On 7 December 2015 representatives from the European Parliament and Council reached agreement on the long-awaited Network and Information Security (NIS) Directive. Whilst the full text of the Directive has not yet been made public, details have been released of the key features that have been agreed in principle (subject to formal approval by the institutions).
The Directive is aimed at operators of critical infrastructure in sectors such as energy, banking, transport and health. Despite strong opposition from the digital sector, some digital services (search engines, online marketplaces and cloud providers) will be within the Directive. As expected, however, other services such as social networks and app stores, that had previously been proposed to be included, will not be caught.
The Directive will also lead to greater cooperation between Member States, through a network of national Computer Security Incidents Response Teams (CSIRTs) and competent authorities (which in the UK is expected to be a new Cyber Security regulator).
Who will be caught?
The Directive will apply to the following “essential services” sectors:
- Energy: electricity, oil and gas;
- Transport: air, rail, water and road;
- Banking: credit institutions;
- Financial market infrastructure: trading venues, central counterparties;
- Health: healthcare providers; and
- Water: drinking water supply and distribution.
Within those sectors, national governments will have to identify specific “operators of essential services”, who will then be within the Directive, using the following criteria:
- Whether the service is critical for society and the economy;
- Whether the service depends on network and information systems; and
- Whether an incident could have significant disruptive effects on its provision or public safety.
The Directive will apply differently to digital services. Rather than leaving it to national governments to identify specific providers that will be caught, the Directive will include a definition of certain types of service, which will then catch any business to which that definition applies (although there will be an exemption for “micro” and “small” digital companies). Digital service providers will be covered by the Directive if they provide one of the following services:
- Search engines;
- Online marketplaces; or
- Cloud computing (e.g. cloud storage).
There will also be a knock-on effect for companies not directly caught by the Directive. For example, companies providing IT infrastructure and support to operators of essential services can expect to see requirements flowed down contractually which require them to co-operate and assist in notifying and reporting to national regulators.
What changes will the Directive introduce?
The Directive sets out to achieve three aims:
- Improving cyber security capabilities in Member States;
- Improving cooperation between Member States around cyber security; and
- Requiring operators of essential services to take appropriate security measures and report incidents to national authorities.
The Directive will include some high-level measures designed to improve national capabilities and international cooperation. This will include the establishment of new national authorities and CSIRTs, and a “Cooperation Group” to facilitate information exchange between them. Each Member State will also be required to adopt a national NIS strategy, defining its strategic objectives, and the policy and regulatory measures it will take to further those objectives.
Beyond this, the Directive will not be prescriptive as to the measures that individual Member States should take, particularly with regard to the requirements that will be imposed on operators of essential services. The Directive will be of the “minimum harmonisation” type, and the intention is that it will be used as a lever for Member States to bolster cyber security and reporting requirements, through a new regulatory regime. Some Member States, such as Germany, have already introduced their own laws to address cyber security requirements and these will need to be checked against the provisions of the Directive. Companies operating across the EU will need to consider the application of local laws.
When it comes to digital services, however, Member States will have less discretion. In order to avoid tech, media and comms businesses being subjected to different requirements and regimes across the different Member States, the security and reporting requirements for digital service providers caught by the Directive will be harmonised across the EU.
What disclosure obligations will be included? The duty to report cyber breaches
One of the key obligations which will be imposed by the Directive is the duty to report cyber breaches to a national authority. This will apply to those organisations that are either identified by national governments as operating “essential” services in the sectors listed above, or those that are caught under the definitions of digital services providers.
When the full text of the Directive is released, it may contain some guidance on how the notification obligation is intended to apply, but Member States will have a broad discretion as to the scope of this obligation, such as the types of breach that are to be reported, the timescales for reporting and any sanctions for non-compliance.
What happens next?
With the three EU institutions having reached agreement on the substance of the Directive, the next step is for the detailed text of a draft directive to be formally approved by the European Parliament (which has already approved a previous version of the Directive, and can move straight to the second reading stage) and the Council. We expect the Directive to come into force during spring 2016. After coming into force, Member States will have 21 months to implement the Directive into national law, and a further 6 months to identify operators of essential services.
As high-profile cyber attacks continue to come to light on an almost daily basis, the Directive will be a key legislative lever for EU Member States to drive cyber security standards, capabilities and cooperation in key sectors. The EU agency for Network and Information Security estimates the total annual losses from cyber breaches across the EU to be in the region of €260 – 340 billion, and a European cyber security directive has been a priority since the European Commission first put forward its proposals in 2013.
The Directive also overlaps with provisions on security, and in particular requirements to notify regulators of security breaches affecting data identifying individuals, which are likely to form part of the new EU General Data Protection Regulation (GDPR). We are expecting the text of the GDPR to be finalised in the next few months. In due course, this raises the possibility that some companies will be required to notify multiple regulators if a security breach occurs, which will require robust planning and organisational processes.
The inclusion of digital services has not been without criticism, but the harmonisation of requirements across the EU is sensible. The European Commission sees this as a vital part of its Digital Single Market initiative (see our dedicated hub here). As the European Commission’s Vice-President for the Digital Single Market, Andrus Ansip, put it:
“Trust and security are the very foundations of a Digital Single Market. If we want people and businesses to make the most of connected digital services, they need to trust them to be secure in the case of attack or failure.”
The intention is that the requirements imposed on digital service providers will not be as stringent as those imposed on energy or healthcare, providers, for example. With Member States having so much room for discretion, however, it remains to be seen whether this will be the case (in all Member States at least).
In any event, the requirements being introduced by the Directive are likely to be most challenging for operators of essential services, who in many cases will not have the same level of awareness or protection as providers of digital services. A recent Freedom of Information request, for example, revealed that while 71 % of NHS Trusts questioned acknowledged the use of smartphones or tablets in their workplace, an equal number admitted that they provided limited or no training on safeguarding organisational information when using those devices. It may be some time before national requirements come into force, but the implementation and review of cyber security measures, training and crisis-management plans should be a permanent top-level priority for those who operate essential services.