The crux of the NIS Directive is its security requirements and incident notification. The NIS Directive proposes, inter alia, an obligation to implement appropriate security measures and to report incidents having a “significant” impact on provided services. This proposed obligation has a very wide scope and, if adopted, will apply to:
- public administrations;
- providers of critical infrastructure essential for the maintenance of vital economic and societal activities in the fields of: energy, transport, banking, stock exchanges and health;
- providers of information society services, including social network providers, search engines, application ('app') stores, e-commerce platforms and cloud computing services.
Background and aim
The publication of the Strategy and the NIS Directive follows the recent establishment of the European Cybercrime Centre (EC3), part of EUROPOL in The Hague, and illustrates the increased attention within the EU for (cyber)security and the protection of critical infrastructures. Strategy and Directive aim to ensure a high common level of network and information security (NIS), which means "improving the security of the Internet and the private networks and information systems underpinning the functioning of our societies and economies."
The objectives of the proposed Directive are threefold:
- to create a minimum level of national capabilities by establishing competent authorities for NIS, setting up Computer Emergency Response Teams (CERTs) and adopting national NIS strategies and national NIS cooperation plans.
- ensure cooperation among national competent authorities within a network enabling secure and effective coordination, including coordinated information exchange as well as detection and response at EU level.
- ensure that a culture of risk management will develop and that information is shared between the private and public sectors. Companies and institutions in sectors that are particularly vulnerable due to high dependence on correctly functioning network and information systems (such as banking, stock exchanges, energy generation, transmission and distribution, transport (air, rail, maritime), healthcare, internet services and public administrations) will be required to report any incidents seriously compromising their network and information systems and significantly affecting the continuity of critical services and supply of goods.
Closer look at the proposed measures
Pursuant to the Directive, incidents must be reported to the national competent authorities, who can then decide to disclose the incident to the public or require the companies or public administrations involved to do so.
In addition, the Directive stipulates a requirement for each EU Member State to adopt a national NIS strategy and to designate a national NIS authority. Tasks include preventing, handling and responding to NIS risks and incidents. The Directive creates an obligation to form a cooperation network between all national authorities and EU institutions (such as EC and ENISA, EC3). The cooperation network should, inter alia, make possible that competent authorities circulate early warnings on risks and incidents, in order to ensure a coordinated response. The competent authorities will be obliged to cooperate closely with other authorities, in particular in the field of data protection, energy, transport, banking, stock exchanges and health. Cooperation between both public and private entities is an essential component of many clauses of the Directive.
In the current text of the proposal, the security requirements and incident notification obligation will not apply to providers of public electronic communication networks and services, since these providers are already subjected to similar obligations under sector specific telecommunication rules. The EC has made clear that hardware providers, software developers and parties in specific other fields (e.g. water and food supply, insurance providers) will be exempted as well. The obligations will not apply to enterprises with less than 10 employees and an annual turnover less than EUR 2 million.
Not clear yet is how the incident notification of the proposed Directive and the breach notification requirements in the proposed General Data Protection Regulation will relate to each other.
The proposed Directive was submitted to the European Parliament and the European Council for review and subsequent adoption. This could lead to amendments, but it is almost certain that the crucial elements of the Directive - security requirements and incident notification for a very wide scope of enterprises - will remain and become part of the adopted version.
Following the adoption, EU Member States will have 18 months to transpose the Directive into national law.