The so-called NIS Directive has been overshadowed by the new Data Protection Regulation, and it might come as a surprise to some companies that they will have new data security obligations related to network and information systems. Even though the directive has a limited scope of application, companies other than those directly within the sphere of the directive may also have to comply with the obligations – for example, in cases where they offer services to an operator of essential services that is within the sphere of the directive.

The objective of the Network and Information Security Directive (2016/1148), which took effect in August 2016, is to strengthen Europe’s cybersecurity preparedness. EU member states must adopt the regulations as part of their national legislation by May 9, 2018. The directive has two main objectives:

  • A high level of cybersecurity for the critical infrastructures of the member states
  • Increased collaboration

Network and information system security in the EU is considered a key competitive advantage in the intensifying cybersecurity markets, and the new directive will improve the functioning of the internal market.

A working group is mapping the requirements

The Ministry of Transport and Communications announced in October that it will start preparations for the national implementation of the NIS Directive, and the work is expected to be completed in February 2017. The working group is mapping what kinds of requirements currently apply to the actors within the sphere of the directive, and the extent to which they meet the requirements of the new directive. The mapping will also identify possible amendments needed to the existing legislation, such as the Information Society Code.

Risk management and reporting required from operators of essential services

The directive obligates the member states to specify sector-specific operators of essential services. These include operators in energy, transportation, banking and financial markets, health care, drinking water supply, and digital infrastructure. The operators are required to have appropriate risk management measures proportionate to the risks targeting network and information systems, and they are required to report to the relevant national authority incidents that have a significant disruptive impact on the service.

Another group within the sphere of the directive is companies offering digital services, such as online marketplaces, search engines, and cloud computing services. These digital service providers must also ensure that they have sufficient operating models to manage incidents impacting the security of network and information systems. Additionally, in certain situations, the digital service providers must report incidents to national authorities. The obligation to report incidents is outlined relatively precisely, but, unlike the requirements of the Data Protection Regulation, the incident doesn’t have to involve the protection of personal data.

After completion of the report by the working group appointed by the Ministry of Transport and Communications, it would be prudent to find out if your company must meet the requirements imposed by the NIS Directive. Companies within the sphere of the requirements also tend to handle personal data, so it must also be verified that their activities meet the requirements of the new Data Protection Regulation. It is usually advantageous to combine the mappings and the measures to save the company time and money during the mapping phase and in the practical work.