by Natasja Bolton, Acquirer Support Manager
On 7th December 2015 it was announced that the European Parliament, the European Council and the European Commission have agreed on the first EU-wide legislation on cybersecurity: the EU Network and Information Services (NIS) Directive. With the emerging threat of cyber-attacks, it is hoped that the NIS directive will provide a more secure cybersecurity infrastructure across Europe.
Once it has been formally approved by the European Parliament and the Council, and published in the EU Official Journal, EU Member States will have 21 months to implement this directive into national laws and a further 6 months to identify operators of essential services.
It is expected that the provisions of the directive will therefore come into force sometime in 2018, meaning that in-scope entities will be required to implement the NIS Directive’s security measures at the same time as the operational and technical security requirements of the revised Payment Services Directive (PSD2).
The PSD2 is due to come into force in 2018/9 and will be applicable to all payment service providers, including banks, as well as the new types of payment service providers: payment initiation services providers and account information service providers.
The proposed directive covers three core areas:
- Improve cybersecurity capabilities in member states through the establishment of a national network information security strategy and regulatory regime;
- Improve member states’ cooperation on cybersecurity to encourage information exchange between member states;
- Require operators of essential services in the energy, transport, banking and healthcare sectors, and providers of key digital services like search engines and cloud computing, to take appropriate security measures and report incidents to the national authorities.
It is this last area that may impact Sysnet’s clients and service providers. The directive will cover “operators of essential services”, such as operators in the energy, transport, water and health sectors, as well as:
- Banking: credit institutions
- Financial market infrastructures: trading venues, central counterparties
- Digital infrastructure: internet exchange points, DNS service providers, top level domain name registries
As Member States are expected to identify these operators on the basis of criteria as to their criticality, for example whether their loss would have a detrimental impact on the nation’s security, health, economic stability or society, it may be that not all entities within scope of these definitions will be obliged to meet the security requirements.
Appropriate security measures and reporting of incidents will also be required of “Digital service providers” (DSPs). DSPs include the following providers:
- Online marketplaces, such as Amazon or eBay, that offer businesses the ability to set up online shops on that marketplace
- Cloud computing services, such as Windows Azure, Amazon Web Services, Google Cloud Computing and other providers of Infrastructure as a Service (IaaS), Platform as a Service (PaaS), Software as a Service (SaaS)
- Search engines
It is therefore highly likely that many of Sysnet’s clients operating payment processing services, hosted ecommerce platforms or other cloud-based merchant solutions will be in scope of this directive when it becomes law.