New EU-wide rules for essential services including banking, market infrastructures and cloud computing have moved closer with agreements between MEPs and Member States. Under the new rules, firms such as banks and exchanges but also energy and transport providers that are captured under the ‘essential services’ test will have to meet tougher standards for cyber-security. Member States will be required to identify essential services firms, cooperate on common guidelines and work together to raise overall EU capabilities.
The cyber rules, formally called the Network and Information Services (NIS) Directive, are part of the EU's focus on the digital agenda and reflect recognition of the economic and social impact that serious outages of essential services would cause. A network of incident response teams across Member States will be supported by the European Union Agency for Network and Information Security (ENISA) to promote swift operational cooperation and the sharing of intelligence on risks. ENISA estimates that €340 billion is lost across the EU to security incidents caused by human error, technical failures or malicious attacks.
For banks and larger firms, the more consistent approach across borders will be welcomed, as will greater coordination and support. Meeting tougher requirements might be challenging for some, and the need to demonstrate that high standards are being met, alongside additional reporting requirements, will mean investment in cyber-security capabilities.
Following final approval by MEPs and Member States in the coming months, the new rules are likely to be in place from 2018.