The European Union will soon have its first-ever cybersecurity rules, which will affect a broad range of industries, such as transportation, energy, and online marketplaces. On December 7, 2015, the European Parliament and the Council of the European Union, which comprises representatives of the 28 EU countries, reached a political agreement on the draft Directive on Network and Information Security (the NIS Directive).1 Although the final text is still being settled at the technical level, it is expected to be formally adopted in early 2016.
Background
In February 2013, the European Commission launched its Cybersecurity Strategy,2 which included a proposal for the NIS Directive.3 Like any other EU directive, the NIS Directive will not apply automatically in each EU country once adopted, but will have to be transposed into national legislation by local law. The purpose of the NIS Directive is to harmonize the cybersecurity rules in the various EU countries. However, EU countries will have some leeway when transposing the NIS Directive into national law (e.g., regarding the rules on penalties applicable to infringements of national provisions adopted pursuant to the NIS Directive, as long as such penalties are “effective, proportionate and dissuasive”).
Scope
The scope of the NIS Directive was strongly debated during the legislative process, in particular regarding the types of industries to which it would apply. Ultimately, the NIS Directive applies to many industry sectors, namely energy, transportation, banking, financial market infrastructure, health, drinking water supply and distribution, and digital infrastructure (i.e., Internet exchange points, domain name system (DNS) service providers, and top-level domain name registries). In addition, it also captures companies providing certain online services.
Below are some examples for the two main categories of industries captured by the NIS Directive:
- “Operators of essential services” (e.g., electricity suppliers, air carriers, credit institutions, trading venues operators, healthcare institutions, water supply and distribution operators)4
- “Digital service providers” (i.e., online marketplace operators,5 search engine operators, cloud providers) that have their main establishment in the EU or are not established in the EU but offer digital services within the EU (in which case they must appoint an EU representative), except for small enterprises (i.e., companies with fewer than 50 employees and an annual turnover of less than €10 million)6
Main Requirements of the NIS Directive
- Incident Notification Requirement. The incident notification requirement is certainly the most important change that the NIS Directive will bring to companies in regard to security, and it goes beyond the existing7 or upcoming8 EU breach notification requirements pertaining to personal data. Companies captured by the NIS Directive must notify their national regulator, without undue delay, of security incidents that have a significant impact on the continuity of their services. The regulator will decide whether to inform the public when public awareness is deemed necessary to mitigate or prevent an incident.
All concerned companies should take into account specific criteria in determining whether an incident has a significant impact on their services. Those criteria are: (1) the number of users affected by the disruption of the essential service; (2) the duration of the incident; and (3) the geographical area affected by the incident. Moreover, “digital service providers” should take into account the following two additional factors: (1) the extent of the disruption of the functioning of the service; and (2) the impact on economic and societal activities.
For “operators of essential services,” national regulators will have to adopt guidelines on how to implement the incident notification requirement. For “digital service providers,” the European Commission will adopt decisions (so-called “implementing acts”) which will further specify the incident notification requirements at the EU level. Because the rules for operators of essential services are set nationally rather than at the EU level, there is some risk that notification requirements for that part of the NIS Directive will differ from one EU country to another.
- Mandatory Network Security Measures. All concerned companies must implement “appropriate and proportionate” technical and organizational measures to manage the risks to the security of their networks and information systems. The aim is to minimize the potential impact of security incidents and to ensure the continuity of services. In particular, “digital service providers” must take into account the following when implementing their risk management measures: (1) the security of systems and facilities; (2) incident handling; (3) business continuity management; (4) monitoring, auditing, and testing; and (5) compliance with international standards.
- Enforcement Network of Regulators. Each EU country must designate a national authority for “network and information system security,” by designating existing authorities or creating new ones. The competent authorities must have adequate resources to effectively and efficiently cooperate with each other and to enforce the provisions of the NIS Directive, including the incident notification requirement. The NIS Directive establishes a cooperation mechanism between the national regulators but it remains to be seen how EU countries will effectively cooperate in a timely fashion in cybersecurity cases.
Relation to the GDPR
The political agreement on the NIS Directive came within days of the political agreement on the General Data Protection Regulation (GDPR).9 Both pieces of EU legislation set out a breach notification requirement but have different scopes and rationales. Since network security incidents (within the scope of the NIS Directive) are likely to involve personal data (within the scope of the GDPR), there will be situations where companies must comply with both regimes, potentially notifying two different regulators about the same event. However, the practical implications of this overlap and co-existence are presently unclear. Guidelines from regulators would be useful in this regard.
Next Steps
The timeline for final adoption of the NIS Directive is currently being finalized by EU officials; however, the final text is expected to be officially adopted in spring 2016. Once adopted and in force at the EU level, the new rules will still have to be transposed by national legislatures before they become enforceable as part of national law. EU countries will have 21 months from the Directive's entry into force to transpose it, so concerned businesses should already start preparing.
1 European Parliament’s press release at http://www.europarl.europa.eu/news/en/news-room/content/20151207IPR06449/html/MEPs-close-deal-with-Council-on-first-ever-EU-rules-on-cybersecurity.
2 Communication on a Cybersecurity Strategy of the European Union – An Open, Safe and Secure Cyberspace, JOIN (2013) 1 (February 7, 2013), http://ec.europa.eu/digital-agenda/en/news/communication-cybersecurity-strategy-european-union-%E2%80%93-open-safe-and-secure-cyberspace.
3 Proposal for a Directive concerning measures to ensure a high common level of Network and Information Security across the Union, COM (2013) 48 final (February 7, 2013), http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=COM:2013:0048:FIN.
4 The NIS Directive requires each EU country to identify the entities that qualify as “operators of essential services” in its territory; therefore the examples may differ from country to country.
5 “Online marketplace” can be practically understood as a web merchant, although the Directive includes a much more complicated definition.
6 Online marketplace operators, search engine operators and cloud providers are explicitly qualified as “digital service providers” under the NIS Directive.
7 Currently, only a few European countries require the notification of breaches under data protection law (e.g., Germany, Norway, and the Netherlands); such regimes include notification to regulators and to affected individuals and cover all business sectors. A few other countries require personal data breaches to be notified only to affected individuals, instead of a regulator, or follow a voluntary notification regime. A sector-specific breach notification requirement exists to date only for EU telecom operators and Internet service providers under the EU e-Privacy Directive 2002/58/EC (amended by Directive 2009/136/EC).
8 Although a pan-EU data breach notification for all sectors will be introduced early this year with the planned adoption of the EU General Data Protection Regulation (GDPR), this will only come into effect in two years from now.
9 See WSGR Alert, “Political Agreement Reached for New EU Data Protection Regulation—Official Adoption Around the Corner,” December 15, 2015, https://www.wsgr.com/WSGR/Display.aspx?SectionName=publications/PDFSearch/wsgralert-EU-data-protection-1215.htm.