New cyber security rules on the horizon – network and information security directive approved
New EU rules will impose contingency and breach notification obligations on business across a broad spectrum. If you are engaged in energy, financial, healthcare or technology businesses, in particular, you need to be mindful of the new cyber security rules.
The directive on network and information security (NIS Directive) was formally approved by the Council of the EU on 17 May 2016 and is expected to enter into force in August 2016, provided the European Parliament gives its approval. Member States must adopt the laws, regulations and administrative provisions necessary to comply with the NIS Directive within 21 months after its entry into force.
The NIS Directive imposes obligations affecting several businesses. If your business falls within the scope of the NIS Directive either as an operator of essential services or as a digital service provider, you will probably need to take action in order to ensure compliance with the new provisions.
What is it all about?
The NIS Directive is the key component of the EU's cyber security strategy, adopted in response to the continuously increasing number of cyber security incidents, such as technical failures and security breaches, which are often complex and cross-border in nature. The NIS Directive will impose requirements on all Member States to ensure a common minimum level of cyber security across the European Union.
The key features of the NIS Directive are the following:
- National network and information security strategy
- New competent authorities and closer cross-border co-operation
- Obligations for operators of essential services and digital service providers
Under the NIS Directive, each Member State is required to establish a strategy for achieving and maintaining a high level of cyber security and to appoint at least one competent authority responsible for monitoring compliance with the new provisions, as well as a so-called national Computer Security Incident Response Team (CSIRT).
From the perspective of your business, however, the most significant impact of the NIS Directive is likely the new requirements imposed on operators of essential services and digital service providers.
Requirements for operators of essential services
Private and public entities that may be considered "operators of essential services" are listed in Annex II to the NIS Directive for each relevant sector:
- Energy (electricity, oil and gas)
- Transport (air, rail, water and road)
- Banking (credit institutions)
- Financial market infrastructures (operators of trading venues and central counterparties)
- Health sector (healthcare providers)
- Drinking water supply and distribution
- Digital infrastructure (internet exchange points, DNS service providers and TLD name registries)
If your business provides a service in any of these sectors that is essential for societal or economic activities, depends on network and information systems, and would be significantly disrupted by an incident affecting those systems, the NIS Directive may apply to you.
Each Member State will be required to list its national operators of essential services. Although the NIS Directive provides some guidance on the factors to be taken into account when national lawmakers determine which service providers fall within its scope, the assessment is largely left to each Member State, and the interpretation of abstract terms such as "essential" and "significant" in this context will be subject to each Member State's own discretion.
If your business counts as an operator of essential services, you must:
- take appropriate and proportionate technical and organisational measures to manage network and information system security risks;
- notify significant incidents (significance being assessed by the number of users affected as well as the duration and geographical reach of the incident) to the competent authority without undue delay;
- provide information needed to assess the security of networks and information systems in your company, if requested by the competent authority; and
- provide evidence of compliance with the provisions of the NIS Directive.
If deficiencies are found following an inspection and assessment, the competent authority may issue binding instructions to your business to remedy them.
Each Member State will also lay down rules on penalties applicable to infringements of the provisions adopted pursuant to the NIS Directive, and these sanctions may likewise apply where deficiencies are detected.
Requirements for digital service providers
With regard to digital service providers, Member States have no comparable discretion to determine which companies fall within the scope of the NIS Directive; instead, digital services are defined in the Directive itself as follows:
- Online marketplaces: services allowing online consumers and/or traders to conclude online sales and service contracts
- Search engines: services that allow users to perform searches of, in principle, all websites
- Cloud computing services: services enabling access to shareable computing resources that can be scaled in response to changes in demand
If your company counts as a digital service provider in the foregoing meaning, you will be subject to essentially the same obligations as those described above for operators of essential services. The degree of risk for digital service providers, however, is regarded as lower than for operators of essential services, so the requirements are somewhat lighter. For example, you are not obligated to provide evidence of compliance with the NIS Directive; on the other hand, digital service providers will be subject to a more harmonised approach at EU level because of the cross-border nature of their services.
How to prepare?
Businesses specified as operators of essential services or digital service providers should assess and identify potential security risks relating to network and information systems and establish working methods for preventing and minimising those risks. You should review your cyber security policies and practices in order to ensure compliance with the NIS Directive.
To determine whether an incident must be reported to the competent authority, it is advisable to put in place procedures for assessing incidents as they occur, together with notification criteria aligned with the requirements of the NIS Directive.
You should also note that even though your company is not required to notify any other party, the competent authority may disclose the incident to your customers, employees or other legal entities, where public awareness is needed for reasons defined in the NIS Directive. This highlights the better-safe-than-sorry approach of trying to tackle cyber threats beforehand.
But not all incidents can be avoided, so also having a proper security breach response plan in place will be important, and EU legislation may in future require the same incident to be reported under more than one regime.
The new General Data Protection Regulation (GDPR) [see: new EU data protection regulation] with its notification obligations will apply from May 2018 onwards and the NIS Directive will have to be transposed into national law around the same time, meaning that security incidents concerning breaches of personal data may in less than two years' time have to be reported both under the GDPR and the NIS Directive.
With hefty administrative fines in the pipeline, managing different triggers for reporting of breaches becomes essential.