The threat posed by cybercrime, online industrial espionage and attacks on critical infrastructure is growing. The annual cost to the global economy from cybercrime and cyberespionage is estimated at over $445 (£266) billion. The proposal for a ‘Directive of the European Parliament and of the Council concerning measures to ensure a high common level of network and information security across the European Union'(NIS Directive) attempts to address the issue of lack of effective sharing of data on cyber threats and incidents. The EU Commission has asserted that the voluntary and ad hoc nature of information-sharing between businesses, governments and Member States results in "uncoordinated regulatory interventions, incoherent strategies and divergent standards, leading to insufficient protection against NIS across the EU."
Back in February 2013, the European Commission presented its proposal for the NIS Directive, which accompanied the EU’s cyber-security strategy. This was approved by provisional agreement on December 18, 2015. Formal adoption is now a step closer following a vote by the European Parliament’s internal market and consumer protection (IMCO) committee held on January 14, 2016, which was in favour of the NIS Directive (34-2).
The proposal contains a number of measures to strengthen EU efforts in tackling cyber security, including creating a system to fulfil security measures and notify significant cyber incidents. This incident reporting system would apply to critical operators in: energy, transport, health or banking fields. Search engines, cloud computing services and online marketplaces will also be affected.
The main requirements
The NIS Directive will impose new network and information security requirements on any ‘operator of essential services’ and ‘digital service providers’ (DSPs), including reporting certain security incidents to competent authorities or Computer Security Incident Response Teams (CSIRTs). There are two main requirements for companies under the NIS. The first, is to implement security measures that “guarantee a level of security appropriate to the risk presented”. The second is “to notify national authorities of any security incident that has a significant impact on the continuity of core services they provide.” Obligations on DSPs will be less onerous. However, DSPs will still need to report security incidents that they experience where the incident has “a substantial impact on a service… they offer within the Union.” Even more significant is perhaps the requirement for regulators to share information amongst each other via NIS Cooperation Plans.
Under the NIS Directive an operator of essential services is considered to be an entity that provides a service that is essential for the maintenance of critical societal and/or economic activities, so long as the provision of that service depends on network and information systems and if an incident to the network and information systems of that service would have significant disruptive effects on the provision of those services. Internet exchange points, such as the London Internet Exchange (LINX), as well as domain name system service providers, have been added to the Directive's list of operators of essential services. It will be up to the discretion of Member States to decide how critical an operator or infrastructure is.
Although the Security Directive is unlikely to come into force in the UK in the near future, the on-going focus on cyber security should serve as a timely reminder to companies that cyber security has become a critically important and high profile issue for risk management. A consequence of this pending regulation will be the requirement for organisations to establish cyber-incident response plans that will need to be rehearsed, including the establishment of a mechanism to capture any lessons learned. It should also be remembered that the UK has started implementing its own NIS strategy and companies are advised to be proactive and review existing cyber-security and ICT policies in light of the ten steps.
Where to now?
The IMCO committee has published a table, dated January 13, 2016, which provides a useful overview of the different institutions’ positions during the negotiations and sets out an article-by-article comparison of the key differences between the Commission proposal, European Parliament’s position, and the Council position. The NIS Directive will now be put forward for a full plenary vote in the European Parliament. Once it is published in the Official Journal of the European Union and enters into force later this year, Member States will have 21 months to transpose it into national law. These processes are likely to be complicated, and companies that may fall within scope, especially DSPs, will need to monitor developments across the EU over the coming months.