The NIS Directive is aimed at raising the overall level of cybersecurity across the EU and is the first EU-wide legal instrument that provides the tools to do so. It was adopted by the European Parliament on 6 July 2016 and entered into force in August 2016. Member States were required to transpose the Directive into national law by 9 May 2018 and to identify their operators of essential services by 9 November 2018.
The Slovak Act on Cybersecurity applies to both the public and the private sector and distinguishes two types of organisation: operators of essential services (as the NIS Directive requires) and digital service providers. Operators of essential services are legal entities from sectors such as banking and credit provision, financial market infrastructure, healthcare and transport. Digital service providers are legal entities that provide a digital service, employ at least 50 people, and have an annual turnover or annual balance sheet total exceeding EUR 10,000,000.
Organisations that qualify as an operator of essential services or a digital service provider must notify the National Security Authority (NBÚ) on the date they meet these criteria and, at the latest, six months after the Act comes into force, so the notification deadline is October 2018. The NBÚ will then add the relevant organisations to the list of operators of essential services by 9 November 2018, in line with the NIS Directive. Registered organisations are obliged to adopt the security measures specified in the Act within two years of its entry into force, that is, by April 2020. These measures include mandatory reporting of incidents to the competent authority where the incident has a substantial impact on the provision of the organisation's services. Failure to perform these duties can attract fines of up to EUR 300,000.
The EU's NIS Directive provides legal measures to boost the overall level of cybersecurity in the EU by ensuring [1]:
- Member States' preparedness, by requiring them to be appropriately equipped, e.g. with a Computer Security Incident Response Team (CSIRT) and a competent national NIS authority;
- Cooperation among all Member States, by setting up a Cooperation Group to support and facilitate strategic cooperation and the exchange of information between Member States. Member States must also set up a CSIRT Network to promote swift and effective operational cooperation on specific cybersecurity incidents and the sharing of information about risks;
- A culture of security across sectors that are vital to our economy and society and rely heavily on ICT, such as energy, transport, water, banking, financial market infrastructure, healthcare and digital infrastructure. Businesses in these sectors that a Member State identifies as operators of essential services must take appropriate security measures and notify serious incidents to the relevant national authority. Key digital service providers (search engines, cloud computing services and online marketplaces) must also comply with the security and notification requirements of the Directive.
[1] EU Commission: https://ec.europa.eu/digital-single-market/en/network-and-information-security-nis-directive