The Directive on security of Network and Information Systems (‘NIS Directive’) is the first piece of EU-wide legislation on cybersecurity, providing a set of minimum standards. Member States can always adopt a higher level of security. The NIS Directive entered into force in July 2016 and needed to be implemented by May 2018. It applies to Member States, providers of essential services and digital service providers.
Aim and important provisions
In order to be considered a ‘provider of essential services’, the following criteria must be met (Art. 4(4), Art. 5(2) and Annex II of Directive (EU) 2016/1148):
- An entity provides a service which is essential for the maintenance of critical societal and/or economic activities;
- The provision of that service depends on network and information systems; and
- An incident would have significant disruptive effects on the provision of that service.
The NIS Directive was adopted because the levels of security within the EU differed widely and there was a need for a high common level of security and a harmonised level of protection. It also establishes cooperation among all the Member States by setting up a Cooperation Group and a CSIRT network for sharing information about risks.
Member States need to adopt a national strategy on the security of network and information systems (‘national NIS strategy’) and appoint designated national competent authorities, single points of contact and Computer Security Incident Response Teams (‘CSIRTs’) with tasks related to the security of network and information systems. To improve the cooperation and to exchange information in order to develop trust, the Directive created a Cooperation Group.
The cooperation plan of the NIS Directive includes a competent authority responsible for each of the so-called ‘vital sectors’, such as the healthcare sector. Each country must therefore appoint a competent authority to which cybersecurity incidents in the sector must be notified. For an overview of the different competent authorities in the Member States, see: Link.
Application in the healthcare sector
The NIS Directive imposes different obligations on operators of essential services. Hospitals and healthcare settings will almost always fall under the definition of operator of essential services (Art. 4(4), Art. 5(2) and Annex II of Directive (EU) 2016/1148) and will thus need to comply with its provisions. They will need to prevent and minimise the impact of disruptions affecting the security of their systems, and take technical and organisational measures to reduce the risk posed to the security of their network and information systems. They also need to notify every incident that has a significant disruptive effect on the service to the competent authority for the sector.
European Union, European Parliament and the Council. (2016). Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union. Retrieved from https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2016.194.01.0001.01.ENG&toc=OJ:L:2016:194:TOC.
BEUC. (2018). Digital Health Principles and Recommendations. Retrieved from https://www.beuc.eu/publications/beuc-x-2018-090_digital_health_-_principles_and_recommendations.pdf.
NCSC. (2019). NIS Compliance Guidelines for Operators of Essential Services January 2019. Retrieved from https://www.ncsc.gov.ie/pdfs/NIS_Consultation_document.pdf.
Out-Law.com. (2016, January 7). The Network and Information Security Directive – who is in and who is out? (republished by The Register). Retrieved from https://www.theregister.co.uk/2016/01/07/the_network_and_information_security_directive_who_is_in_and_who_is_out/.