The Cybersecurity Directive (formally known as the Network and Information Security Directive or NIS Directive) came into force on 8 August 2016, and must be implemented into national law by May 2018. The Directive aims to raise the level of resilience against cyber-attacks across Member States by creating national frameworks, improving cooperation and imposing obligations on particular operators and providers, including "digital service providers".
A 2015 Information Security Breaches Survey by PWC found that 90% of large organisations had a security breach last year. The average cost of such incidents has risen sharply, and 59% of those surveyed said that they expected the number of breaches to increase in the future. A separate survey reports that two-thirds of UK companies that have suffered from a cyber attack did not report it to the police. Apart from data breaches, where personal details have been revealed, there have been cases where confidential emails and commercially sensitive information have been released on public sites, data has been wiped from information systems to the extent that global organisations have had to rely on pens, paper and fax machines, and a cyber-attack on the German parliament's systems left the Bundestag needing to replace 20,000 computers. It is in the context of incidents like these that the European Commission has adopted a cybersecurity strategy and has brought the Cybersecurity Directive into force.
The Directive imposes obligations in particular on Member States, operators of "essential services" and digital service providers.
The Directive requires Member States:
- To define cybersecurity strategic objectives and regulatory measures;
- To establish one or more national competent authorities to monitor the application of the NIS Directive;
- To create Computer Security Incident Response Teams (CSIRTs) that operate within their own borders and cooperate within a wider network of CSIRTs, promoting swift and effective action across Europe;
- To work with other Member States to circulate and exchange information in relation to cyber threats; and
- To create a single point of contact to liaise between the authorities and cooperation groups envisaged by the Directive.
Operators of "essential services"
The Directive applies to both public and private entities that are operators of "essential services", in sectors including digital infrastructure, energy, transport, banking, financial markets, health and drinking water. Such services are defined as being:
- Essential for the maintenance of critical societal or economic activities, and
- Dependent on network and information systems to the extent that their disruption would significantly affect the provision of that service.
Operators that are identified by the Member State as meeting that definition are required to take appropriate measures to prevent and minimise the impact of cybersecurity incidents and to comply with a reporting scheme established by the Member State.
Digital service providers
Digital service providers include online marketplaces, search engines and cloud computing services. The Directive applies to legal persons offering such services within any Member State, whether or not established within the EU. Providers meeting these criteria will also be obliged to take appropriate security measures and to comply with the reporting scheme applicable to operators of "essential services".
Companies should check if they are likely to be caught by the provisions and be prepared to adopt appropriate (and, as yet, unclarified) strategies and measures. They should also be aware that although the initial reporting requirement will only be to the competent authority established or designated under the Directive, such authority may decide that public disclosure of the information is in the public interest.
An area of confusion remains. It is not clear across all Member States whether IT security testing services are exempt from any technical IP infringement that may occur as a result of their operations. In practice, this is unlikely to give rise to any serious problems or exposure, but it would have been welcome for the Commission to also introduce a harmonised specific exception.