European Network and Information Security Directive adopted to address cyber-threats

On 6 July 2016, the European Union (which for now includes the UK) adopted the Network and Information Security (or NIS) Directive. This imposes obligations on three sets of stakeholders:

  1. Member States;
  2. Essential services operators; and
  3. Digital service providers.

Andrus Ansip, European Commission Vice-President for the Digital Single Market, commented:

“If we want people and businesses to make the most of digital services, they need to trust them. A Digital Single Market can only be created in a secure online environment. The Directive on Security of Network and Information Systems is the first comprehensive piece of EU legislation on cybersecurity and a fundamental building block for our work in this area. It requires companies in critical sectors – such as energy, transport, banking and health – to adopt risk management practices and report major incidents that can affect the Digital Single Market to their national authorities which will, in turn, be able to carry out better capacity-building with greater cross-border cooperation inside the EU. It also obliges online market places, cloud computing services and search engines to take similar security steps. The rules adopted today, complemented by the new partnership with the industry on cybersecurity presented yesterday, create the right conditions for people and businesses to use digital tools, networks and services in the EU with confidence.”

The Directive requires implementing national legislation to come into force by 10 May 2018. This is before the earliest date on which the UK can leave the EU, and so the NIS Directive will need to be implemented in the UK.

Member states

The NIS Directive obliges member states to:

  • adopt a national NIS strategy to define their strategic objectives and appropriate policy and regulatory measures in relation to cybersecurity;
  • designate a national competent authority for the implementation and enforcement of the Directive; and
  • designate a Computer Security Incident Response Team (CSIRT) responsible for handling incidents and risks (which can be the same body as the national competent authority).

In addition, at European level the Directive:

  • forms a ‘Cooperation Group’ between Member States, in order to support and facilitate strategic cooperation and the exchange of information among Member States and to develop trust and confidence amongst them; and
  • creates a network of Computer Security Incident Response Teams, known as the CSIRTs Network, in order to promote swift and effective operational cooperation on specific cybersecurity incidents and sharing information about risks.

The Commission will provide the secretariat for the Cooperation Group, whilst the EU Agency for Network and Information Security (ENISA) will provide the secretariat for the CSIRTs Network.

Essential Services Operators

Identification

Each Member State will undertake a process to identify its operators of essential services. An Essential Services Operator is a public or private entity in one of the following sectors:

  • Energy: electricity, oil and gas
  • Transport: air, rail, water and road
  • Banking: credit institutions
  • Financial market infrastructures: trading venues, central counterparties
  • Health: healthcare settings
  • Water: drinking water supply and distribution
  • Digital infrastructure: internet exchange points, domain name system service providers, top level domain name registries

which meets the following criteria:

  • it provides a service which is essential for the maintenance of critical societal and/or economic activities;
  • the provision of that service depends on network and information systems; and
  • an incident would have significant disruptive effects on the provision of that service.

Obligations

Identified operators of essential services will have to take appropriate security measures and to notify serious incidents to the relevant national authority. The security measures include:

  • Preventing risks: Technical and organisational measures that are appropriate and proportionate to the risk.
  • Ensuring security of network and information systems: The measures should ensure a level of security of network and information systems appropriate to the risks.
  • Handling incidents: The measures should prevent and minimize the impact of incidents on the IT systems used to provide the services.

Notification

The Directive does not define what constitutes a significant incident requiring notification to the relevant national authority, but identifies three factors to be taken into consideration:

  • Number of users affected
  • Duration of incident
  • Geographic spread

We expect to see further guidelines around notification thresholds and process in due course. Helpfully, Article 14 (3) of the NIS Directive makes it clear that:

“… Notification shall not make the notifying party subject to increased liability.”

Digital Service Providers

Digital Service Providers (DSPs) are defined as:

  • online marketplaces;
  • online search engines; and
  • cloud computing services.

DSPs will be required to take appropriate security measures and to notify substantial incidents to the competent authority. To avoid disparate national approaches and/or impractical obligations being imposed, the Commission will adopt implementing acts on the security requirements and notification obligations of DSPs within one year from the adoption of the Directive. Member States will not be able to impose additional, more stringent security and notification requirements on DSPs. In addition, the competent authorities will be able to exercise supervisory activities only when provided with evidence that a DSP is not complying with its obligations under the Directive.

Security measures

DSPs will have to implement security measures covering:

  • Preventing risks: Technical and organisational measures that are appropriate and proportionate to the risk.
  • Ensuring security of network and information systems: The measures should ensure a level of security of network and information systems appropriate to the risks.
  • Handling incidents: The measures should prevent and minimize the impact of incidents on the IT systems used to provide the services.

The security measures taken by DSPs should also address specific factors, to be further specified by the Commission:

  • security of systems and facilities
  • incident handling
  • business continuity management
  • monitoring, auditing and testing
  • compliance with international standards

Notification

The Directive does not define thresholds for what constitutes a substantial incident requiring notification to the relevant national authority. However, it identifies five factors which should be taken into consideration:

  • Number of users affected
  • Duration of incident
  • Geographic spread
  • The extent of the disruption of the service
  • The impact on economic and societal activities

Again, we expect further guidelines in due course, and again Article 16 (3) of the NIS Directive helpfully makes it clear that:

“… Notification shall not make the notifying party subject to increased liability.”