On 17 May 2016, the Council of the European Union, which comprises representatives of the Member States’ national governments, formally adopted the Network and Information Security Directive (“Directive”). The NIS Directive will increase the security of network and information systems across the EU, and includes a new incident notification regime for affected businesses. The final stage for the NIS Directive is endorsement from the Parliament, which is expected imminently. Thereafter, it should become effective EU law in August of this year, giving Member States 21 months to adopt the necessary national provisions.
The NIS Directive will apply to two types of organisation – operators of essential services, and digital service providers. The former is defined as an entity which “provides a service which is essential for the maintenance of critical societal and/or economic activities”. In practice, that is likely to include energy suppliers, major transport providers (including airlines, rail transport operators and road authorities), banks and credit providers, and healthcare providers. A digital service provider, meanwhile, might be an online marketplace, a search engine or a cloud computing provider.
Significantly, digital service providers based outside the EU, but which offer services within the EU, will be within the scope of the Directive.
The two key outcomes from the Directive will be (i) increased network and information security requirements and (ii) a mandatory incident notification regime. In respect of each of these areas, different rules apply to operators of essential services and digital service providers.
Operators of essential services will be required to “take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems which they use in their operations”. Competent authorities in each Member State will be able to demand documented security policies, and evidence of their effective implementation, to test compliance with this requirement. Operators will also be required to notify, without undue delay, the local competent authority of any incident (or breach) “having a significant impact on the continuity of the services they provide”. In deciding if there is a significant impact, operators will need to consider the number of users affected, the duration of the incident, and its geographical spread.
Meanwhile, digital service providers will be required to “take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems which they use in the context of offering services […] within the Union”. They will only be required to notify incidents that have a substantial impact on the provision of their services.
Finally, Member States need to designate a national authority for the security of network and information systems, and establish a national strategy for cyber security.
There is obvious overlap between the provisions of the Directive and the data security and breach reporting provisions of the General Data Protection Regulation (“GDPR”), due in force in 2018. In terms of incident/breach reporting, where the competent authority of a Member State is also its data protection authority, it will be up to that authority to determine how it handles obligations to report incidents under both the Directive and the GDPR. We note that the Directive talks about reporting incidents without “undue delay”, whilst the GDPR is more specific in prescribing a 72-hour deadline.
The entry into force of the Directive will give affected businesses further impetus to kick-start internal assessments to ensure that their network and information security practices are well documented and effective. This will be valuable preparation for compliance with the increased technical and organisational security measure requirements of the GDPR.