Data leaks, hacking, malware, and more: networks and information systems are prey to growing threats that pose risks to public confidence, economic activity and national security. The NIS (Network and Information Security) directive, adopted on 6 July 2016 and transposed into Luxembourg law by the Law of 28 May 2019, is a major step towards ensuring a high common level of security in the European Union. The directive is aimed in particular at essential services in the energy, transport, health, water, banking and digital infrastructure sectors. It also applies to digital service providers, namely cloud providers, search engines and online marketplaces.
Each member state must decide which national authorities have jurisdiction for monitoring enforcement of the directive. In Luxembourg, the Luxembourg Institute of Regulation (ILR) is responsible for all areas except the financial sector, for which the Commission for the Supervision of the Financial Sector (CSSF) has been designated. In practical terms, 'essential services' must be defined before they can be safeguarded. This (ongoing) process of identification has involved an initial phase of collaboration between the ILR, LIST and the High Commission for National Protection (HCPN). LIST has helped develop a methodology for identifying essential services and operators of essential services that complies with the directive, is innovative and is tailored to the situation in Luxembourg.
Mission accomplished for LIST, which has managed, in record time, to devise a collaborative approach that includes all stakeholders in the sectors concerned, in a structured, reproducible and objective (and therefore indisputable) way.
However, the mission continues because the implementation phase comes next. In June 2019, LIST signed a new collaboration agreement with the ILR which goes even further. For the operators that are identified, LIST will develop a risk analysis model, tools and training to help them organise their risk management, and a scheme to certify their maturity. All these elements will be supported by an IT platform that will also enable operators to report incidents and carry out benchmarking.
LIST is proud to continue this long-standing partnership aimed at optimising, integrating and improving the regulatory cycle in Luxembourg, particularly in the areas of information security, in line with the national cybersecurity strategy.