Just months after the entry into force of the German IT Security Act in July 2015, European rules for improving IT security are now imminent: EU Commission, European Parliament, and EU Council agreed on the "Directive concerning measures to ensure a high common level of network and information security across the Union" (referred to as NIS Directive). After formal adoption of the draft directive, the NIS Directive is expected to enter into force in spring 2016.
The NIS Directive is an essential part of EU Cybersecurity Strategy. The objective is to establish an EU-wide common minimum standard for digital security. The requirements of the NIS Directive will not apply in the Member States directly, but will only unfold binding effect upon their transposition into national law. The Member States are free to establish more stringent requirements at the national level than provided for in the NIS Directive.
With the IT Security Act, the German legislature established a set of national rules to improve IT security and for critical infrastructure protection in Germany already last year. Since the NIS Directive and IT Security Act are comparable in key aspects, the IT Security Act is likely to have anticipated a substantial part of European regulations. Where the IT Security Act falls short of the NIS Directive, however, the German legislature will need to add appropriate provisions.
Some of the expected core contents of the NIS Directive are summarized below:
- Cooperation among Member States (Cooperation network)
One of the key contents of the NIS Directive is to establish strategic cooperation of the Member States with the objective of strengthening the protection of IT systems across the EU. The NIS Directive closes the gap of cross-border IT security not provided for by the purely national IT Security Act.
In Germany, the BSI is expected to assume the function of a contact for the other Member States. In addition to the competent authorities in the various Member States, the EU Commission will also be part of the cooperation network.
The network is intended to coordinate EU-wide cooperation to improve network and information security through cooperation across Member States. For this purpose, the NIS Directive provides for an early warning system within the cooperation network and rules on coordinated responses to early warnings.
- Secure information exchange
In addition, a secure system for the exchange of information is to be established to ensure the secure exchange of sensitive and confidential information within the cooperation network. The collaborative network can only work by means of such a system, since the exchange of information would otherwise be made more difficult and the objective of the EU-wide strengthening of IT security be endangered. The NIS Directive provides for adequate financial, technical and human resources to establish and maintain the system.
- Networking of National Rapid Response Teams (CSIRTs)
For enhanced cooperation at the operational level, the NIS Directive also contains provisions for the EU-wide networking of national Computer Security Incident Response Teams, referred to as CSIRTs. The CSIRT network primarily serves to exchange information on current risks and security incidents, but is also intended to allow for effective cooperation in transnational incidents.
- Security measures and reporting of incidents
According to the NIS Directive, operators of essential services are required to take appropriate technical and organizational measures to protect their networks and IT systems and to report significant incidents. The IT Security Act provides for essentially corresponding duties for operators of critical infrastructure.
- Specifying affected companies
It is too early to predict with absolute certainty whether the companies obligated under the IT Security Act and by the NIS Directive are entirely identical. Neither the IT Security Act nor the NIS Directive define in detail what companies are required to take security measures and to report incidents. Instead, the NIS Directive only designates affected industrial sectors and framework criteria.
Each Member State needs to determine who specifically is to be considered as an operator of essential services within the meaning of the NIS Directive. In this respect, the IT Security Act also corresponds to the NIS Directive, which provides for a specification of operators of critical infrastructure through the BSI Ordinance on Critical Infrastructure Operators. It makes therefore sense to refer to the criteria laid down in the Ordinance on Critical Infrastructure Operators when defining essential services operators. A current draft Ordinance on Critical Infrastructure Operators is available on the BMI website. The final version is expected for mid-March 2016.
- Search engines, online marketplaces, and cloud services
The NIS Directive requires search engine operators and providers of online marketplaces and cloud services (digital service providers) to protect the networks and IT systems used to provide their services. A similar obligation for providers of telemedia services was already added to the Telemedia Act on the basis of the IT Security Act.
In addition, the NIS Directive provides for affected companies the duty to report incidents with a significant impact to the competent authority. In that regard, the NIS Directive goes beyond the IT Security Act, which provides for a reporting duty only for operators of critical infrastructure, but not for providers of telemedia services as well.
Overall, it must be expected that the German legislature will act again in the field of IT security, in order to fully transpose the requirements of the NIS Directive into national law. The scope of required legislative changes will only be seen in detail after the entry into force of the NIS Directive. Transposition must be carried out by the Member States within 21 months.
Potentially affected companies should continue to monitor developments in this area closely. The Ordinance on Critical Infrastructure Operators will at least define the group of companies affected by the IT Security Act in further detail. It is currently expected that these companies will also be covered by the scope of the NIS Directive.
Since the companies concerned are currently only directly obligated by the IT Security Act, they should initially implement the provisions contained therein, even if changes to the requirements due to the NIS Directive cannot be excluded.