The Directive on Security of Network and Information Systems (so-called ‘NIS Directive’) was adopted by the European Parliament on 6 July 2016. It is likely to come into force in August 2016, with a further 21 month period for the Member States to implement the Directive into their national laws.
The NIS Directive is the main piece of legislation of the “2013 EU Cybersecurity Strategy”. It aims at ensuring a high common level of network and information security (“NIS”) across the EU and in particular requires operators of critical infrastructures and so-called digital service providers to adopt appropriate steps to manage security risks and to report serious incidents to the national competent authorities.
Security Risk Management and Incident Reporting Obligations
Who will be affected?
The NIS Directive covers two different categories of market players:
- Operators of critical infrastructures of the following sectors: energy, transport, banking, financial market infrastructure (trading venues, central counterparties), health, water, digital infrastructure (internet exchange points, domain name system service providers, top level domain name registries), and
- Certain digital businesses that are considered to be of general importance when it comes to cybersecurity (so-called ‘digital service providers’ – “DSP”): online marketplaces (which allow businesses to set up shops on the marketplace in order to make their products and services available online), cloud computing services and search engines.
All businesses in these sectors that are identified by the Member States (based on a set of criteria stipulated in the NIS Directive) as operators of essential services will have to take appropriate security measures and to notify significant incidents to the relevant national authority. The same applies to all entities that meet the definition of online marketplaces, search engines and providers of cloud computing services. Micro and small enterprises are excluded from the scope of the NIS Directive.
What security measures will need to be implemented?
The security measures that will need to be implemented should be appropriate to the individual risks faced and shall include
- technical and organisational measures that are appropriate and proportionate to the risk,
- measures that should ensure a level of security of network and information systems appropriate to the risks, and
- measures that should prevent and minimize the impact of incidents on the IT systems used to provide the services.
When implementing security measures DSPs should also take into account a couple of further factors: (i) security of systems and facilities, (ii) incident handling, business continuity management, monitoring, (iii) auditing and testing, and (iv) compliance with international standards. All these factors are to be further specified in a Commission implementing act. It is expected that industry standards will arise which lift the standards and may increase infrastructure and security costs at the concerned companies.
What will the reporting obligations look like?
DSPs and operators of critical infrastructure will be required to report serious incidents to their relevant national authority.
The threshold to determine whether an event will need to be notified has not defined by the Directive. However, it provides certain parameters to be taken into consideration: (i) number of users affected, (ii) duration of incident and (iii) geographic spread. For DSPs the NIS Directive also mentions (iv) the extent of the disruption of the service and (v) the impact on economic and societal activities as relevant parameters. The actual parameters for determining whether an event is to be notified are likely to be clarified by EU-level common guidelines and formalized when the Directive is adopted into national legislation. The procedural framework to support notification will need to be established by the Member States.
National Cybersecurity Capabilities and Increased Cooperation on EU-level
The NIS Directive also requires the Member States to adopt their own cybersecurity/NSI strategies defining the strategic objectives and appropriate policy and regulatory measures and to designate national authorities that are competent for monitoring the application of the NIS Directive at national level.
In order to ensure adequate cross–border cooperation with the relevant authorities in other Member States a national single point of contact must be designated which will exercise a liaison function. Member States mustalso designate one or more Computer Security Incident Response Teams (CSIRTs) that are responsible for handling incidents and risks. By establishing a network of national CSIRTs the NIS Directive aims to promote swift and effective operational cooperation on specific cybersecurity incidents and sharing information about risks.
The NIS Directive also provides for certain further cooperation mechanism and establishes a so-called Cooperation Group to support and facilitate strategic cooperation and the exchange of information among Member States. This Group will be composed of representatives of Member States, the Commission and the European Union Agency for Network and Information Security (ENISA).
The NIS Directive is likely to enter into force in August 2016. Member States will have twenty-one (21) months to implement the NIS Directive into their national laws (plus a further six (6) months to identify and specify operators of essential services).
The NIS Directive provides for a high level of harmonization for NIS but it has still to be seen how it is implemented on national level and how it correlates with existing legal requirements (e.g. data protection related obligations to take technical and organisational measures and to report personal data breaches). In this context it is worth mentioning that Germany has already adopted an IT-Security Act a year ago which already implements most of the requirements stipulated by the NIS Directive (but certain adaptions will likely be needed in particular concerning the broader obligations of DSPs).
The NIS Directive and the implementing laws will impose many new, and partly far reaching, obligations on operators of critical infrastructure and DSPs that will in many cases likely require certain adaptions of existing systems and processes (as the existing example of the German IT Security Act already illustrates).
The NIS Directive may not need to be implemented in the UK as the timescales for implementation may fall outside the UK withdrawal processes from the EU. Alternatively, the NIS Directive implementation timescales may fall so close to the UK's departure from the EU that implementation is considered unnecessary. However, even if the NIS Directive is not simply adopted as national legislation in the UK it is wholly forseable that the UK will implement substantially consistent legislation.