Background
On July 7 the Plenary of the European Parliament (EP) gave its final approval to the Network and Information Security Directive (“NIS Directive” or “Directive”) after three years of discussions. The full text of the Directive (pending publication in the Official Journal at the time of this Alert) can be found here.

The legislative proposal was first put forward in 2013 together with the European Union (EU) Cybersecurity Strategy for "An Open, Safe and Secure Cyberspace," an initiative intended to represent “the EU's comprehensive vision on how best to prevent and respond to cyber disruptions and attacks.” The Strategy articulated a priority focus on cyber resilience, reducing cybercrime, a cyber defense policy, development of resources for cybersecurity, and establishing a coherent international policy to that effect (Commission presentation here).

The vote on the NIS Directive’s final text came a few months after a political deal had been reached between the EP, the Council and the European Commission (EC). The three Institutions agreed on an EU-wide legislation on cybersecurity making the passage of the Directive relatively swift. The main issue at stake had been the extension of the obligations to be imposed upon “operators of essential services” in the energy, transport, banking, and healthcare sectors, as well as upon providers of key digital services like search engines and cloud computing. Also discussed were obligations referring to appropriate security measures and to the reporting to the national authorities on security incidents (Note on the political agreement available here).

Content summary
The new Directive will have implications at different levels. It imposes obligations on Member States themselves, and it also requires them to impose new obligations in this matter on certain kind of companies operating in strategic sectors.

At member-state level, each country will have to adopt a national strategy on the security of network and information systems, including an increase of resources to deal with cybersecurity infrastructures: a reinforced network of cooperation, designated national competent authorities for monitoring the Directive and the new Computer Security Incident Response Teams (CSIRTs), and a risk-assessment plan.

Member States will cooperate among themselves by establishing a Cooperation Group to support strategic cooperation and the exchange of information. The Cooperation Group will establish a work program after the entry into force of the Directive, will steer and provide assistance and guidance to the CSIRTs as well as to Member States, and will share and report on risks and incidents.

The actual coordination and Secretariat for the network integrating all national CSIRTs will be provided by ENISA (the European Network and Information Security Agency).

But—and here is the big novelty that required intense negotiations—for the first time at EU level new obligations are also imposed on Member States for them to regulate providers of certain goods and services within their territory.

This will apply to two categories: operators of “essential services,” and digital service providers.

  1. Operators of essential services
    This category includes private businesses or public entities with an important role for the society and economy, and will be identified by each Member State, following these criteria:
  1. the entity provides a service that is essential for the maintenance of critical societal/economic activities;
  2. the provision of that service depends on network and information systems; and
  3. a security incident would have significant disruptive effects on the provision of the essential service.

The Directive will cover operators in the following sectors:

  • Energy: electricity, oil, and gas
  • Transport: air, rail, water, and road
  • Banking: credit institutions
  • Financial market infrastructures: trading venues, central counterparties
  • Health: healthcare settings
  • Water: drinking water supply and distribution
  • Digital infrastructure: Internet exchange points, domain name system service providers, top-level domain name registries

Under the NIS Directive, such identified operators of essential services will have to take appropriate security measures and to report serious incidents to the relevant national authority. The security measures include appropriate preventive technical and organizational measures; ensuring security of network and information systems; and measures about the handling of incidents, to minimize the impact of incidents on the operators’ IT systems.

This will not be completely uniform or harmonized across the EU: a certain degree of margin is left for each Member State, while implementing the Directive through its national legislation, to fix thresholds defining “significant” incidents.

B. Digital Service Providers
This part of the Directive was the most discussed during the negotiations. What sort of companies fall under the scope of this Directive? Who is in and who is out? Does this cover the operation of all U.S.-based online platforms in Europe, for example? This NIS Directive applies to digital services falling under one of these three categories (the descriptions are extracted from the Directive’s Recitals):

  1. Online marketplaces: An online marketplace allows consumers and traders to conclude online sales or service contracts with traders, and is the final destination for the conclusion of those contracts. It should not cover online services that serve only as an intermediary to third–party services through which a contract can ultimately be concluded. It should therefore not cover online services that compare the price of particular products or services from different traders, and then redirect the user to the preferred trader to purchase the product. Computing services provided by the online marketplace may include processing of transactions, aggregations of data, or profiling of users. Application stores, which operate as online stores enabling the digital distribution of applications or software programmes from third parties, are to be understood as being a type of online marketplace.
     
  2. Cloud computing services: Cloud computing services span a wide range of activities that can be delivered according to different models. For the purposes of this Directive, the term ‘cloud computing services’ covers services that allow access to a scalable and elastic pool of shareable computing resources. Those computing resources include resources such as networks, servers or other infrastructure, storage, applications, and services. The term ‘scalable’ refers to computing resources that are flexibly allocated by the cloud service provider, irrespective of the geographical location of the resources, in order to handle fluctuations in demand. The term ‘elastic pool’ is used to describe those computing resources that are provisioned and released according to demand in order to rapidly increase and decrease resources available depending on workload. The term ‘shareable’ is used to describe those computing resources that are provided to multiple users who share a common access to the service, but where the processing is carried out separately for each user, although the service is provided from the same electronic equipment.
     
  3. Search engines: An online search engine allows the user to perform searches of, in principle, all websites on the basis of a query on any subject. It may alternatively be focused on websites in a particular language. The definition of an online search engine provided in this Directive should not cover search functions that are limited to the content of a specific website, irrespective of whether the search function is provided by an external search engine. Neither should it cover online services that compare the price of particular products or services from different traders, and then redirect the user to the preferred trader to purchase the product.

All entities meeting the definitions will be automatically subject to the security and notification requirements under the NIS Directive.

There are two cautions to make regarding the scope: micro and small enterprises (as defined in the EC Recommendation 2003/361/EC) do not fall under the scope of the Directive, and the Directive does not affect the regime under EU law for the Eurosystem’s oversight of payment and settlement systems (that oversight corresponds to the European Central Bank), nor to non–euro area members of the European System of Central Banks exercising such oversight of payment and settlement systems on the basis of national laws and regulations.