Political agreement has been reached on the Network Information Security Directive (NISD or the Cybersecurity Directive) and provisional text has now been published.
What’s the issue?
Cybersecurity is increasingly on everyone’s mind. The fallout from a security breach can range from barely noticeable to a threat to national security. The EU has decided that cybersecurity needs to be strengthened and coordinated in key industries and, to that end, proposed NISD to:
- require Member States to adopt a NIS strategy;
- create an EU cooperation group;
- establish an EU Computer Security Incident Response Team (CSIRT);
- establish security and notification requirements for operators of essential services;
- establish security and notification requirements for digital service providers (DSPs); and
- require Member States to designate national competent authorities, single points of contact and CSIRTs.
What’s the development?
Political agreement was reached on NISD at the end of last year and provisional text has been published. The text now has to be finalised (only minor changes are expected) and formally adopted by the European Parliament and Council, expected to take place in the spring. Once NISD has been published in the Official Journal, Member States will have 21 months to put implementing legislation in place.
What does this mean for you?
The Cybersecurity Directive is relevant to you if you are an Essential Service provider or if you are a digital service provider, i.e. an online marketplace, an online search engine or a cloud services provider. This is a minimum harmonisation Directive. That means not only that Member States have to produce implementing legislation, but also that they have discretion to go above and beyond what the Directive says. We are, therefore, looking (to a certain extent) at fragmented implementation across the EU, although multi-jurisdictional companies can take comfort from the fact that they will be regulated in the place of their “main establishment”.
- Where sectors are subject to sector-specific Union legal acts relating to information and network security, these will take precedence (e.g. NISD does not apply to telecoms providers as their security is dealt with by the Framework Directive).
- NISD is designed to work alongside data protection legislation. It covers ‘natural persons’ which includes companies, whereas data protection law covers only personal data. Regulators must cooperate.
- As with the GDPR, NISD is intended to have some extra-EU application and will apply to DSPs which are established outside the EU but which offer services within the EU (on more than an incidental and passive basis).
- Organisations will be regulated in the Member State of their main establishment which will be the place where effective and real activity is exercised through stable arrangements.
- Where an organisation is subject to NISD but does not have a main establishment in the EU, it must appoint a representative in one of the Member States in which it offers services and it will be subject to the jurisdiction of that Member State.
- There are exceptions for micro-enterprises and small enterprises as defined by a 2003 EC recommendation.
Operators of essential services
- Member States are required to identify operators of essential services in categories set out in Annex II with an establishment in their territory within six months after the date on which implementing legislation must be established. These categories include operators of essential services in the energy, transport, financial services (including banks), health and drinking water supply and digital infrastructure (including internet exchange points, domain name system service providers and top level domain name registries). Lists must be reviewed and updated at least every two years.
- Member States may make their own rules as to how to identify operators of essential services in each sector but this is to be decided against the broad criteria that the entity provides a service essential for the maintenance of critical societal and/or economic activities where the provision of that service depends on network and information systems and an incident to the network and information systems of that service would have significant disruptive effects on its provision. Whether or not a disruption has a significant disruptive effect should take into account the number of users relying on the service, the dependency of other essential service sectors on it, the impact the incident might have, the market share and geographic reach of the entity and its importance in maintaining a sufficient level of service taking into account availability of alternative providers.
Security and notification requirements for operators of essential services
- Member States must ensure all operators of essential services take appropriate and proportionate technical and organisational measures to manage risks (defined as “any reasonably identifiable circumstances or event having a potential adverse effect on the security of networks and information systems”) posed to the security of networks and information services which they use to deliver their services and to minimise the impact of any network security incidents with a view to ensuring continuity of service.
- Operators of essential services must notify the competent authority or the CSIRT of incidents having a significant impact on the continuity of the service they supply. Notifications must be made without undue delay and must contain enough information to allow the competent authority or the CSIRT to determine any cross-border impact of the incident. To assess the nature of the incident, the number of affected users, the duration of the incident and the geographical spread of its impact must be taken into account.
Digital Service Providers
- DSPs are providers of online marketplaces, online search engines or cloud computing services. These are all defined terms in the Directive:
- “online marketplace” is a digital service that allows consumers and/or traders to conclude online sales and service contracts with traders either on the online marketplace’s website or on a trader’s website that uses computing services provided by the online marketplace (this includes app stores but excludes price comparison websites);
- “online search engine” is a digital service that allows users to perform searches of, in principle, all websites or websites in a particular language on the basis of a query on any subject in the form of a keyword, phrase or other input, and returns links in which information related to the requested content can be found; and
- “cloud computing service” is a digital service that enables access to a scalable and elastic pool of shareable computing resources.
- Hardware manufacturers and software developers are specifically excluded in the recitals.
Security and notification requirements for DSPs
- DSPs must identify and take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of networks and information systems they use in the context of offering services referred to in Annex III within the Union (it is slightly unclear what the impact of Annex III is, as it simply repeats the list of DSPs). Those measures shall ensure a level of security of those systems appropriate to the risk presented, taking into account: security of systems and facilities; incident management; business continuity management; monitoring, auditing and testing; and compliance with international standards.
- DSPs must notify incidents having a substantial impact on the provision of a service as referred to in Annex III within the Union to the competent authority or CSIRT. Notifications must contain enough information to allow the notified body to determine the significance of any cross-border impact.
- In determining the impact of an incident, the number of affected users (particularly those relying on the service to provide their own services), the duration of the incident, its geographical spread, the extent of the disruption to the service and the extent of the impact on economic and societal activities must be taken into account.
- Where an operator of an essential service relies on the service provided by the DSP, the essential service operator must also be informed.
- The recitals state that the security levels required for DSPs will vary on a case-by-case basis and that they will be subject to a light-touch and reactive system of supervision without being subject to general compliance monitoring. Competent authorities should only take action when provided with evidence of non-compliance.
Regulators are given various general powers but Member States are left to legislate on penalties for non-compliance.
Implementing legislation must be in place 21 months from publication of NISD in the Official Journal.