The growth in cloud computing is a double-edged sword, and the European Network and Information Security Agency (Enisa) has published a new report on the cloud about one week after the European Commission announced its plans for a new Network and Information Security (NIS) Directive.

On February 7, the European Commission, with the High Representative of the Union for Foreign Affairs and Security Policy, announced their cybersecurity strategy for the European Union. As part of this strategy, the Commission also proposed a draft directive on measures to ensure a common level of network and information security across the EU.

The proposed directive is the vehicle to implement this cybersecurity strategy. It introduces several measures to boost cybersecurity.

These include the requirement for EU member states to adopt a network and information security strategy and to authorise national NIS authorities to prevent, and take action in relation to, NIS incidents; the obligation for operators of “critical” infrastructures in certain sectors (financial services, transport, energy), providers of information society services and public administrations to implement proper security measures and report incidents that have a serious consequence for the services they provide; and the establishment of a cooperation network to enable the national NIS authorities, the European Network and Information Security Agency, the European Commission and, sometimes, the Europol Cybercrime Center to share warnings on dangers and incidents and work together to combat cybercrime.

Under that proposed new law, Enisa would help the European Union’s member states share information and data regarding security violations.

Enisa regards the cloud as an area of serious concern and risk, given its use in significant sectors such as finance, health and energy. Its director, Udo Helmbrecht, approved the plans for compulsory violation reporting in the new directive, specifically for cloud services.

There is also a call for greater transparency about the rational and substantial dependencies of critical operators and services on cloud computing services.

The proposed NIS Directive includes examples of companies that would need to report cyber incidents: cloud computing service providers; search engines; e-commerce platform providers; social network providers; music and video sharing services; major online computer games; and application stores.

So that companies can avoid dealing with all 27 EU member states when reporting cyber incidents, the Commission has stated that it would encourage the development of common reporting systems through implementing measures for the directive.

The proposed directive was submitted to the European Parliament and the European Council for their review and adoption. Following the adoption, the member states will have 18 months to transpose the directive into their national laws.

Chryssa Tsiotsi is a lawyer specialising in information technology and telecommunications laws.
