Negotiators of the European Parliament, the Council and the European Commission have agreed on the first EU-wide legislation on cybersecurity. This will also make eHealth services more secure - healthcare providers will have to take appropriate security measures and notify serious incidents to the relevant national authority.
The new rules of the Network and Information Security (NIS) Directive act on three levels:
Firstly, the NIS Directive will improve cybersecurity in EU countries. Each Member State is obliged to have a national strategy, to identify who will enforce this and to set up a Computer Security Incident Response Team to handle incidents and risks.
Secondly, and because the internet and cyber-attacks don't stop at national borders, the rules will help Member States and their Computer Security Incident Response Teams to cooperate on cybersecurity issues and to share information about risks.
Finally, the rules mean that operators of essential services – like healthcare providers (but also power companies, financial institutions, transport providers and digital infrastructure) – and those who provide the online marketplaces, search engines and cloud computing services at the heart of the digital economy must take appropriate security measures and inform the authorities when they have a cyber-incident.
In his blog post, Commissioner Oettinger states: "This initiative should be instrumental in structuring research and innovation for digital security in Europe, ensuring that there will be a sustained supply of innovative cybersecurity products and services. I want European citizens and businesses to have access to the latest digital security technology developments, secured infrastructures and best practices, which are trustworthy and based on European rules and values."
The NIS Directive, proposed by the Commission in 2013 and now agreed on by the European Parliament and the Council, aims to ensure a high common level of cybersecurity in the EU. And since healthcare providers are included among the businesses with an important role for society and the economy, referred to in the Directive as 'operators of essential services', they will have to take appropriate security measures and notify serious incidents to the relevant national authority.