On 7 December 2015 the European Parliament announced it had reached an informal agreement with the European Council on common rules to strengthen network and information security (NIS), the NIS Directive.
The absence of EU control and regulation in this area was summed up by the executive director of the EU's Agency for NIS, comparing the internet to a virtual "Wild West". The new NIS directive will set out cybersecurity obligations for "operators of essential services" and "digital service providers".
What is the background to the NIS Directive?
Cybersecurity has been on the Commission's agenda since a 2001 NIS Communication (COM(2001)298). In 2013 a Commission Communication (JOIN(2013)) submitted that for cyberspace to remain open and free the same fundamental rights, democracy and the rule of law which are protected offline should also be protected online. The European Parliament has been pushing hard for EU-wide cybersecurity rules to end the current fragmentation of twenty-eight cybersecurity systems and December 2015 concluded the informal agreement.
What is the need for the NIS Directive?
The NIS Directive seeks a coordinated approach to cybersecurity across Europe but why is this necessary? Cyber-attacks have been major news in 2015 think Talk Talk, Ashley Madison, and Carphone Warehouse to name but a few. The number and severity of attacks continues to grow, whereas previously monetary gain was not a hacker's priority, there is now concerning trend toward hacking for profit.
However, the majority of security breaches do not stem from a malicious attack but from human error for example, losing hardware or downloading corrupted files. As the number of people working with data continues to increase so does the threat to cybersecurity. The NIS Directive recognises this and the possibility of a cross-border attack or breach in the EU which would require a coordinated response from Member States.
What obligations does the NIS Directive impose?
Member States will be required to designate one or more national authorities to deal with cyber matters. To achieve coordination Member States will be required to cooperate with each other exchanging best practices. In respect of operational coordination, a network of national computer security incident response teams (CSIRTs) will be set up.
What are "Operators of Essential Services"?
The Directive identifies sectors in which Operators of Essential Services are active including energy, transport, and finance. It will be for Member States to decide which companies operating in their jurisdiction are Operators of Essential Services using the criteria set out in The Directive:
- Is the service critical for society and the economy;
- Does the service depend on network and information systems; and
- Could an incident have significant disruptive effects on service provision or public safety?
What are "Digital Service Providers"?
The European Parliament defined Digital Service Providers as:
- Online marketplaces (e.g. Amazon);
- Search engines (e.g. Google); and
- Cloud service providers.
What will be the effects on my business?
If your business falls within the definition of Operator of Essential Services or a Digital Service Provider there is an obligation to report cybersecurity breaches under the NIS Directive. Service providers in the UK are currently obligated to report "personal data breaches" to the Information Commissioner's Office (ICO). The NIS Directive requires "major security incidents" to be reported. Hopefully this overlap will be clarified once the text of the Directive is published.
Operators of Essential Services will have to ensure that the systems they use to deliver essential services are "robust enough to withstand cyber-attacks". There is a lesser requirement on Digital Service Providers to ensure that their infrastructure is secure. We await further clarification on specific requirements.
When will the NIS directive take effect?
A leaked memo revealed that the Presidency hopes to tie matters up before the holiday period, setting 18 December 2015 as the date for the agreed text. Thereafter, Member States will have twenty-one months to adopt the necessary national provisions and then a further six months to identify Operators of Essential Services.
Timeframe aside, it is in the interests of your business to act now when it comes to cybersecurity. If you haven't done so already, assess your current cybersecurity measures and keep an eye out for further guidance from the Commission to consider whether or not your service's current cybersecurity regime provides adequate data protection. The Scottish Government's Cyber-Essentials Guide is a good place to start.
Disclaimer
The material contained in this article is of the nature of general comment only and does not give advice on any particular matter. Recipients should not act on the basis of the information in this e-update without taking appropriate professional advice upon their own particular circumstances.
