Like most EU directives, it has the somewhat sexy name of the Network and Information Security Directive, which is shortened to NIS. NIS could mean anything, so everyone can be safely confused, particularly when magazines like ours muddy the matter by calling it the "no ignorant stuff-ups" directive, which is pretty much what it is.
NIS should be in force by August 2016, after which Member States get a couple of years to write it into national law. Once that is done, if you have an ignorant stuff-up with your cyber security you will get a visit from a very angry man from Brussels who will make you wish for a referendum so you can escape the consequences.
The cunning plan is to create a harmonised approach to cybersecurity throughout the European Union. All Member States, as well as the digital service providers and operators of essential services within them, will have to put in place measures that achieve a level of network and information security that is coherent across the Union.
Each country will have comparable rules, a national authority in charge of NIS, and a computer security incident response team (CSIRT) staffed by people who can actually handle hacking. Those authorities and CSIRTs will share threat and incident information across the EU, and the Directive tightens the security and incident-notification requirements for operators of essential services and for digital service providers.
One thing that companies will have to worry about is that if they are hacked, they will not be allowed to pretend it never happened and point vaguely to the horizon and say "oh look, there is a badger with a hand-gun". Instead they will be required to report any incident that has a significant impact on their service to the appropriate authority or CSIRT without undue delay, and explain how the cock-up happened.
The Directive itself names no penalties for not telling the authorities; it leaves each Member State to set its own, with the only guidance being that they must be "effective, proportionate and dissuasive". What that means in practice nobody yet knows, although suggestions that the CIO should be burnt at the stake in the company car park do come to mind.
Like many EU directives, this one manages to make itself sound as exciting and relevant as a speech by Matteo Renzi. The only difference is that some of these do actually end up making a hell of a difference, whereas Renzi is a chocolate teapot in all circumstances.
One thing the Directive will define is what counts as an essential service, and there will be national laws requiring the operators of those services to meet specific security and incident-reporting obligations. Obviously the key issue is that the essential service has to actually work and be fit for purpose, something that many operators have not quite got the hang of. Try to use a mobile phone in the countryside and you will see what I mean.
Operators in sectors such as energy, transport, banking, financial market infrastructures, health care, drinking water supply and distribution, and digital infrastructure will all have to beef up their security act. Digital service providers, meaning online marketplaces, search engines and cloud computing services, get a lighter-touch version of the same obligations.