A new EU-wide cybersecurity law, Directive (EU) 2016/1148 (NIS Directive), has come into force this month. The NIS Directive aims to increase the level of protection against network and information security incidents, risks and threats across the EU and, in terms of its impact on businesses, will affect “operators of essential services” in critical sectors (such as energy and transport) and “digital service providers” (such as cloud computing service providers).
Member States will have until 9 May 2018 to transpose the NIS Directive into their national law, giving businesses some time to review and adapt their policies and procedures where necessary.
The NIS Directive recognises that cyber security incidents can result in substantial financial losses and cause major damage to the European economy and seeks to apply common security requirements across the EU to operators of essential services and digital service providers.
Security and notification obligations: Operators of essential services and digital service providers will be required (regardless of whether maintenance of their network and information systems is outsourced) to:
- take appropriate and proportional technical and organisational measures to manage security risks to their network and information systems and ensure a level of security appropriate to the risk posed;
- take measures to minimise the impact of incidents which affect the security of their systems, with a view to ensuring the continuity of those services; and
- report incidents affecting their services to the competent national authority or competent Member State’s Computer Security Incident Response Team (CSIRT) “without undue delay” (the notification thresholds for operators of essential services and digital service providers differ slightly):
  - operators of essential services will be required to notify incidents that have a “significant” impact on the continuity of the essential services they provide – operators will need to determine the significance of the impact with reference to certain criteria (for example, the number of users affected and the duration of the incident);
  - digital service providers will need to notify incidents that have a “substantial” impact on the provision of their services (again, with reference to a set of criteria), but only if they have access to the information needed to assess the impact.
Once notified, the competent national authority or CSIRT may decide to inform the public of the incident.
It is worth noting that the security and notification obligations envisaged by the NIS Directive will be in addition to those imposed by the Data Protection Act 1998 specifically in respect of personal data (and expected to be imposed by the new EU General Data Protection Regulation) and affected businesses will need to comply with both regimes.
Two-tier framework: The NIS Directive envisages a two-tiered framework where, by virtue of the more critical nature of their services, operators of essential services will be subject to more stringent requirements and greater supervision than digital service providers. Individual Member States will be left to determine what sanctions and penalties should apply.
The NIS Directive captures operators within the energy (electricity, oil and gas), transport, banking, financial market infrastructure, health, water and digital infrastructure (internet exchange points, domain name system service providers and top level domain name registries) sectors:
- who provide a service that is essential for the maintenance of critical societal and/or economic activities;
- where the provision of that service depends on network and information systems; and
- where an incident would have “significant disruptive effects” on the provision of that service.
Member States will be responsible for identifying the operators of essential services within their own territories and will need to do so by 9 November 2018.
Digital service providers
The NIS Directive considers digital service providers to be online marketplaces (marketplaces which enable the sale of goods and services online such as app stores), online search engines and cloud computing service providers. Hardware manufacturers and software developers are not digital service providers according to one of the recitals to the NIS Directive.
Digital service providers that are microenterprises and small enterprises (as defined in Commission Recommendation 2003/361/EC) will not be subject to the security and notification requirements summarised above. The Recommendation defines “microenterprises” as entities employing fewer than 10 persons and whose annual turnover and/or annual balance sheet total do not exceed EUR 2 million and “small enterprises” as entities employing fewer than 50 persons and whose annual turnover and/or annual balance sheet total do not exceed EUR 10 million, subject to certain conditions.
Non-EU digital service providers that offer services within the EU are considered to be within the scope of the NIS Directive and will need to appoint a representative in one of the Member States where the services are offered to act on their behalf.
The European Commission has said that it will adopt implementing acts with regard to the security requirements and notification obligations of digital service providers within one year from the adoption of the NIS Directive, i.e. around August 2017.
In the meantime, affected businesses may wish to assess the sufficiency of their existing measures against the possible risks and consider whether any adjustments are likely to be required to strengthen their security and breach detection processes and procedures. Where services are outsourced, a review of the relevant contracts may be required.