On July 6, 2016, the European Parliament passed the Network and Information Security (“NIS”) Directive, over three years after the initial draft was proposed. The Directive will enter into force in August 2016. EU Member States will then have 21 months to transpose the Directive into their national laws and 6 additional months to identify the operators of certain essential services that are subject to the Directive’s requirements.
In short, the NIS Directive will impose comprehensive cybersecurity and breach reporting requirements on critical infrastructure operators. Unlike the breach reporting obligations under the General Data Protection Regulation that require notification to individuals in an incident where personal data is compromised, the NIS Directive will impose an obligation to report incidents to the relevant authority without regard to whether personal data is affected or not. Companies involved in energy, transportation, banking, health care, and water supply, as well as large search engines and cloud platforms are considered to be “critical infrastructure” companies, although Member States will be responsible for identifying the entities who will be caught by the Directive.
The Directive requires subject entities to take appropriate proactive security measures and to notify the relevant national authority of serious security incidents. The proactive security requirements include:
- Preventing risks: Technical and organizational measures that are appropriate and proportionate to the risk.
- Ensuring security of network and information systems: Measures that ensure a level of security of network and information systems appropriate to identified internal and external security risks, and after consideration of state-of-the-art technologies.
- Handling incidents: Measures to prevent and minimize the impact of incidents on IT systems and assets used to provide critical services.
Implementing administrative, technical and physical security measures necessary to comply with these requirements will take time. Organizations should begin to consider today what existing security measures they currently have in place and what additional measures will be necessary to meet forthcoming standards and requirements, all consistent with their security roadmaps and applicable security frameworks. The requirement that organizations consider state-of-the-art technologies (for example, deep packet inspection and firewall decryption products) will require close coordination with legal, privacy, and security teams in order to ensure that such technologies are implemented in a manner that complies with privacy restrictions of the General Data Protection Regulation, among other regimes. Multi-nationals with a presence in the United States will benefit from several years of experience incorporating elements of the NIST Cybersecurity Framework into their enterprise security programs—many provisions of which have parallels in the NIS Directive.
In addition to mandatory incident reporting, the NIS Directive will obligate EU Member States to establish Computer Security Incident Response Teams (“CSIRTs”), responsible for coordinating critical infrastructure cybersecurity efforts with national law enforcement authorities and data protection authorities. Moreover, the Directive will require Member States to establish a network connecting relevant data protection authorities and CSIRTs in order to facilitate the sharing of threat-related indicators, cybersecurity intelligence, and best practices.
Under the Directive, Member States will also be required to implement and enforce penalties against critical infrastructure providers that fail to comply with the Directive’s requirements. A detailed discussion of the NIS Directive’s requirements can be found here.