A new EU directive will bring about significant changes to cyber security laws and will impose cyber security obligations on ‘operators of essential services’ and ‘digital service providers’. For organisations within its scope, it will require a re-assessment of how cyber security risks and issues are managed.
The Network and Information Security Directive (Directive (EU) 2016/1148) (the “NIS Directive”) was adopted by the EU on 6 July 2016 and enters into force on 8 August 2016. EU Member States have until 9 May 2018 to adopt national measures transposing the requirements of the NIS Directive into national law. In addition to imposing obligations on Member States (among other things, to adopt national strategies and to cooperate with each other on network and information security), it imposes new requirements on two categories of public or private entities: ‘operators of essential services’ and ‘digital service providers’.
What is an ‘operator of essential services’ or a ‘digital service provider’?
Although the NIS Directive sets out a framework for identifying an ‘operator of essential services’ (an “OES”), each Member State will have some discretion in determining what categories of organisations with an establishment on their territory will constitute OESs for the purpose of their national laws implementing the NIS Directive. Each Member State must submit an initial list of OESs within their territory by 9 November 2018 (ie 6 months after the deadline for transposing the NIS Directive). The criteria for identifying a potential OES are as follows:
- the entity operates in one of the energy, transport, banking, financial market infrastructures, health, drinking water supply and distribution or digital infrastructure sectors; and
- it provides a service:
- which is essential for the maintenance of critical societal and/or economic activities;
- the provision of which depends on network and information systems; and
- in respect of which significant disruptive effects would be caused by an incident to the network and information systems of that service.
The definition of ‘digital service provider’ in the NIS Directive is not user friendly, since it cross-refers to other EU legislation on the provision of information society services (Directive (EU) 2015/1535). Broadly speaking, an entity will be a ‘digital service provider’ (“DSP”) if it provides a service, normally for remuneration, at a distance, by electronic means and at the individual request of a recipient, which consists of (i) an online marketplace, (ii) an online search engine, or (iii) a cloud computing service. The DSP obligations do not apply to micro and small enterprises. Unlike the position for OESs, the Directive does not require Member States to compile a list of DSPs.
Any entity operating in Ireland which potentially falls within either of these definitions should examine the eligibility criteria set out in the NIS Directive with a view to identifying whether it could be identified as an OES or DSP in Ireland.
What new requirements apply to OESs and DSPs?
Both OESs and DSPs will be subject to new minimum security and notification requirements set out in the NIS Directive.
OESs will be required to:
- take appropriate and proportionate technical and organisational measures to manage risks posed to the security of the network and information systems they use;
- take appropriate measures to prevent and minimise the impact of incidents affecting the security of their network and information systems; and
- notify the relevant national authority(ies), without undue delay, of any incident having a significant impact on the continuity of the essential services they provide.
DSPs will be required to:
- identify and take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of the network and information systems they use in the context of providing ‘digital services’ within the EU;
- take measures to prevent and minimise the impact of incidents affecting the security of their network and information systems on the provision of any ‘digital service’ within the EU; and
- notify the relevant national authority(ies), without undue delay, of any incident having a substantial impact on the provision of any ‘digital service’ within the EU.
OESs and DSPs will be subject to oversight by designated national authorities (in Ireland, the National Cyber Security Centre, which is within the Department of Communications, Energy and Natural Resources). Such authorities are to have sufficient enforcement powers to enable them to require OESs and DSPs to provide information regarding their security arrangements and to issue binding instructions to remedy any deficiencies that may be identified.
It is notable that the NIS Directive is a minimum harmonisation instrument, so Member States may maintain or enact cyber security obligations beyond those required under the Directive. The incident notification obligations under the NIS Directive are also in addition to any similar obligations under other laws or codes of practice, such as the notification obligations for personal data breaches that will apply under the General Data Protection Regulation from May 2018, and any sector-specific notification requirements (eg the Central Bank of Ireland’s requirement that regulated firms notify it of any successful breach of their security or any substantial security incident). Organisations in scope should therefore map each incident type to every notification duty that may be triggered, since one incident can require separate notifications to different authorities on different timelines.