On 17 May 2016, the European Council adopted the Network and Information Security Directive (“NIS”), which forms a part of the European Commission’s EU Cybersecurity Strategy, which will operate alongside its Digital Single Market Initiative. The purpose of NIS will be to increase EU Member State cooperation on cybersecurity and to impose new incident reporting requirements on organisations. NIS is aimed at combating the apparent complacency demonstrated by organisations in connection with cyber breaches and is very much a hot topic, particularly in light of recent high-profile cybersecurity breaches, such as TalkTalk.

The European Parliament is expected to endorse NIS at its second reading imminently. It will become effective in EU law in August 2016 and will give EU Member States 21 months to adopt the necessary domestic legislation.

Who does NIS apply to?

NIS will apply to both public and private sector organisations. EU Member State governments will need to adopt a strategy for dealing with cyber threats and designate one or more national authorities to enforce NIS.

NIS will apply to two types of organisations: 

1. Operators of essential services – which is likely to include digital services providers (such as internet exchange points, but not e-commerce platforms), energy suppliers, transport providers (major ones, such as rail, air and road authorities), banks and credit providers, financial market infrastructure (such as stock exchanges), healthcare providers and drinking water suppliers and distributors. 

Those who qualify as operators of essential services will be required to “take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems which they use in their operations”. 

EU Member States’ designated authorities will be able to demand organisations provide information required to assess the security of their systems and demonstrate effective implementation of their documented security policies. If an organisation is found to be at fault, the competent authority may issue binding instructions for the organisation to remedy its operations. 

Organisations which are subject to NIS will have to report to the competent authority “without undue delay” any incident which has a substantial impact on the provision of their services. When assessing whether to report to the competent authority, an organisation must take into account:

  1. the duration of the incident;
  2. the extent of the disruption and number of users affected; and
  3. the geographical spread of the incident. 

2. Digital services providers – entities which provide services in any EU Member State, including online marketplaces, online search engines and cloud computing services. There is an exemption for organisations with fewer than 50 employees, and if an organisation is established outside of the EU, it must designate a representative in an EU Member State.

Digital services providers will be required to “take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems which they use in the context of offering services…”. Organisations will only be required to report incidents to the competent authority when there has been a substantial impact on the provision of their services. However, the supervision of digital services providers will be lighter and competent authorities will only take action when they have evidence of non-compliance.

Next steps

There is an interesting overlap between NIS and the General Data Protection Regulation (“GDPR”), which will come into force on 25 May 2018, as the GDPR requires that in the event of a data security breach, organisations must notify the competent authority within 72 hours, whereas NIS requires reporting to be done “without undue delay”. It will ultimately be for the competent authority of each EU Member State to decide how to deal with reporting obligations and they will also create and enforce “effective, proportionate and dissuasive” penalties under NIS. 

Organisations should now be assessing their activities to establish whether they qualify as an ‘operator of essential services’ or a ‘digital services provider’. If they are subject to NIS, they should: undertake a review of their cybersecurity policies and update them to reflect the incoming changes; provide training to staff on their responsibilities in the event of a cyber breach; and conduct a cost assessment of complying with NIS, noting that changes are required irrespective of whether their obligations are outsourced.