EU Agrees To Strong Cybersecurity Rules For 'Essential Services,' Cloud, And More

Members of the EU Parliament, Commission and Council agreed last night to EU-wide cybersecurity rules that would impact industries such as energy, transportation, banking, health, but also some major service providers such as Google, Microsoft, Amazon, eBay and others.

The rules will define the new Network and Information Security directive, which will apply to all 28 EU countries, but each country can implement its own laws and regulations to correspond with the directive. For instance, the countries themselves will be the ones to decide which organizations they deem to be operating "essential services," where the strictest cybersecurity rules will apply.

These organizations will need to ensure that their data is "cyberattack-proof." Although nothing truly is hacking proof, it should give them enough incentive to always strive for the best security money can buy. This should prevent situations, such as in Sony’s case, where the manager in charge of IT security of the company didn’t think it’s worth investing too much in security.

Hacking may often seem like a random act, which is why many companies may allow themselves to be more careless with the security of their services, even if they operate important infrastructure or handle databases with sensitive data of millions, or tens of millions, of customers. Strict rules that bring with them hefty fines for getting hacked could be the necessary incentive to reduce the possibility of hacking and minimize the damage of that data breach.

Major digital service providers, including cloud computing companies, will be subject to a lighter regulatory regime. Until last year, the NIS draft said that such services were supposed to implement the same type of strong security that “essential services” would need to have, but about half of the EU countries, led by the UK, opposed the plan. These companies will also be required to report the security breaches to local authorities.

Small businesses will be completely exempt from these new rules, mainly because they may not be able to afford qualified security experts or security equipment that would be more attainable by large companies. However, this doesn’t mean small businesses shouldn’t treat security seriously. Even if they don’t get fined by the European Commission for data breaches, such hacks could still put their business in peril before they even get a chance to get off the ground.

The new NIS directive will also require that each country has its own Computer Security Incidents Response Team (CSIRT), which should coordinate with each other and provide companies with assistance during major security incidents.

European Commission Vice-President Andrus Ansip also said that trust is paramount for the security of digital services and that governments should stop trying to push backdoors, no matter how tempting they may sound. Such proposals could hurt not just the security of digital services, but also economic growth, as fewer people would trust those services.

"We are all concerned by the spread of hate speech, online radical content and how terrorists increasingly exploit communication channels for their own purposes. The Commission is doing all it can to counter this, on its own and with others.But in this light, we should not demonise the Internet. The Internet itself is not to blame.All rules should certainly be directed at protecting our people and their freedoms, while defending their security. But we must always ensure a proportionate balance. So-called 'backdoors to Internet' may sound tempting to ensure security, but would ultimately erode trust."

What seems to be lacking so far from these new directives is an encouragement to use open source software for security-critical systems. Open source software can be more easily audited and can also be seen by a larger community of security experts at once. Recent studies by the research committees of the European Parliament have already recommended that the EU should finance key open source tools and use software such as Qubes OS, OpenBSD, TAILS and end-to-end encrypted messaging solutions for increased security and privacy.

The NIS directive draft still needs approval from national governments and the European Parliament. The vote is expected to take place in spring next year, and then national governments will have around two years to implement it with their own laws. The NIS directive should become official by the end of 2018.


Lucian Armasu joined Tom’s Hardware in early 2014. He writes news stories on mobile, chipsets, security, privacy, and anything else that might be of interest to him from the technology world. Outside of Tom’s Hardware, he dreams of becoming an entrepreneur.

You can follow him at @lucian_armasu. Follow us on Facebook, Google+, RSS, Twitter and YouTube.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • nikolajj
    Sad that this is needed, but good news!
  • hammereditor
    Finally, one politician truly understands the Internet and doesn't go crazy with backdoors and killing encryption.
  • vudtmere
    More government, more laws, more regulations... This is never the answer. If property rights were the only thing protected then enterprise organizations would be liable for loss of data that adversely effected their customers. It is no wonder that the entirety of leading nations are in inescapable debt. We have allowed the central planners to take our money and waste it. And this too will be a waste.