European Union - Cyber-Security
Network and Information Systems (NIS) Security Directive
The European Network and Information Systems (NIS) Security Directive, applicable since 2016, sets a minimum baseline of requirements to ensure better protection of critical infrastructures in Europe. The legislation sets basic principles for Member States for common minimum capacity building and strategic cooperation. It also directs operators of essential services (OES) and digital service providers (DSP) to ensure they apply basic common security requirements.
DSPs are broadly defined to include online/e-commerce marketplaces (including app stores), online search engines (excluding search functions limited to a specific website), and cloud computing services. Network and information systems are considered to be the e-communications network, connected devices and digital data. The obligations for both OES and DSPs are: to take technical and organizational measures for NIS risk management; to prevent and minimize the impact of NIS security incidents; and to notify, without undue delay, incidents having a significant impact on the continuity of the essential services they provide.
More information on the legislation:
https://www.export.gov/article?id=New-EU-Cyber-Security-legislation
https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016L1148&from=EN
More information on the state of play of transposition in Member States:
https://ec.europa.eu/digital-single-market/en/state-play-transposition-nis-directive
Cybersecurity Act
The EU adopted the Cybersecurity Act in March 2019 to set up a mechanism to develop voluntary EU certification schemes for ICT security products, processes and services. The Cybersecurity Act does not set out requirements in detail but lays out the elements that should be in any given scheme to provide assurance on security requirements for all ICT products, services and processes. The areas that would benefit from certification schemes will be proposed either by the European Commission through an annual work program or by a stakeholder group. Product manufacturers and service providers are encouraged to monitor the development of these schemes.
More information:
https://ec.europa.eu/commission/news/cybersecurity-act-2018-dec-11_en
https://www.enisa.europa.eu/topics/standards/certification