The EU has this week agreed the final wording of the Network and Information Security Directive (“NISD”).
The NISD is focussed on protecting the technological infrastructure that underpins critical national infrastructure, and achieving a minimum security standard across all EU countries.
In addition to ensuring EU Member States are suitably prepared and equipped for cyber-security challenges, the NISD also places a direct obligation on certain private enterprises, referred to as “Market Operators”, to report security incidents having a significant impact on the core services they provide.
The final wording of the NISD has not yet been published, but reports indicate that the headlines are as follows:
- The definition of Market Operators has been cast widely, and will include not only the operators of critical infrastructure in the fields of energy, transport, water, banking, financial markets, the food supply chain and health, but also search engines, cloud computing services and online marketplaces;
- There is a mechanism in the NISD by which EU member states will specify which organisations are Market Operators;
- Once the final text is formally adopted, the Member States will have 21 months to adopt implementing legislation bringing it into law. They will then have a further six months to determine which entities will be Market Operators;
- Incident reports will be made to a NISD regulator. In relation to the UK, it is unclear at this stage whether this will be an entirely new regulator, or whether the role will be split between existing regulators (e.g. the FCA);
- The question of which country’s regulator to report to will be determined by the country in which the relevant Market Operator has its European headquarters; and
- EU member states will be required to provide for sanctions for failure to comply with the NISD. Such sanctions will have to be effective, proportionate and dissuasive. These are likely to include significant fines.
Whilst implementation is still some months away, organisations likely to be deemed Market Operators should start preparing now for the new breach notification requirements.