacks
NIS: Cyber-security and competitiveness
Will this directive need adjustment?
The AFDEL (French Association of Software and IT Solutions Providers) is concerned that the NIS directive will threaten SMB competitiveness as it would decree identical rules regardless of size. Small companies would be at a disadvantage based on financial capabilities and some might not even have a dedicated IT team. In its current state, the directive would force such companies to dedicate specific resources to this at the expense of their competitiveness. In order to ensure efficiency and compliance, the directive will need to differentiate according to company size. This will result in improving innovation and preventing a perception that the directive is invasive and counterproductive. How can a startup maintain its image and credibility if it has to report all cyber-security issues?
Military program legislation and OIVs
The military program legislation adopted in 2013 in France already forces OIVs to implement a number of actions for cyber-security. The objective of this action plan is to strengthen the protection of the country’s vital infrastructures against cyber-attacks. The NIS thus becomes the perfect complement to this law by forcing companies to report in addition to improving protection levels.
The NIS directive clearly constitutes a step in the right direction by forcing companies to report on their major security incidents. It will facilitate the centralization of data gathering and thus improve the quality of the analyses that help to improve the cyber-security of critical infrastructures. In order to prevent damage to competitiveness though this directive will need to adapt its application to companies of different sizes.