On 6 July 2016, the final text of the Network and Information Security (NIS) Directive was adopted by the European Parliament.
The main objective of the Directive – to strengthen the security of the network and information systems underpinning key economic and social services across Member States – is undoubtedly commendable. However, the real benefit of the Directive is likely to lie in raising overall security standards across the Union, as aspects of the Directive are already in place in many Member States or are covered (at least in part) by pre-existing national or European legislation. There also remains uncertainty around the extent of the obligations being placed on the organisations operating in these key sectors.
A national framework for cyber security
One of the main features of the Directive is the establishment of national infrastructures for the notification of cyber-security incidents and the sharing of information and expertise.
Each Member State will be required to set up and resource:
- a “competent authority” for network and information security, responsible for monitoring the application of the Directive;
- a “single point of contact”, to act as a liaison between Member States and ensure effective cross-border cooperation on cyber security matters; and
- a “Computer Security Incident Response Team (CSIRT)”, responsible for handling cyber security risks and incidents.
These functions may be performed by one or more national bodies within each Member State. Member States are also required to ensure that these organisations have the power to obtain information from organisations and, where appropriate, impose “effective, proportionate and dissuasive penalties” for breaches of the Directive. At this stage, it is unclear how such penalties will be applied, particularly for cross-border organisations.
In the UK, much of this framework is already being put in place. CERT-UK, set up in March 2014, acts as the body for reporting and handling cyber security breaches. The British government is also in the process of setting up the National Cyber Security Centre (NCSC), which will take on most (if not all) of these functions. The government has yet to provide an indication of the NCSC’s likely position on incident response, investigation and penalties.
Member States must also adopt national strategies on the security of network and information systems. These strategies will be required to cover a wide range of cyber security issues; from government support and supervision, to incident identification and response, to education and training.
A structured government plan to tackle cyber security risks is an essential part of providing a meaningful response to the threat of cybercrime. However, the implementation of such policies is not new in much of the EU. In practice, the majority of Member States have already established cyber security plans. For example, in the United Kingdom, a detailed cyber security strategy covering each of the areas set out in the Directive has been in place since 2011 – with the next five-year strategy due later this year.
Appropriate technical and organisational measures
The Directive also requires Member States to place specific notification and information security obligations on what are defined as, “operators of essential services” and “digital service providers”.
“Operators of essential services (OESs)” include providers of economically or socially critical services in the transport, energy, healthcare, banking, financial market infrastructure, drinking water and digital infrastructure sectors. Essentially, this will cover organisations such as key utilities providers, banks, internet service providers and stock exchanges insofar as the critical services they provide depend on a network or information system.
“Digital service providers (DSPs)” include online marketplaces, search engines and cloud computing providers. The Directive exempts micro and small enterprises (as defined in Commission Recommendation 2003/361/EC), so a DSP falls within scope once it has 50 or more employees or an annual turnover or annual balance sheet total exceeding EUR 10 million.
Both OESs and DSPs will be required to take “appropriate and proportionate technical and organisational measures” to manage the risks posed to their network and information systems. This reflects the wording of the security obligations already in place under the Data Protection Act 1998 (DPA 1998).
However, unlike the requirements under the DPA 1998, these organisations are also explicitly required to have “regard to the state of the art” in ensuring that the level of security is appropriate to the risk posed. At the very least, this emphasises that such organisations are under an obligation to continually monitor and review the level of their network security in line with the development of cyber security threats. It is also important to note that this security obligation extends to the security of the network and system as a whole, rather than just the personal data processed within it.
The precise technical requirements of the measures to be taken will depend on the risks to each entity’s network and information systems and on the potential consequences of any related security incident. Given that many of the systems concerned, by definition, relate to the provision of economically or socially critical services, it is likely that a very high level of security will be required to ensure compliance with the Directive. However, what is, or is not, “state of the art” is open to debate in some areas, and it is a continually moving target for organisations to have regard to.
Notification of cyber security incidents
OESs and DSPs will also be required to notify either the competent authority or the CSIRT of any incidents having a “significant” (in the case of OESs) or “substantial” (in the case of DSPs) impact on the continuity or provision of the services they provide. Where an OES relies on a third-party DSP for the provision of its essential service, the OES will also be required to notify the relevant authority of incidents affecting the DSP that have a significant impact on the continuity of the service the OES provides.
In both cases, the significant or substantial nature of an incident will be determined by reference to the number of users affected by the incident, its duration and its geographical spread. DSPs will also be required to consider the extent of the disruption to the functioning of their service and the extent of any related impact on economic and societal activities.
As with similar notification obligations under the GDPR, it is far from clear exactly when these notification obligations will “bite”. Whilst some clarity is likely to be gained from national and European technical guidance, this will still ultimately boil down to a judgment call for the organisation concerned.
The Directive also provides for the voluntary notification of incidents by organisations that fall outside the scope of these mandatory obligations.
The Directive provides for the establishment of a European “Cooperation Group” for sharing expertise, strategies and best practice, and a “network of CSIRTs” for dealing with cross-border incidents.
The establishment of such a pan-European framework may well provide more consistent support for cross-border organisations that are heavily reliant on network and information systems. It is to be hoped that communication between national competent authorities through the Cooperation Group will lead to a more uniform application of the provisions of the Directive, particularly in respect of penalties.
The Directive also allows for the sharing of information relating to cyber security incidents, particularly where these may involve a cross-border element. In doing so, the Directive has sought to strike a balance between facilitating an effective cross-border response to cyber security threats, whilst also protecting the privacy, confidentiality and personal data of those affected by the incident.
When passing information to another Member State, the relevant national authority will be required to preserve the confidentiality, security and commercial interests of the relevant OES or DSP. National authorities will also need to ensure that all such transfers comply with European data protection law. However, organisations which are subject to NIS will need to be aware that, while they may be comfortable with how their own CSIRT will deal with notifications, CSIRTs in other jurisdictions may take different approaches. This may also discourage organisations which are not technically subject to NIS, but which can make voluntary notifications to their relevant CSIRT, from doing so.