Today, many cybersecurity incidents go unreported to the Belgian authorities and to the public. With the entry into force of the EU General Data Protection Regulation in May 2018 and the mandatory implementation of the “Network Information Security Directive” (“NIS-Directive”) by EU Member States by 9 May 2018, the EU cybersecurity landscape is set to change drastically, especially in countries (such as Belgium) that do not yet have general data breach reporting obligations in place.
In addition to some sectors (financial institutions, insurance providers, providers of electronic communications networks) which are already subject to specific rules concerning cybersecurity, the NIS-Directive adds another legal basis for the enforcement of cybersecurity standards in certain other sectors.
To ensure a high common level of network and information security in these sectors, the NIS-Directive lays down a number of obligations for Member States in order to prevent, handle and respond to risks and incidents affecting networks and information systems.
“OES” / “DSP”
The NIS-Directive applies in particular to “Operators of Essential Services” (“OESs”) and “Digital Service Providers” (“DSPs”):
- “Operators of Essential Services” can be found in the following sectors: energy (electricity, oil and gas), transport (air, rail, water and road), banking, financial market infrastructures, health and drinking water supply and distribution, and digital infrastructure; and
- “Digital Service Providers” are search engines, online marketplaces and cloud computing service providers.
The NIS-Directive highlights that network and information systems and services play a vital role in society, and that their reliability and security are therefore essential to economic and societal activities, and in particular to the functioning of the internal market.
Regrettably, other key internet enablers such as social networks, e-commerce platforms and internet payment gateways are not included in the scope of the NIS-Directive.
Network security obligations
- Obligation for OESs and DSPs to take appropriate technical and organisational measures to manage the risks posed to their network and information systems, and to prevent and minimise the impact of incidents which affect these systems;
- Obligation to notify the competent authority, without undue delay, of all incidents with a significant/substantial impact on the security of the essential/core services these operators provide:
  - In order to determine the exact impact of an incident, the following parameters are taken into account: (a) the number of users affected; (b) the duration of the incident; (c) the geographical spread with regard to the area affected by the incident; and, (d) for DSPs only, the extent of the disruption of the functioning of the service and the extent of the impact on economic and societal activities.
  - On the basis of the information provided in the notification, the competent Member State authority may inform other affected Member State(s). It may also inform the public about individual incidents, where public awareness is necessary to prevent an incident or to deal with an ongoing incident, or where disclosure of the incident is otherwise in the public interest.
An important exception to the above notification obligations applies to DSPs that qualify as “micro- and small enterprises”, i.e. companies with fewer than 50 employees and whose annual turnover and/or annual balance sheet does not exceed EUR 10 million.
Timing and outlook
The NIS-Directive was formally adopted on 6 July 2016, entered into force on 8 August 2016, and must be implemented by the EU Member States by 9 May 2018.
The notification duty, preventive measures, and sanctions provided by the NIS-Directive (as well as the data breach reporting obligations under the GDPR) should lead to more transparency and awareness regarding cybersecurity risks in the abovementioned sectors.
Text of the NIS-Directive: