Brussels, 08/12/2015 (Agence Europe) - The European Union should be better prepared for confronting cyber attacks as from 2019. After two and a half years of negotiations, representatives from the EU Parliament and Council concluded a provisional agreement on Monday 7 December on a draft directive that makes essential and digital service operators and providers responsible for providing certain guarantees. The text has to be formally endorsed by the two institutions before it can be adopted.
Services affected. The new directive sets out the sectors in which service providers will have to provide guarantees for their ability to resist cyber attacks. These involve the energy, transport, banking, financial markets, health and water supply sectors. The text calls on member states to identify which are the “essential” service operators in these sectors and, to achieve this task, sets out a number of concrete criteria: whether the service is essential for society and the economy, whether it depends on networks and information systems, whether an incident can have a significant impact on the service provided and public security, etc. The directive also covers certain Internet providers such as the online markets (eBay, Amazon), search engines (e.g. Google) and computer cloud systems, even though the latter are subject to much less stringent requirements and surveillance. The co-legislators justify this decision because they believe it “reflects the degree of risk that any interruption of their services could represent to society and the economy”. The informal agreement also includes exemptions for micro and small digital companies.
Cooperation between member states. The compromise also sets up a strategic cooperation group for exchanging information and best practices and drawing up guidelines on helping member states strengthen cyber security capacity. Each EU country will be expected to appoint one or several national authorities and define a strategy for tackling cyber security questions. A network of intervention teams will also be set up in the event of information security incidents occurring. These will be set up in each member state and will manage the incidents in question, discuss cross-border security questions and identify coordinated responses.
Once the agreement is formally endorsed by the co-legislators, member states will have twenty-one months to transpose the directive into their respective national law. They will then have another six months to identify the service operators they consider “essential”. (Original version in French by Sophie Petitjean)