With the context of the NIS directive as a starting point, Marc Wouters pointed out the distinction between two groups of digital service providers: those involved in the critical infrastructure environment (with ‘ex ante’ supervision because of specific expectations) and those providing services to the economy in general (with a lighter-touch ‘ex post’ supervision). The latter class includes online search engines, digital marketplaces and cloud computing services (‘in general including SAAS providers’). The supervision must result in solid, trustworthy services for customers, as well as a balanced playing field for providers.
In practice, the supervision strategy will focus on basic expectations, with resilience and continuity of services as enablers of the digital economy. Providers will take measures, both technical and organizational, to guarantee this, as well as the protection of valuable data. A risk management culture is a must.
To start, supervision will be reactive, followed by a phase of network building for the sharing of best practices. In a couple of years, more results regarding certification could be expected. There will also be focus groups for providers in the critical/essential services business and for DSPs catering to federal public authorities. Efforts will be made to establish unified platforms for notification.
And one solid piece of advice: do not wait for the authorities to contact you to start! Do peruse this presentation as an excellent primer.