The Network and Information Security Directive, commonly known as the Cybersecurity Directive (the "Directive"), was approved by the European Parliament (the "Parliament") on the 13 March 2014 with a strong majority of 521 votes for to only 22 against1. This approval comes after the Directive was significantly amended by the Parliament's Internal Market and Consumer Protection Committee ("IMCO"). The Directive is the European Union's first comprehensive attempt to establish a set of minimum cybersecurity standards that would apply across the continent.
This latest version will now move to the Council of the EU (the "Council") for negotiation, where interests of Member States will be brought to bear on the text. As a result, the extent of the reforms to be put in motion by the final Directive remains uncertain, as further amendments are expected. It is anticipated that the Directive will be adopted by 2015, leaving Member States eighteen months to transpose it into national law.
The Directive takes a multi-layered approach and places new obligations on a variety of actors. Member States would be required to appoint a competent central authority and develop a national cybersecurity strategy, along with other baseline security measures. Market operators responsible for critical national infrastructure would be subject to a series of new incident reporting requirements. The Directive contains a non-exhaustive list of such operators, which include operators in the energy, banking, health, transport and financial services sectors. The revised Directive has also included Internet exchange points (the physical infrastructures through which Internet traffic is exchanged between network providers) and the food supply chain within its scope. In addition, Member States will have a choice whether to subject public administrators to the Directive.
This Briefing discusses certain key aspects of the Directive and considers issues associated with attempting to legislate in the cybersecurity area. The area is not new and cyber threats have been with us for quite some time, but attempting to legislate, whether on a regional, national or international basis, is new. It remains to be seen whether or not this legislative approach will succeed in raising the EU's common security baseline, with many Member States favouring a more voluntary approach to boosting cooperation and preparedness.
The Directive was originally published by the European Commission (the "Commission") in February 2013. A strategy outlining the Commission's plans to ensure a common level of network security across Europe was published alongside the Directive (the "Strategy")2. The Strategy aims to reduce cybercrime and improve network resilience by raising awareness of the issues surrounding cybersecurity, developing an internal market for cybersecurity products and increasing research and development investment.
The Directive is the principle mechanism to achieve the Strategy's objectives. Its main aims are:
- to ensure that Member States and private sector bodies providing certain critical infrastructure within the European Union ("EU") take appropriate steps to deal with cybersecurity threats; and
- to facilitate information sharing about cybersecurity threats between the public and private sectors across Member States.
The Directive also sets out in general the standards and obligations that Member States must impose on the private sector.
THE NEED FOR LEGISLATIVE INTERVENTION
The threat posed by cybercrime, online industrial espionage and attacks on critical infrastructure is growing. It is estimated that 823 million individual data breaches occurred in 2013, up from 264 million in 2012.3 Last year in the UK, 93% of large corporations and 87% of small businesses experienced a cybersecurity breach, with estimated losses of £450,000 to £850,000.4 In Ireland a recent report estimated the cost of responding to a data breach "to be in the region of ¤194k".
The annual cost to the global economy from cybercrime and cyberespionage is estimated at over $400 billion. With information and communication technology now forming the backbone of the European economy, the growing prevalence of cybercrime has negative implications for both national security and economic stability.
The European Commission asserts that, in this context, lack of effective sharing of data on threats and incidents is hindering the EU's response to cybersecurity challenges. It claims that the existing, mostly voluntary and ad hoc, nature of information-sharing between businesses, governments and Member States results in "uncoordinated regulatory interventions, incoherent strategies and divergent standards, leading to insufficient protection against NIS across the EU."5 The Commission expressed similar sentiments as far back as 2001,6 though regulatory measures to combat cybercrime since then have been largely sectoral and fragmented in nature.7 This has led to gaps in cybersecurity regulation. The Directive seeks to address these concerns by creating a cross-sectoral legislative framework within and across Member States, in which information-sharing no longer takes place on a purely voluntary basis.
Whether this shift in approach will work in practice is the subject of considerable debate. Concerns have been raised by certain Member States and business operators, who fear that more stringent, top-down regulation at European level will hinder business growth and competition. They argue that new reporting requirements could impose significant administrative burdens and become "a factor of reputational risk"8 for businesses (particularly for SMEs, which may not have the resources required to meet the new standards). It is also claimed that moving from a voluntary to a legislative approach risks creating a "static compliance approach" that could "divert scarce security resources from areas requiring greater investment towards areas with lower priority [and] decrease Europe's collective security."9 Many argue that a voluntary, industry-led set of standards, similar to those used in the United States, is a preferable approach.
ESTABLISHING A NATIONAL STRATEGY AND COMPETENT AUTHORITIES
Chapter II of the Directive requires Member States to ensure the security of the network and information systems in their territory. Member States must:
- establish a national Network Information Security ("NIS") strategy and establish regulatory measures to achieve network security;
- establish a competent authority ("NCA") to monitor and ensure the consistent application of the Directive in their territory and across Member States. The latest version of the Directive permits Member States to appoint several NCAs so long as one "national single point of contact" remains responsible and accountable; and
- establish a Computer Emergency Response Team ("CERT") responsible for handling incidents and risk. As is the case with the establishment of NCAs, the text approved by the European Parliament allows for "at least one" national CERT.
These are positive measures as Member States will have an accountable authority to monitor compliance with the Directive, promote a NIS strategy and receive, collate and share information about cybersecurity threats across the EU in an efficient manner. These bodies will also help Member States develop minimum security requirements and encourage businesses to create ICT security plans.
However, the Directive is unclear in some circumstances. For example, no practical guidance is provided as to how a NCA will ensure the consistent application of the Directive in their territory and across Member States. The Directive also fails to elaborate on what a NCA must do when they receive a cyber-threat warning. These limitations might reduce the effectiveness of the Directive.
Furthermore, the European Network Information Security Agency ("ENISA") revealed only seventeen Member States currently have national cybersecurity strategies.10 This could reflect the different views of Member States as to the best approach to cybersecurity regulation. For example, the UK favours a non-regulatory approach whereas Germany favours regulation. The lack of consensus could undermine the overall effectiveness of national strategies, the consistent application of the Directive across Member States and any co-ordinated attempts to deal with cyber threats.
COOPERATION NETWORK BETWEEN COMPETENT AUTHORITIES
Chapter III of the Directive provides that NCAs and the Commission will form a cooperation network to coordinate against risks and incidents affecting network and information systems ("Cooperation Network"). The Cooperation Network will (amongst other things):
- circulate early warnings about cyber threats. Member States must report to the Cooperation Network cyber threats that (a) grow rapidly in scale; or (b) exceed national response capacity; or (c) affect more than one Member State. The Cooperation Network must ensure a co-ordinated response across Member States to these threats;
- publish non-confidential information on on-going early threat warnings and coordinated responses on a common website; and
- exchange information and best practices with participants in the Cooperation Network.
The Strategy highlights the borderless nature of cybercrime and the importance of involving all actors, both the private and public sectors within and across Member States, when dealing with cyber threats and sharing information. The establishment of a Cooperation Network will address these issues. It will also support the creation of a coherent EU cybersecurity policy.
The Directive and subsequent measures will need to deal with a number of changes and consider a number of issues, which include the following:
- the criteria used to determine when a NCA should report risks to the Cooperation Network is vague, meaning that Member States might apply different reporting thresholds in practice;
- the Directive does not provide any guidance to deal with situations where Member States cannot agree on a co-ordinated response to a cyber-threat. As we will see, there is considerable resistance from some Council members to mandatory sharing of information between Member States;
- the Directive does not address concerns that having to seek agreement from each Member State might slow down an effective response; and
- a co-ordinated response across different Member States might be complicated as security levels differ and many nuances exist on aspects such as operator obligations and code-sharing.
Finally, there are a number of bodies already working on different aspects of European cybersecurity. These include ENISA, the European Public–Private Partnership for Resilience ("EP3R") and CERT-EU. The Directive does not specify exactly how this range of organisations is to cooperate, or how the Cooperation Network is intended to complement their functions. Caution must be exercised to ensure that it is understood who talks to whom and how coordination and co-operation is achieved when responding to a cyber-threat in order to avoid uncertainty.11
INFORMATION SHARING AND INCIDENT NOTIFICATIONS
Chapter IV of the Directive provides for mandatory security breach and incident notification requirements. This provision applies to market operators who provide critical infrastructure "the disruption or destruction of which would have a significant impact on a Member State". The Directive contains a non-exhaustive list of such operators, which includes operators in the energy, banking, health, transport and financial services sectors.
This test could be difficult to apply in practice and further guidance may be needed to clarify exactly which sectors are subject to the Directive. Indeed, Chapter IV obligations have been the subject of rigorous debate during the legislative process.
In the European Commission's original proposal, "key Internet enablers", such as e-commerce platforms, social networks, search engines, cloud services and app stores, came within the scope of the Directive's mandatory reporting requirements. However, the IMCO elected to exclude these actors from its version of the Directive, limiting breach and incident notification obligations to operators of critical infrastructure "essential for the maintenance of vital economic and societal activities".12 It is also interesting to note that Internet exchange points, the organisations which provide network operators with Internet traffic exchange facilities, were added by the IMCO to the Directive's list of critical infrastructure operators. This is a significant addition that takes account of the centrality of electronic communications to national infrastructure.
Importantly, Member States can decide exactly how "critical" an operator of critical infrastructure is, and therefore whether it should be covered by the Directive. Alongside this greater level of discretion, the Directive also allows more flexibility with regard to information-sharing between companies and national authorities, leaving open more avenues for voluntary means of cooperation.
The exclusion of Internet enablers could significantly water down the effect of the Directive, as such operators are central to the online world and the economy as a whole. Critical infrastructure operators engage with software developers, cloud storage providers, e-commerce platforms and others to a growing extent as more of their functions become digitised, making it increasingly difficult to draw a clear distinction between the categories set out in the Directive.
Member States also now have a choice whether to impose Chapter IV obligations on public administrators after the original draft automatically included them. This amendment could again undermine the effectiveness of the Directive, as the Strategy noted the importance of all relevant stakeholders, whether public authorities or private sector, taking action to strengthen cybersecurity.
While the Parliament's version of the Directive reduces the scope of companies affected by reporting requirements, it also defines the conditions under which a report should be made more precisely. The revised Directive attempts to set out exactly what constitutes an incident with "significant impact" that would warrant notification, after a report by the Economic and Scientific Policy Department (the "Report") highlighted a lack of clarity in this regard.13 Whether an incident has a significant impact will depend on, inter alia, the number of users of the core services who are affected, the duration of the incident and the geographical area affected by the incident.
In addition, the revised Directive provides that if an incident affects services in more than one Member State, upon notification a NCA will pass on relevant information to the NCA of any other affected Member States. This measure has addressed previous concerns that multiple notifications of the same incident would be required. It remains to be seen how effective incident notification by market operators will be in practice. The Report highlighted that "large discrepancies" were found in how prepared businesses across all sectors and Member States are to deal with cybersecurity incidents.14
PUBLICATION OF INCIDENT REPORTS BY NATIONAL AUTHORITIES
The Directive provides that a NCA can inform the public, or require market operators (or public administrators if applicable) to do so, where it believes the publication of an incident is in the public interest. The NCA is also required to submit an annual report of notifications received and any subsequent action taken to the Cooperation Network. Publication of notifications will help raise awareness of cyber threats but there were concerns that it could result in reputational damage to the market operator or result in a breach of any confidentiality obligations. Moreover, there were data protection concerns about treating the practice of publishing notifications containing personal data as necessary and legitimate.15
The revised Directive attempts to address some of these concerns. It now provides that the NCA must consult with the market operator and give them a chance to be heard before making its decision whether to publish information about a security incident. In the event that the NCA decides to publish information it must act to ensure it is made as "anonymous as possible".
ENFORCEMENT AND SANCTION
The Directive provides that Member States must ensure a NCA has all the necessary powers to scrutinise and investigate any non-compliance with Chapter IV obligations. Market operators will be required to provide all information that is necessary to assess the security of their networks and to undergo security audits. The Directive further provides for the imposition of effective, proportionate and dissuasive sanctions. It is expected that offending market operators will be fined a certain percentage of their revenue.
Effective enforcement and sanctions mechanism are important to ensure the objectives of the Directive are achieved. Commissioner Kroes pointed out that only 26% of companies in the EU had formally-defined ICT security policies. The threat of audit and subsequent sanction should ensure companies take network security more seriously.16 In addition, the revised Directive has made a number of welcome amendments to the enforcement and sanction provisions. NCA's will now be permitted to tailor the level of scrutiny a market operator is placed under depending on how critical its systems are judged rather than applying a standardised level. Furthermore, market operators will only be subject to penalties for non-compliance with Chapter IV obligations where they arise as a result of intent or gross negligence.
PARALLEL INTERNATIONAL DEVELOPMENTS
In the United States a Presidential Executive Order (the "Order") was published in February 2013 that encouraged the United States government to work with owners and operators of critical infrastructure17 to share information about cyber threats and implement minimum cybersecurity standards. In February 2014 the National Institute for Standards and Technology issued a framework to achieve these objectives (the "Framework"). It provides common security standards to identify and report security risks, measures to recover from attacks and methods to protect against security threats. The Framework resists the mandatory approach adopted in the EU and instead provides a non-regulatory system with incentives to comply with the standards. The different approach adopted by the US could undermine the effectiveness of the Directive. Cybercrime by nature is a global issue and a failure to align with the U.S. could result in gaps in the global cybersecurity framework or slow down responses to threats. It might be sensible for the US and EU to adopt a joint policy position on global cybersecurity threats.
Having been approved by the European Parliament, the Directive now needs to be agreed by the Council of EU telecommunications ministers. The next meeting of this Council configuration is due to take place on 27 November 2014. Between now and then, the text will continue to be debated in trialogue meetings18 between representatives from the European Parliament, Commission and the Italian Presidency, as well as between Member States' Permanent Representatives.
The Council came to what the Italian Presidency called a "general convergence of views" on the Parliament's text in its most recent meeting on 5/6 June 2014.
However, Member States remained divided on a number of key questions, including whether or not cloud providers should be covered by the legislation, and the extent to which the Directive should dictate operational cooperation between different agencies. A number of Member States expressed a preference for more general guidelines for information exchange between national authorities in the final text, rather than the more prescriptive "cooperation network" envisaged by the Parliament's version. These concerns could result in a weaker compromise text at the November Council.
A change of personnel in the EU institutions could also have a significant bearing on the Directive's final shape. A new European Commission, set to take office on 1 November 2014, is likely to give added impetus to trialogue negotiations following a period of uncertainty and institutional transition. The Digital Single Market ("DSM") has been highlighted as a priority for the new Commission, and a new Commission Vice President, former Estonian Prime Minister Andrus Ansip, has been appointed to lead work towards its completion.
Ansip will lead a "project team" of Commissioners working on different aspects of the DSM, which includes a Commissioner for Digital Economy and Society who is tasked with making the EU "a leader in cybersecurity preparedness and trustworthy ICT".19 In his confirmation hearing before the European Parliament Ansip stated that it is "extremely important" to make the Directive a reality, echoing the view of the European Council that "the timely adoption of [...] the Cybersecurity Directive is essential for the completion of the DSM by 2015."20
There is, therefore, a good deal of political impetus behind the Directive and the new European Commission will be eager to mark its completion as an early success. Time is fast running out before the 27 November Council meeting, however, and it remains to be seen if this momentum will be enough to overcome remaining disagreements between Member States. If the Council is to approve the Directive in its next meeting, it is likely that additional compromises will need to be found in the Parliament's text.
Looking further ahead, Member States will have eighteen months to transpose the Directive into national law once it is adopted.
The Directive represents an ambitious and timely attempt to legislate for the prevention of cybercrime in the EU. If adopted, its proposals would help ensure market operators of critical infrastructure, Member States and the EU are all adequately prepared to deal with cyber threats by providing a common baseline of shared standards. The latest version of the Directive has made welcome amendments that have provided guidance to key elements such as the definition of "significant impact" and what constitutes an operator of critical infrastructure.
Nevertheless a significant degree of uncertainty remains on certain key issues, such as how to co-ordinate EU wide responses and exactly which companies are to be subject to the Directive. In spite of the widespread acknowledgement that better frameworks for information exchange are required, there is still considerable resistance to mandatory models of reporting and cooperation. With time running out before the November Council meeting, the final shape of the Directive and how it will be transposed by Member States remains uncertain. It is likely that further compromises will be required before the Parliament's text is approved by the Council, and the final version will have to strike a careful balance between stimulating better exchange of information and adding unnecessary burdens to businesses. Legislating for cybersecurity is a relatively new and untested approach. In this context, the EU's first attempts to shift away from a purely voluntary model of cooperation will be a fascinating test case for future legislative actions in Europe and beyond.
1. Directive of the European Parliament and of the Council concerning measures to ensure a high common level of network and information security across the Union (2013/0027(COD)), 13 March 2014 (http://www.europarl.europa.eu/sides/getDoc.do?type=TA&language=EN&reference=P7-TA-2014-0244
2. Resolution on a Cybersecurity Strategy of the European Union: an open, safe and secure cyberspace (2013/2606(RSP)), 12 September 2013 (http://www.europarl.europa.eu/sides/getDoc.do?type=TA&language=EN&reference=P7-TA-2013-376
3. Risk Based Security/Open Security Foundation, "2013 Data Breach Trends", February 2014 (https://www.riskbasedsecurity.com/reports/2013-DataBreachQuickView.pdf)
4. The Department for Business Innovation & Skills, "2014 Information Security Breach Survey" (http://www.pwc.co.uk/assets/pdf/cyber-security-2014-technical-report.pdf)
5. Proposal for a Directive of the European Parliament and of the Council concerning measures to ensure a high common level of network and information security across the Union [COM/2013/048 final - 2013/0027 (COD)], February 2013 (http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:52013PC0048&from=EN)
6. The European Commission, "Communication Network and Information Security: Proposal for A European Policy Approach" COM(2001) 298.
7. For example, the Markets in Financial Instruments Directive (Directive 2004/39/EC) requires those in the financial services industry to adopt certain reporting and network security risk measures. Telecommunications companies are required to report cybersecurity incidents under the risk management and incident-reporting obligations set out in the revised EU Telecom Framework Directive (Directive 2009/140/EC)
8. AmCham EU's response to the European Commission's Consultation on Network and Information Security (NIS), 15 October 2012 (http://ec.europa.eu/digital-agenda/en/news/consultation-network-and-information-security-publication-individual-responses)
9. Information Technology Industry Council (ITIC) Position Paper on the Directive, 24 June 2013 (http://www.itic.org/dotAsset/a748f2f7-7d73-4d62-8ea0-b5ad35e3af27.pdf)
13. Ibid at 24
14. Ibid at 16
17. The Order defines critical infrastructure as, "systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters".
18. The European Parliament's Committee for Internal Market and Consumer Protection ("IMCO") voted to give a mandate to its Rapporteur, Andreas Schwab MEP, to enter trialogue discussions on 6 October 2014.
19. European Commission Mission Letter to Commissionerdesignate Günther Oettinger, 10 September 2014 (http://ec.europa.eu/about/juncker-commission/docs/oettinger_en.pdf)
20. European Council Conclusions, 25 October 2013 (https://www.consilium.europa.eu/uedocs/cms_data/docs/pressdata/en/ec/139197.pdf)
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.