The European Parliament is expected to adopt the Network and Information Security Directive (the NIS Directive) during its plenary session in early July, following which the NIS Directive should enter into force in August 2016. Each EU Member State (Member State) will then have 21 months to implement the NIS Directive into its national legislation. The main provisions of the NIS Directive and its effect on Member States and on those companies that fall within its scope are discussed below.
Goals of the Network and Information Security Directive
The NIS Directive seeks to establish a harmonized approach to cybersecurity throughout the European Union. It will require all Member States, as well as digital service providers and operators of essential services within those Member States (such as e-commerce platforms, social networks, transport, banking, and healthcare services), to implement a range of measures to achieve a level of network and information security that is coherent across the European Union.
Currently, national capabilities and levels of private sector involvement, preparedness, and cooperation regarding the security of network and information systems vary considerably. The NIS Directive aims to establish a baseline for network and data security by introducing harmonized minimal rules to apply in all Member States. The new rules aim to:
Improve cybersecurity capabilities in Member States:
Each Member State will be required to adopt a Network Information Security strategy defining its objectives and policy and regulatory measures regarding cybersecurity. Member States will also have to designate a competent national authority responsible for implementation and enforcement of the NIS Directive, in addition to establishing Computer Security Incident Response Teams (CSIRTs) tasked with handling cybersecurity incidents and risks.
Improve cooperation on cybersecurity between Member States:
The NIS Directive will create a "Cooperation Group" between Member States. This group will facilitate strategic cooperation and information exchanges among Member States. Building on the measures that will be implemented at Member State level, the NIS Directive will also establish a network of Computer Security Incident Response Teams (CSIRTs Network), in order to promote swift and effective operational cooperation on cybersecurity incidents and to share information about security risks.
Establish security and notification requirements for designated operators of essential services and for digital service providers:
The NIS Directive will require that Member States impose network and information security requirements, such as mandatory security breach and incident notification requirements, on operators of essential services and digital service providers. Member States, together with the Cooperation Group, will be responsible for identifying the designated operators of essential services in their respective jurisdictions.
Network and Information Systems
The NIS Directive establishes a framework providing strategic objectives and priorities to enable networks and information systems to resist, at a given level of confidence, any action that compromises the availability, authenticity, integrity, or confidentiality of stored, transmitted, or processed data, or the related services that are offered by, or accessible through, those network and information systems.
Article 4 of the NIS Directive defines a network and information system as:
- An electronic communications network, as defined in Directive 2002/21/EC, which concerns transmission systems and, where applicable, switching or routing equipment and other resources which permit the conveyance of signals by wire, by radio, by optical, or by other electromagnetic means, including satellite networks, fixed (circuit- and packet-switched, including internet) and mobile terrestrial networks, and electricity cable systems, to the extent that they are used for radio and television networks, irrespective of the type of information conveyed;
- Any device or group of inter-connected or related devices, one or more of which, pursuant to a program, perform automatic processing of digital data; or
- Digital data stored, processed, retrieved, or transmitted by elements covered under points (1) and (2) for the purposes of their operation, use, protection, and maintenance.
Operators of Essential Services
The NIS Directive will require that Member State national laws impose network and information security requirements on operators of essential services.
What is an Operator of Essential Services?
Member States, together with the Cooperation Group, will be responsible for identifying the operators of essential services in their territories. The NIS Directive provides the following criteria for determining whether a company operates an essential service:
- An entity provides a service that is essential for the maintenance of critical societal and/or economic activities;
- The provision of that service depends on network and information systems; and
- An incident to the network and information systems of that service would have significant disruptive effects on the provision of that service.
The operators of essential services may be public or private entities in the following industries:
- Energy (electricity, oil, gas);
- Transportation (air, rail, water, road);
- Banking and Financial Markets (credit institutions, financial market infrastructure, operators of trading venues, and central counterparties);
- Health care (including hospitals and private clinics);
- Drinking water supply and distribution; and
- Digital infrastructure (IXPs, DNS service providers, TLD name registries).
Telecom providers are excluded from the application of the NIS Directive. Although their services may be considered essential and satisfy the other conditions, they are regulated by a separate Directive.
Obligations of an Operator of Essential Services:
Chapter IV of the NIS Directive stipulates the obligations that Member States must impose on operators of essential services through their national laws. An operator of essential services will be required to:
- Take appropriate and proportionate technical and organizational measures, taking into account the state of the art, to manage the risks posed to the security of the network and information systems that they use in their operations.
- Take appropriate measures to prevent and minimize the impact of incidents affecting the security of the network and information systems used for the provision of such essential services, to facilitate the continuation of those services.
- Notify, without undue delay, the competent authority or the CSIRT of incidents having a significant impact on the continuity of the essential services they provide. Notifications must include information enabling the competent authority or the CSIRT to determine any cross-border impact of the incident.
- Provide the information necessary to assess the security of their network and information systems, including documented security policies; and
- Provide evidence of the effective implementation of security policies, such as the results of a security audit carried out by the competent authority or a qualified auditor, and, in the latter case, to make the results thereof, including underlying evidence, available to the competent authority.
The competent authority may issue binding instructions to the operators to remedy the identified deficiencies. The competent authority will work together with the relevant data protection authorities when it addresses incidents that result in personal data breaches.
Digital Service Providers
The NIS Directive will also require that Member State national laws impose network and information security requirements on digital service providers.
What is a Digital Service Provider?
The second group of companies impacted by the NIS Directive will be digital service providers located in the Member States. Digital service providers include:
- Online market places, such as e-commerce platforms;
- Cloud computing services; and
- Online search engines.
In addition, digital service providers that are based outside the EU but provide services within the EU will fall under the scope of application of the NIS Directive. Micro and small enterprises are excluded from the scope.
Obligations of Digital Service Providers under the NIS Directive:
Chapter V of the NIS Directive deals with the obligations of digital service providers. Member State national laws will have to require digital service providers to identify and take appropriate and proportionate technical and organizational measures to manage the risks posed to the security of the network and information systems that they use while offering their services within the EU. These measures will have to ensure an appropriate level of security and take into account the security of systems and facilities, incident handling, business continuity management, monitoring, auditing and testing, and compliance with international standards.
Furthermore, Member State national laws will have to require digital service providers to take measures to prevent and minimize the impact of incidents. Digital service providers will have to notify the competent authority or the CSIRT without undue delay of any incident having a substantial impact on the provision of a service that they offer in the EU. Such notification will have to include information to enable the competent authority or the CSIRT to determine the significance of any cross-border impact.
In cases where an operator of essential services relies on a third-party digital service provider for a service that is essential, any significant impact on the continuity of the essential services due to an incident affecting the digital service provider must be notified by the operator. However, this obligation to notify applies only if the operator has access to the information needed to assess the impact of the incident.
If the NIS Directive enters into force in August 2016 as expected, Member States will have 21 months to implement it into national law. Once it is implemented, Member States will have a further six months to identify the operators of essential services. No such identification is required for digital service providers, as they are already deemed to be under the jurisdiction of the Member State in which they have their main establishment, i.e., a head office in the EU. However, those digital service providers that are established or incorporated outside the EU but provide services in the EU should be prepared to designate a representative for the purposes of the NIS Directive in one of the Member States where they offer their services.
Companies that fall within the scope of the NIS Directive should monitor the implementation process in their respective Member States, and the further guidance that the competent authorities of the Member States and ENISA will issue. Moreover, the EU Commission may adopt implementing acts regarding the required formats and procedures with respect to the notification requirements and incident assessment.