Europe's response to the issue of cyber security – the draft Network and Information Security Directive (NISD) – is close to finalisation as the MEPs, the Council of Ministers (Council) and the European Commission battle out its exact wording. The final version of NISD is expected to be released very soon, however, even after much debate, key details of the proposal remain undecided.
What does NISD do?
NISD is a bold initiative and the first attempt to legislate in the cyber security arena, contrasting with the approach of other countries (e.g. the US) which have opted for an industry-led / voluntary approach.
In short, NISD adopts a multi-layered approach by placing obligations on all stakeholders across the industry:
- NISD requires Member States to:
  - establish a national Network and Information Security (NIS) strategy and establish regulatory measures to achieve network security;
  - establish a competent authority (NCA) to monitor the application of NISD in their territory and across Member States; and
  - establish a Computer Emergency Response Team (CERT) that handles incidents and risks;
- the NCAs and the European Commission must form a cooperation network which coordinates against the risks and incidents affecting network and information systems and circulates and exchanges information amongst members; and
- NISD requires "market operators" that provide "critical infrastructure", the "disruption or destruction of which would have a significant impact on a Member State", to comply with a mandatory security breach and incident notification requirement. "Market operators" are targeted cross-industry and include operators in the energy, telecoms, banking, health, transport and financial services sectors. It is worth noting that the telecoms sector is already subject to incident reporting obligations, as per the EU Framework Directive.
Does it do enough?
By and large, the introduction of these measures is likely to cultivate a more coordinated approach in responding to cyber threats in Europe. However, the current draft of NISD leaves open a number of gaps and undecided issues which are likely to lessen the impact of the legislation.
For example, NISD provides no practical guidance as to how the NCA will ensure consistent application of NISD in each Member State, nor indeed how this would be coordinated across Member States. This is particularly problematic as, traditionally, the Member States have been divided when it comes to adopting a regulated approach towards cyber security: for example, Germany and France have been strident supporters of legislating against the problem, whereas the UK has favoured a non-interventionist and industry-led approach. Moreover, NISD fails to address the scenario in which Member States cannot agree on a coordinated response to a cyber issue. With security policies and standards differing significantly across the EU Member States, any such disagreement is likely to have a significant negative impact on formulating a quick response to threats.
This is exacerbated by the current disagreement between the European institutions over whether Member States should be allowed to select the operators to whom the new rules should apply. The text of NISD put forward by the Council allows the Member States to select the operators within the selected industries to whom the new rules regarding security and incident notification would apply – an approach which, if adopted, would result in a fragmented rather than harmonised implementation of NISD by Member States. This contrasts with the text preferred by the European Parliament, which would see all operators become subject to NISD.
The most important, yet still undecided issue, is the scope of NISD itself. The original draft, proposed by the European Commission, included "key internet enablers" such as e-commerce platforms, social networks, search engines, cloud services and app stores, but this category was later taken out by the European Parliament and the application of the obligations was limited to operators of critical infrastructures that are "essential for the maintenance of vital economic and social activities". The Parliament, the EU Executive, and countries such as France and Germany, have been in favour of keeping these operators in, whereas the Council, as well as the internet industry itself, are strong objectors, arguing that such obligations would create a significant administrative and financial burden, as well as result in duplicative and unnecessary reporting by both the infrastructure and services providers. The Council's final decision in respect of this issue will likely have a significant impact on the effectiveness of NISD.
While NISD, insofar as it aims to regulate against cyber threats, remains unprecedented and has the potential to set an example to the rest of the world, the current draft suffers from a number of gaps and inconsistencies which could result in a highly fragmented approach to cyber security across Europe – exactly how the Council aims to address these outstanding issues should become clear very shortly.