On 17 May 2016, the EU Council officially adopted the first EU-wide legislation on cyber security – the Network Information Security Directive – paving the way for the Directive to come into force in August 2016.
The Directive will impose obligations on 'operators of essential services' in high-risk sectors such as energy, transport and finance to take measures to minimise their cyber risk, and to report certain cyber incidents. The Directive complements the General Data Protection Regulation, which was adopted in April 2016 and applies from May 2018, and which introduces much increased maximum penalties for cyber security breaches that affect personal data. (Our guide to those rules is here.)
Once the Directive comes into force, EU member states will have 21 months to transpose it into national law - but businesses affected should be getting ready now.
The aim of the Directive.The Directive aims to establish a high common level of network and information security across the EU. Once implemented, member states will be required to co-operate to implement a comprehensive cyber strategy.
How will the Directive become law? The Council will now transmit its position to the EU Parliament, which is expected to vote on the Directive in early July 2016. This vote will facilitate the Directive’s entry into force in August 2016. Member states will then have 21 months (ie until May 2018) to transpose the Directive into national law, and a further six months (ie until November 2018) to identify which 'operators of essential services' fall within the Directive’s scope.
Does the Directive affect my business? The Directive imposes obligations on public and private 'operators of essential services'within certain sectors: energy, transport, banking, financial market infrastructures, health, drinking water supply and distribution, and digital infrastructure. Member states may determine precisely which entities are “operators of essential services” either by adopting a list identifying each entity, or by adopting a set of criteria.
The Directive also applies to 'digital service providers,' including all operators of e-commerce platforms, search engines and cloud computing services. The European Parliament have specifically identified Amazon, eBay and Google as examples of such companies. Telecoms companies, which are already subject to a similar regime, are not included.
What obligations does the Directive impose on 'operators of essential services'? Qualifying businesses must take 'appropriate and proportionate technical and organisational measures' to minimise the impact of cyber security incidents and to ensure continuity of their services. National regulatory authorities will determine the precise measures to be taken. These measures may include steps that infrastructure companies should already be looking to implement in order to minimise risks, such as:
- ensuring that appropriate corporate governance and compliance procedures are in place;
- ensuring that technology systems and networks are appropriately secured and monitored;
- ensuring that employees are trained and aware of cyber risks; and
- ensuring that a business continuity plan and incident response plan (involving personnel from IT, legal, HR and PR) are in place;
- reviewing existing contracts to ensure they adequately address auditing supplier systems, force majeure defences, limitations on liability and notifications of cyber incidents.
Businesses subject to the Directive must also report – ‘without undue delay’ – any incidents that have a significant impact on the continuity of their services. Businesses must assess whether incidents are reportable taking into account: (i) the duration of the incident; (ii) the number of users affected by the disruption of the service; and (iii) the geographical spread of the area affected by the incident. National authorities are expected to act together, in cooperation with the European Network and Information Security Agency, to develop guidelines concerning the test for mandatory notification.
The Directive requires national authorities to consult with a reporting entity before making the reported incident public. Incidents will only be made public where publicity is necessary in order to deal with the incident or prevent a further incident.
What obligations does the Directive impose on 'digital service providers'? Similar security and reporting obligations apply to 'digital service providers.' These businesses must report any incident that has a substantial impact on the provision of the relevant digital service. However, supervision of these entities will be lighter. For example, national authorities will only be empowered to act on an ex post basis.
What happens if your business fails to comply with the Directive? Each member state will determine the applicable sanctions for non-compliance with the Directive. As a point of comparison, the German IT Security Act 2015 – which introduced minimum IT security standards and mandatory reporting obligations on operators of critical infrastructure – provides for fines of up to €100,000 for the most serious breaches. It is not yet clear whether the UK , whose approach to improving cyber security has traditionally been based on voluntary information sharing and standards, will introduce similar sanctions.
What action should your business take now? If your business is in a relevant sector, you’ll need to establish whether you’re an 'operator of essential services' or a 'digital service provider' and are therefore covered by the Directive. If your business will be subject to the Directive, you should:
- assess compliance with national law obligations on minimising cyber security risk;
- assess and refresh cyber security policies;
- ensure relevant staff are aware of their responsibilities in the event of a cyber incident;
- ensure you can assess any incidents, and report significant incidents to the national authorities promptly; and
- consider the costs of ensuring compliance with the Directive’s security standards and reporting obligations.
For more guidance on how to assess your cyber risk, click here.