European Union: The EU's New Cybersecurity Directive: What Does It Mean for Digital Service Providers?

Following its adoption by the European Parliament on 6 July 2016 and its publication in the Official Journal of the European Union on 19 July 2016, the Directive on security of network and information systems (the "NIS Directive") entered into force on 8 August 2016. Andrus Ansip, Vice-President of the European Commission responsible for the Digital Single Market, described the Directive as "the first comprehensive piece of EU legislation on cybersecurity and a fundamental building block for our work in this area". Indeed, the NIS Directive is intended to raise the overall level of cybersecurity in the EU by imposing minimum harmonisation rules on Member States and providing measures to that end.

The NIS Directive lays down rules for two categories of entity: (i) "operators of essential services" in the energy, transport, banking, financial market infrastructure, health, drinking water supply and digital infrastructure sectors, and (ii) "digital service providers", which include entities such as online marketplaces, online search engines and cloud computing service providers.

The inclusion of digital service providers in the draft NIS Directive was heavily debated and met with opposition from the European Parliament, several Member States and the entities that fall within the "digital service provider" definition. The opponents argued that cyberattacks against digital service providers do not amount to major incidents and therefore resisted additional rules, which they feared could have a negative effect on innovation. Although the final text of the NIS Directive does cover digital service providers, it subjects them to a lighter regulatory regime than operators of essential services. [1]

This Commentary focuses primarily on digital service providers.

Relevant Provisions

A "digital service provider" ("DSP") is a legal person that provides "any service normally provided for remuneration, at a distance, by electronic means [2] and at the individual request of a recipient of services".

Notably, according to the recitals of the NIS Directive, digital service providers do not include "hardware manufacturers and software developers". Thus, although DSPs are required to keep their technical and organisational measures at the "state of the art", they are "not required to design, develop or manufacture particular commercial ICT products in a specific manner". As a result, while the recitals of the NIS Directive stress the key role of hardware and software developers in enabling operators of essential services and DSPs to secure their network and information systems, the Directive imposes no additional obligations on them. Hardware and software products do, of course, remain subject to the existing rules on product liability.

The services provided by DSPs fall into three categories (Annex III of the NIS Directive): "online marketplaces", "online search engines" and "cloud computing services":

  • An "online marketplace" is "a digital service that allows consumers and/or traders to conclude online sales or service contracts with traders either on the online marketplace's website or on a trader's website that uses computing services provided by the online marketplace". As the recitals of the NIS Directive make clear, the definition does not cover online services that act only as an intermediary to third-party services through which a contract can ultimately be concluded.
  • An "online search engine" is "a digital service that allows users to perform searches of, in principle, all websites or websites in a particular language on the basis of a query on any subject in the form of a keyword, phrase or other input, and returns links in which information related to the requested content can be found". The scope of the NIS Directive covers neither search functions limited to the content of a specific website nor services that compare the price of particular products or services from different traders.
  • A "cloud computing service" is "a digital service that enables access to a scalable and elastic pool of shareable computing resources". According to the recitals of the NIS Directive, such resources include networks, servers or other infrastructure, storage, applications and services.

Notably, the inclusion of other categories of provider, such as streaming services, major online gaming networks, digital distribution platforms for application software and social network providers, was debated during the legislative process, but they were ultimately excluded from the scope of the Directive.

Obligations of Digital Service Providers

Security requirements. The NIS Directive aims at "state of the art" measures. It requires DSPs to:

  • Identify the risks posed to the security of the network and information systems they use to offer services within the EU, and take appropriate technical and organisational measures to manage those risks. The measures must be at the "state of the art" and take into account: (i) the security of systems and facilities; (ii) incident handling; (iii) business continuity management; (iv) monitoring, auditing and testing; and (v) compliance with international standards.
  • Take measures to prevent and minimise the impact of incidents affecting the security of the network and information systems used to offer services within the EU, with a view to ensuring the continuity of those services.

Incident notification requirements. A DSP must notify the competent authority or the computer security incident response team ("CSIRT") designated by the Member State, without undue delay, of any incident having a substantial impact on the provision of a service it offers within the EU. The notification must include information enabling the competent authority or CSIRT to determine the significance of any cross-border impact. Notification does not, however, expose the notifying party to increased liability.

In determining whether the impact of an incident is substantial, the following factors set out in the NIS Directive are to be taken into account:

  • the number of users affected by the incident, in particular users relying on the service for the provision of their own services;
  • the duration of the incident;
  • the geographical spread of the area affected by the incident;
  • the extent of the disruption of the functioning of the service;
  • the extent of the impact on economic and societal activities.

The notification obligation applies only where the DSP has access to the information needed to assess the impact of an incident against the factors above.

Implementation of the Directive, Post-Notification Procedure and Enforcement

To implement the NIS Directive, Member States must adopt a national strategy on the security of network and information systems, establish CSIRTs to handle cross-border security incidents, and take part in a single Cooperation Group set up to encourage strategic cooperation and the exchange of information among Member States.

National strategy on the security of network and information systems. Member States must adopt a national strategy defining clear objectives and appropriate policy and regulatory measures to achieve and maintain a high level of security. To that end, each Member State must designate:

  • a national single point of contact responsible for coordination and for facilitating cross-border cooperation;
  • one or more CSIRTs responsible for handling risks and incidents at national level by providing early warnings and alerts, sharing information on incidents and risks with relevant stakeholders, raising public awareness of online activities and the associated risks, and working towards the development of standardised cybersecurity practices.

Post-notification procedure. After consulting the DSP concerned, the notified competent authority or CSIRT (and, where applicable, the authorities or CSIRTs of other Member States concerned) may inform the public about individual incidents, or require the DSP to do so, where public awareness is necessary to prevent an incident or to deal with an ongoing incident, or where disclosure of the incident is otherwise in the public interest.

Enforcement. Where there is evidence that a DSP does not comply with the security requirements or the incident notification requirements, Member States must ensure that the competent authorities take action, if necessary through ex post supervisory activities. Such evidence may also be submitted by the competent authority of another Member State in which the service is provided.

For the purposes of such ex post supervision, the competent authorities have the power to:

  • require DSPs to provide the information necessary to assess the security of their network and information systems, including documented security policies;
  • require DSPs to remedy any failure to meet the security and incident notification requirements.

The NIS Directive requires Member States to lay down rules on penalties applicable to infringements of the national provisions adopted pursuant to the Directive and to take all measures necessary to ensure that they are implemented. The penalties need only be "effective, proportionate and dissuasive", so each Member State may set its own specific sanctions for non-compliance.


Jurisdiction and Territorial/Extraterritorial Scope of the Directive

A DSP is deemed to be under the jurisdiction of the Member State in which it has its main establishment (i.e. its head office).

Where a DSP has its main establishment in one Member State but its network and information systems are located in one or more other Member States, the competent authority of the Member State of the main establishment and the competent authorities of those other Member States must cooperate with and assist each other.

To promote the convergent implementation of the security requirements and incident notification procedures, the NIS Directive encourages the use of relevant standards.

A DSP whose main establishment is outside the EU may still fall within the scope of the Directive if it offers services within the EU. In that case, it must designate a representative in the EU. Under the NIS Directive, the mere accessibility in the EU of the DSP's website, or of an e-mail address or other contact details, is not sufficient to establish that services are offered in the EU. However, factors such as the use of a language or currency generally used in one or more Member States, with the possibility of ordering services in that language, and/or the mentioning of customers or users located in the EU, may make it apparent that the DSP envisages offering services within the EU.

Relationship with the General Data Protection Regulation

A data controller or processor that is also a DSP may be subject both to the NIS Directive and to the General Data Protection Regulation ("GDPR") (Regulation (EU) 2016/679 of 27 April 2016), which introduces a range of new protections for EU data subjects together with significant fines and penalties for non-compliance. A data protection incident may therefore trigger notification obligations under both instruments.

There are, however, important differences in the type of data protected under the NIS Directive and the GDPR. The NIS Directive covers any type of data breach, whereas the protection under the GDPR is limited to "personal data", defined as "any information relating to an identified or identifiable natural person ('data subject')".

Moreover, the NIS Directive covers not only data breaches but any "incident" capable of affecting the security of a DSP's network and information systems and the provision of its services.

Outlook

Member States must transpose the NIS Directive into national law by 9 May 2018.

The NIS Directive will require DSPs and other entities within its scope to review their existing cybersecurity and put in place appropriate incident notification measures in line with the Directive's requirements.

Entities within the scope of the NIS Directive must implement "state of the art" security measures that "ensure a level of security appropriate to the risk posed". To achieve that level of security, companies must have a comprehensive, auditable security programme. To prepare, companies should:

  • Designate an individual or group within senior management to assess the applicability of the NIS Directive to the company and develop a readiness plan.
  • Conduct a security impact assessment.
  • Review all internal security procedures and develop the self-audit capability required by national authorities.
  • Work with the board, the chief legal officer and other senior executives to adopt internal security and incident response policies.
  • Comply with breach reporting requirements and implement an incident response plan promptly.
  • Consider adopting a security strategy that incorporates the new NIS threat information sharing programmes.

Because the NIS Directive may reach entities established outside the EU, companies need to assess whether their activities could bring them within its scope. Given that Member States have not yet determined the penalties for non-compliance, companies have all the more reason to ensure that they do not run afoul of the NIS Directive.

Footnotes

1. For example, DSPs need only notify incidents having a "substantial impact", whereas operators of essential services must notify any incident having a "significant impact", a concept with a broader scope for which the parameters used to identify such incidents are defined more narrowly.

2. "By electronic means" means that the service is "sent initially and received at its destination by means of electronic equipment for the processing (including digital compression) and storage of data, and entirely transmitted, conveyed and received by wire, by radio, by optical means or by other electromagnetic means" (Article 1(1)(b) of Directive (EU) 2015/1535 of the European Parliament and of the Council of 9 September 2015 laying down a procedure for the provision of information in the field of technical regulations and of rules on Information Society services).

Authors
Undine von Diemar
Mauricio F. Paez
Laurent De Muyter