Incident notification for DSPs in the context of the NIS Directive
On February 27th, 2017, the European Union Agency for Network and Information Security (ENISA) published the Guidelines on “Incident notification for DSPs in the context of the NIS Directive”.
As stated by ENISA, “[t]his report provides preliminary guidelines on how incident notification provisions for Digital Service Providers could be effectively implemented across the EU. Based on valuable input from Member States and companies directly impacted by the Directive, this guideline arises from their good practices in matters such as identifying types of incidents, parameters and thresholds. The overall result is an outline technical proposal that can tentatively be used in the implementation process”.
This is an important step in the enforcement of the Network & Information Security (NIS) Directive.
As indicated in the Executive Summary, “[t]he NIS Directive is the first piece of EU legislation specifically aimed at improving cybersecurity throughout the Union. By ratifying a definite number of obligations across the EU, the Directive will help ensure a consistent approach to cybersecurity “with a view to achieving a high common level of security of networks and information systems within the Union so as to improve the functioning of the internal market”. The main points of the NIS Directive can be summarised as follows: improved cybersecurity capabilities at national level, increased EU-level cooperation, security measures and incident reporting obligations for Operators of Essential Services (OES) and Digital Service Providers (DSP). The scope of this study is limited to relevant provisions of the NIS Directive on Digital Service Providers (DSPs) and their current activities in this field”.