May 2018 is a month which will already be highlighted in the calendars of those responsible for their organisations’ compliance with the General Data Protection Regulation (GDPR). It’s now under a year away. But for some digital businesses and infrastructure providers, when it comes to security risk management and reporting obligations, the GDPR isn’t the whole story.
The EU Directive on Network and Information Security, a.k.a. the ‘NIS Directive’ (said ‘nice’), is key to the EU’s cybersecurity strategy . It aims to improve, and ensure a consistent approach to, cybersecurity throughout the EU. Despite Brexit, the UK Government remains committed to transposing it by the May 2018 deadline (yes, you read that right: it’s the same month the GDPR comes into force).
If reminders were needed of the significance of the NIS Directive, a few have made recent headlines. WannaCry ransomware infected hundreds of thousands of computers across the EU and beyond, causing chaos in the UK health sector, with many hospitals and GP surgeries having to turn away patients and cancel appointments. It was followed by British Airways’ global IT meltdown, where human error is said to have caused a power outage leaving thousands of passengers stranded. These incidents and their aftermath don’t just illustrate the extent to which critical infrastructure depends on network and information systems, or the scale of disruption which an incident can cause: they also make the case for the NIS Directive all the more compelling. Here’s a quick reminder of how the key bits work.
Like the GDPR, the NIS Directive mandates appropriate security measures and notification of serious incidents to a relevant national authority. Unlike the GDPR, however, the NIS Directive targets two specific types of player: (1) ‘operators of essential services’ (OES) in key sectors such as health, energy, banking and transport; and (2) ‘digital service providers’ (DSP), namely providers of online marketplaces, online search engines or cloud computing services. It’s worth recalling that these three particular types of DSP were selected because many businesses increasingly rely on them for the provision of their own services, so disruption to such a digital service could have a knock on effect on the smooth running of other businesses dependent on it.
The rules differ slightly depending on whether you’re an OES or a DSP, but do have some broad similarities. Both must put in place appropriate and proportionate technical and organizational measures to manage risks posed to the security of network and information systems used. Those measures should ensure a level of security of network and information systems appropriate to the risks posed. Measures to prevent and minimise the impact of security incidents are also mandated with a view to ensuring service continuity.
When it comes to reporting a serious incident, this must be directed, without undue delay, to the competent authority (whose identity is TBC) or to a Computer Security Incident Response Team (to be designated by Member States). The NIS Directive doesn’t specify a threshold which triggers a notification requirement, but does list parameters to be taken into account when making that assessment. For an OES, the incident must have a ‘significant’ impact on service continuity. Parameters comprise the number of users affected by the disruption, incident duration and geographical spread. For DSPs, the impact must be ‘substantial’. In addition to those relevant to an OES, two further parameters are to be considered: the extent of the disruption and the extent of the impact on economic and societal activities. The European Union Agency for Network and Information Security’s recently issued preliminary guidance for DSPs on notification makes for useful reading.
But whilst there is some overlap with the GDPR, there are notable difference between the regimes. Take notification for example. A DDoS attack affecting the availability of data is the sort of thing which might require notification under the NIS Directive, but not necessarily under the GDPR. Conversely, a security incident involving unauthorized access to personal data in customer accounts might be a breach which is potentially reportable under the GDPR but, if it doesn’t affect the proper provision of a service, probably isn’t under the NIS Directive. Of course, there will likely be incidents requiring notification under both regimes.
Another notable difference relates to the choice of instrument. Being a Regulation, the GDPR has direct effect. The NIS Directive doesn’t. So the effectiveness of its regime will, in large part, depend on how it is translated into local law, and whether the inevitable differences in implementation from one Member State to another will undermine the reason it exists: to introduce a high common level of security. And what of the UK’s departure by 2019? Will the UK still provide the cooperation which underpins the whole regime? Those are the sorts of considerations which are enough to make anyone WannaCry.