Last week, the EU Parliament approved the Directive on Security of Network and Information Systems (the "NIS Directive"), the first comprehensive EU-wide legislation on cybersecurity.
What are the main requirements under the NIS Directive?
According to the NIS Directive, each Member State is required to adopt a national strategy on the security of network and information systems which will define the applicable strategic objectives and appropriate policy and regulatory measures. Member States are also required to designate Computer Security Incident Response Teams (CSIRTs) and to support and facilitate strategic cooperation, as well as the exchange of information among Member States with regard to cyber threats and incidents.
In essence, the NIS Directive sets out measures designed to ensure that the critical IT systems underpinning "essential services" (such as banking, finance, transportation, energy, water and health) are adequately protected against cyber threats. Each Member State will determine which organizations within its jurisdiction are operators of essential services. The NIS Directive also applies to Digital Service Providers ("DSPs"), such as online marketplaces, online search engines and cloud computing service providers, which will be required to take appropriate security measures and to notify incidents having a "substantial" impact to the relevant authority.
Under the NIS Directive, operators of essential services and DSPs will be subject to the following requirements:
- To take appropriate and proportionate technical and organizational measures in order to manage the risks to the security of network and information systems which they use as part of their operations;
- To take measures to prevent and minimize the impact of incidents affecting the security of the network and information systems. Such measures should ensure a level of security appropriate to the risks;
- To notify the relevant authorities of cyber incidents which have a "significant impact" (or, in the case of DSPs, a "substantial impact") on the continuity of the services they provide. Factors to be taken into consideration when determining whether a specific incident is "significant" or "substantial" include, inter alia, the number of users affected, the duration of the incident and its geographic spread; and
- DSPs will be required under the NIS Directive to take into account additional elements when deciding on their security measures. These elements will be further specified by the EU Commission and include: the security of systems and facilities; incident handling; business continuity management; monitoring, auditing and testing; and compliance with international standards.
This important development follows the enactment of the General Data Protection Regulation ("GDPR") a couple of months ago (see our special Client Update on this subject for further details). The GDPR introduced, inter alia, significant changes and requirements which will affect the cybersecurity compliance obligations of companies, such as the reporting of data breaches to the authorities and to the affected data subjects, and the implementation of appropriate technical and organizational safeguards.
The NIS Directive is scheduled to enter into force in August 2016. Member States will have 21 months from the date on which the NIS Directive enters into force to transpose it into their domestic laws, and a further six months to identify the operators of "essential services".
In addition, the EU Commission is scheduled to adopt implementing acts specifying the security requirements and the notification obligations of DSPs within one year from the adoption of the NIS Directive.
We encourage you to take appropriate steps to address the requirements stemming from the new NIS Directive. We will be glad to offer our guidance in implementing appropriate technical and organizational measures, as well as addressing other requirements which apply to your company under the NIS Directive and the GDPR.