Today, many cybersecurity incidents remain unreported, especially in countries (e.g. Belgium) that do not have general data breach reporting obligations. For the energy sector, the mandatory implementation of the “NIS-Directive” by 9 May 2018 is expected to radically change this.
In Belgium, unlike in the Netherlands, there is no express legal obligation to report data breaches. Sector-specific data breach reporting obligations currently only exist for telecom operators and financial institutions / insurance providers. As a consequence, many cybersecurity incidents still remain unreported.
The EU Directive on security of network and information systems (Directive (EU) 2016/1148, the “NIS-Directive”), which entered into force on 8 August 2016, introduces minimum security and incident-notification requirements for operators in certain sectors deemed to play a ‘vital role’ in society. One of these sectors is the energy sector.
Annex II of the NIS-Directive lists the types of entities in the energy sector (electricity, oil and gas) from which the Member States must identify their “Operators of Essential Services”. These include, inter alia, electricity and gas supply undertakings, distribution system operators and transmission system operators. The Directive does not itself designate individual companies: each Member State must identify the operators established on its territory, and has until 9 November 2018 to do so.
The NIS-Directive introduces the following obligations for such “Operators of Essential Services”:
obligation to take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of the network and information systems they use in their operations, and appropriate measures to prevent and minimise the impact of incidents affecting those systems; and
obligation to notify the competent Member State authority or the national CSIRT, without undue delay, of incidents having a significant impact on the continuity of the essential services they provide. Whether an impact is “significant” is assessed on, in particular, the number of users affected, the duration of the incident and the geographical area affected; the precise thresholds will be set by the Member States.
On the basis of the information provided, the competent Member State authority (or CSIRT) must inform other affected Member States where the incident also has a significant impact on essential services there. After consulting the notifying operator, it may also inform the public, where public awareness is necessary to prevent future incidents or to deal with an ongoing incident, or where disclosure of the incident is otherwise in the public interest.
The NIS-Directive must be transposed into national law by the EU Member States by 9 May 2018. Because the Directive only sets minimum requirements, the concrete notification thresholds, supervisory powers and sanctions will depend on each Member State's implementing legislation. The notification duty, preventive measures and sanctions provided by this new legislation should nonetheless lead to more transparency and awareness regarding cybersecurity risks in the energy sector.