The European Parliament this month adopted the first European Union-wide rules on cyber-security that promise to impose new compliance and reporting obligations on companies across a broad range of sectors.
After three years of back-and-forth negotiations, the European Parliament on July 6 adopted the Directive on Security of Network and Information Systems (NIS Directive). “The adoption of the first EU-wide legislation on cyber-security will support and facilitate strategic cooperation between member states, as well as the exchange of information,” Commissioner Günther Oettinger said in a statement.
Under the NIS Directive, operators of “essential” services will be required to adopt risk management practices and notify the relevant national authority of any “serious incidents.” Digital services providers—such as online marketplaces, cloud computing services and search engines—also will have to comply with these requirements.
Under the NIS Directive, operators of essential services broadly include the following industries:
Energy: electricity, oil, and gas;
Transport: air, rail, water, and road;
Banking: credit institutions;
Financial market infrastructures: trading venues and central counterparties;
Health: healthcare settings;
Water: drinking water supply and distribution; and
Digital infrastructure (such as internet exchange points, domain name system providers and registries).
Beyond these broad categories, however, each member state will have a lot of latitude for determining who qualifies as an operator of essential services. The devil will be in the details, which member states have two years to iron out.
From a compliance standpoint, however, now is the time for companies operating in the European Union to begin assessing whether the law applies to them and, if so, what is required to be in compliance, if they aren’t already, says John Eustice, a partner at law firm Miller & Chevalier. “This directive points up the vital need for companies to do two things: One is to make sure their cyber-security measures are up-to-date. The other is to create effective incident response plans that are tailored to the jurisdictions where you are conducting business,” he says.
To determine whether a company qualifies as an operator of essential services, member states will evaluate whether the company provides a service that is essential for the maintenance of critical societal/economic activities; the provision of that service depends on network and information systems; and a security incident would have significant disruptive effects on the provision of the essential service.
Digital service providers, on the other hand, must comply automatically, whereas micro- and small companies, as defined in European Commission Recommendation 2003/361/EC, do not fall under the scope of the directive. This effectively means that companies that employ fewer than 50 employees and whose annual turnover or annual balance sheet total does not exceed EUR 10 million are exempt.
“The adoption of the first EU-wide legislation on cyber-security will support and facilitate strategic cooperation between member states, as well as the exchange of information.”
Günther Oettinger, European Commissioner
The directive additionally will apply to DSPs that are not established in the European Union, but which offer services within the European Union. “They will need to appoint a representative in a member state where services are offered,” says Conor Ward, a consultant at law firm Hogan Lovells in the firm’s London office. “This may afford non-EU companies the opportunity to select a country whose implementation of the directive is most favorable to them.”
One of the key aspects of the directive requires operators of essential services and digital service providers to implement appropriate security measures.
Those security measures include:
Preventing risks: Technical and organizational measures that are appropriate and proportionate to the risk.
Ensuring security of network and information systems: The measures should ensure a level of security of network and information systems appropriate to the risks.
Handling incidents: The measures should prevent and minimize the impact of incidents on the IT systems used to provide the services.
At the same time, however, the directive recognizes that operators of essential services pose a higher degree of risk than digital service providers. Thus, the directive calls for “light-touch” implementing acts with regard to security and notification obligations for digital service providers, which will be adopted by the European Commission by August 2017.
NIS DIRECTIVE TIMELINE
Below is the expected timeline for implementation of the Directive on Security of Network and Information Systems.
August 2016: Entry into force.
February 2017: Cooperation Group begins tasks.
August 2017: Adoption of implementing on security and notification requirements for digital service providers.
February 2018: Cooperation Group establishes work program.
May 2018: Transposition into national law.
November 2018: Member states to identify operators of essential services.
May 2019: Commission report assessing the consistency of member states' identification of operators of essential services.
May 2021: Commission review of the functioning of the Directive, with a particular focus on strategic and operational cooperation, as well as the scope in relation to operators of essential services and digital service providers.
Source: European Commission
Member states will not be able to impose additional more stringent security and notification requirements on DSPs. In addition, the competent authorities will be able to exercise supervisory activities only when provided with evidence that a DSP is not complying with its obligations under the directive.
In general, the security measures DSPs will have to take into account include the security of systems and facilities; incident handling; business continuity management; compliance with international standards; and monitoring, auditing, and testing.
Incident response plans
The other substantial part of the directive requires operators of essential services and digital service providers to report incidents having a “substantial impact” on the provision of the services. In determining whether an incident has a substantial impact, the directive lays out the following five parameters that need to be taken into account:
Number of users affected;
Duration of incident;
The extent of the disruption of the service; and
The impact on economic and societal activities.
“They’ve put in these broad parameters, but haven’t explained what they mean and how they’ll be applied,” Eustice says. It’s expected that the European Commission will further clarify these parameters in the coming months.
Once a reporting obligation is triggered, companies must notify the relevant national competent authority or a Computer Security Incident Response Team (CSIRT), established by the NIS Directive. These notification obligations are in addition to any consumer or user data breach notification obligations that apply.
Being well prepared to respond to a data breach means having a response team in place before a breach even occurs, conducting a mock cyber-attack to test the preparedness of your team, and having partners and vendors on call to help with a response plan.
Many companies still aren’t adequately testing their incident response plans, Eustice says. Whether companies conduct an audit or a mock cyber-attack, “you need to make sure your response plan works,” he says.
NIS Directive v GDPR
Adoption of the NIS Directive comes at a time when member states are also in the process of implementing provisions contained in the EU General Data Protection Regulation (GDPR), marking the most sweeping changes to EU data privacy legislation in the last 20 years. The GDPR takes effect in May 2018.
Both the NIS Directive and the GDPR require enhanced data security measures and breach notification obligations. The GDPR, however, applies only to the collection and handling of data on EU citizens. It applies to both data controllers (companies that decide how and why data is being collected), and data processors—essentially service providers.
“The two—GDPR and NIS—can be addressed at the same time, to the extent that GDPR compliance will imply data security measures,” says Carol Umhoefer, a partner at law firm DLA Piper. “It’s advisable, when you’re looking at your GDPR compliance to keep in mind the NIS Directive.”
The NIS Directive enters into force next month. Member states will then have until May 2018 to implement its requirements into national laws, and until November 2018 to identify operators of essential services.
Member states are also tasked with establishing penalty amounts for non-compliance, which must be “effective, proportionate, and dissuasive.” At this stage, it’s not clear whether penalty amounts will be nominal or on par with penalty amounts under the GDPR, which is up to four percent of total annual global revenue or €20 million ($21.5 million), whichever is higher. Given the size of some digital service providers likely to be covered by the directive, penalties could be substantial.