The Directive on Security of Network and Information Systems (known as the NIS Directive) was published in the Official Journal of the European Union on July 19, 2016. Member States will have until May 9, 2018 to implement this Directive into national laws and a further six months to identify “operators of essential services.”
Summary of the NIS Directive
The NIS Directive is the first comprehensive piece of EU legislation relating to the 2013 EU Cybersecurity Strategy. Its objective is to achieve a high common level of security of network and information systems across the EU through improved cybersecurity capabilities at a national level and increased EU-level cooperation. It also requires “operators of essential services” and “digital service providers” to take appropriate steps to manage security risk and to report security incidents to the national competent authorities. Below, we highlight key provisions of the NIS Directive.
Improved Cybersecurity Capabilities at a National Level and EU-wide Cooperation
The NIS Directive requires Member States to adopt a national strategy on cybersecurity with a view to achieving and maintaining a high level of security of network and information systems across “essential services.” As part of this strategy, Member States must define the objectives and priorities of the national strategy, establish a governance framework to achieve these objectives and priorities, and identify measures relating to preparedness, response, and recovery.
Member States must also designate one or more competent authorities to monitor the application of the NIS Directive at a national level. The Directive permits Member States to designate different authorities for different sectors, but a single authority could also be designated. Either way, each Member State must designate a single point of contact that will liaise with other Member State authorities and the Computer Security Incident Response Teams (“CSIRTs”) that each Member State must establish under the NIS Directive.
Each Member State’s CSIRTs will be responsible for monitoring incidents, providing early threat warnings, responding to incidents, and cooperating with the private sector. As with the competent authorities, a Member State may establish multiple CSIRTs. In addition, the NIS Directive establishes a network of CSIRTs, in which each Member State CSIRT must participate. This network’s duties include exchanging information about security incidents, providing Member States with support in addressing cross-border incidents, and exploring and identifying further forms of operational cooperation.
Alongside the CSIRTs network, the NIS Directive also establishes a Cooperation Group in order to support and facilitate cooperation and the exchange of information among Member States. This Cooperation Group will be composed of representatives of the Member States, the Commission, and the European Union Agency for Network and Information Security (ENISA).
In most Member States, it is not yet clear which bodies will act as the competent authorities or single points of contact, or even how many competent authorities or CSIRTs each Member State will have. Indeed, from our discussions with the UK Government, it is not yet clear which government body will take responsibility for managing the implementation of the NIS Directive into UK law, especially given the recent move of responsibility for all policy areas concerning broadband and telecommunication from the Department of Business, Innovation and Skills to the Department of Culture, Media and Sport.
It is also not yet clear what enforcement powers the relevant competent authorities are likely to have and how this may impact the enforcement action that can already be brought against organisations that are subject to the requirements of the NIS Directive, such as operators of banking services that are already subject to the Financial Conduct Authority’s significant fining powers for weak systems and controls that lead to security failures.
Risk Management and Incident Reporting Obligations for “Operators of Essential Services” and “Digital Service Providers”
In addition to the requirements on Member States to implement the required cybersecurity capabilities and governance models, the NIS Directive sets out certain obligations for two groups of entities, namely “operators of essential services” and “digital service providers.”
“Operators of essential services” are those operators within the energy, transport, banking, financial market infrastructure, health, water, and digital infrastructure sectors that are identified by Member States within 27 months after the date the Directive becomes effective. These businesses will have to take steps to “prevent and minimise” the impact of incidents affecting the network and information systems used by those businesses with a view to “ensuring the continuity of those services,” thereby requiring both preventative and business continuity capabilities and processes. In addition, operators of essential services will have to notify the relevant competent authority or the CSIRT of incidents having a “significant impact on the continuity of the essential services” that they provide. Whether an incident meets this threshold is determined by reference to high-level parameters set out in the Directive, which each Member State will need to define further for the parameters to be practically usable.
The NIS Directive imposes similar requirements on “digital service providers” (i.e., businesses that provide an online marketplace, online search engines, and cloud computing services, unless the relevant businesses are “micro” or “small enterprises,” as defined in Commission Recommendation 2003/361/EC). It also sets out high-level parameters for determining whether an incident is “substantial” and lists the issues that digital service providers should take into account when deciding what security measures to implement. These criteria and considerations can be expanded by the Commission, but for harmonisation purposes Member States cannot impose any further security or notification requirements on digital service providers.
In certain circumstances, competent authorities or CSIRTs will be required to share details of incidents notified to them by operators of essential services and digital service providers with other Member States. This has raised some concerns among our clients in relation to security, confidentiality and issues of general incident management.
Implementation Across Member States
The NIS Directive provides for a high level of harmonisation across Member States, but it remains to be seen how it will be implemented into national laws, including whether Member States will introduce new laws dealing specifically with the requirements of the NIS Directive or whether Member States will seek to layer the new requirements onto existing laws.
For example, in France many of the requirements are already set out in the Military Planning Act for 2014 to 2019, and in Germany the IT Security Act also covers many of the requirements of the NIS Directive. These Member States may therefore use the NIS Directive to build upon their existing laws. Other Member States that do not currently have detailed cybersecurity laws, like the UK and Netherlands, may have to adopt a different approach. For example, the UK’s approach to date has been to publish and encourage companies to implement non-binding guidance and best practices; these non-binding documents may now have to be formalised.
A number of questions remain unanswered around how the NIS Directive will be implemented in Member States and which authorities will be designated as competent authorities under it. The possibility that each Member State will have many different sector-based competent authorities, and that the Directive will be implemented through a combination of new laws and amendments to existing laws, will complicate tracking the impact of the NIS Directive and lead to diverging requirements among Member States and different sectors, contrary to the NIS Directive’s goal of harmonisation.
We will be tracking the implementation and will post updates on the Data Protection Report.