Last 19 July, the Official Journal of the European Union (OJ) published the Directive (UE) 2016/1148 of the European Parliament and of the Council of 6 July, concerning measures for a high common level of security of network and information systems across the European Union.
The text includes 75 legal foundations, 27 articles and 3 annexes. Article 25 establishes that the member states must adopt and publish, by 9 May 2018 at the latest, the legal, regulative and administrative provisions to complement the directive’s requirements and apply the planned measures from 10 May of the same year.
According to article 1, measures to be applied to meet the objective of improving the workings of the internal market, within the framework of achieving a common high level on networks and information systems within the European Union, are the following:
Oblige all member states to adopt a national security strategy for the network and information systems.
Create a cooperation group to provide support and facilitate strategic cooperation and information exchange between the member states and develop trust and security among them.
Create a network of teams to respond to situations involving computer security (the CSIRTnetwork – Computer Security Incident Response Teams) to contribute to the development of trust and safety among member states and promote operational cooperation which is fast and efficient.
Set requirements concerning security and information for essential service operators1) and digital providers.
Set out obligations so that member states can appoint competent national authorities, single points of contact and CSIRT with functions related to network security and information systems.
1) Article 4.4 of the directive defines them as a public or private entity of energy subsectors (electricity, crude oil and gas); transport (air, rail, sea and river, and by road); banking; the infrastructure of financial markets; the healthcare sector; provision and distribution of drinking water, and digital infrastructure.