Out-Law Analysis | 06 Jan 2016 | 11:10 am | 12 min. read
Political agreement on the draft Network and Information Security (NIS) Directive, which could still be amended, was reached by MEPs and representatives of EU governments in early December. It means the path has been cleared for the new rules to be formally adopted in spring 2016. National laws implementing the Directive will need to be in effect two years after it comes into force.
The NIS Directive will impose new network and information security requirements on operators of essential services and digital service providers (DSPs). In addition, those organisations will be required to report certain security incidents to competent authorities or Computer Security Incident Response Teams (CSIRTs). Each EU country must establish these teams, the Directive says. Different security and incident reporting rules will apply to operators of essential services than to DSPs, with a lighter touch framework applicable to DSPs.
A recently published draft of the Directive helps to clarify which businesses can expect to be classed as 'operators of essential services' or as DSPs for the purposes of the new regime.
When will the NIS Directive apply?
Before considering which types of organisations will be deemed operators of essential services or DSPs under the Directive, a key point to note is that the Directive will not apply to all operators of essential services or DSPs.
Following negotiations between the EU's legislative bodies the final version of the Directive acknowledges that some sector-specific EU regulatory regimes already deal with information and network security issues. The Directive says: "certain sectors of the economy are already regulated or may in the future be regulated by sector-specific Union legal acts" relating to information and network security.
Where this is the case, the NIS Directive will have no application, even if an organisation would otherwise be considered an operator of an essential service or a DSP. Only regulatory regimes which provide equivalent protection to that set out in the NIS Directive will qualify as a 'sector-specific Union legal act' that could apply instead of the provisions of the NIS Directive.
What is an operator of essential services?
Under the NIS Directive an operator of essential services is considered to be an entity that provides a service that is essential for the maintenance of critical societal and/or economic activities, so long as the provision of that service depends on network and information systems and if an incident to the network and information systems of that service would have significant disruptive effects on the provision of those services.
Only organisations operating within specified sectors listed in an annex to the Directive will qualify as an operator of essential services.
It will be up to each EU country to either draw up a list of all the companies within those sectors that fall subject to the new security and incident reporting rules or to devise "objective quantifiable criteria (e.g. output of the operator or number of users) which would allow to determine which entities are subject to NIS obligations and which are not", according to the Directive.
Operators of essential services in the energy sector
According to the draft, suppliers of electricity and gas, as well as electricity or gas distribution or transmission system operators are listed as types of operators of essential services.
Gas storage system operators, liquefied natural gas system operators, companies responsible for the production, transmission, distribution, supply, purchase or storage of natural gas and operators of natural gas refining and treatment facilities are also deemed to be operators of essential services too.
Similarly, operators of oil transmission pipelines and operators of oil production, refining and treatment facilities, storage and transmission are specifically referenced as being types of operators of essential services.
Operators of essential services in the transport sector
Within the air transport sector, airlines, airport managing bodies, including organisations that operate ancillary installations within airports, and air traffic control service providers are considered to be operators of essential services.
Likewise managers of rail infrastructure and licensed rail transport operators, as well as road authorities and operators of intelligent transport systems in the field of road transport.
In addition, ferry operators and other inland, sea and coastal passenger and freight water transport companies are in scope, together with bodies that manage ports, port facilities and entities that operate works and equipment contained within ports. Operators of vessel traffic services are also listed as being a type of operator of essential services.
Operators of essential services in the financial services sector
The NIS Directive's rules on operators of essential services will also apply to banks and other credit institutions. A credit institution is defined under existing EU legislation as being "an undertaking the business of which is to take deposits or other repayable funds from the public and to grant credits for its own account".
The rules will also apply to operators of trading venues, which includes regulated markets like the London Stock Exchange. Trading venues is a term that includes other multilateral or organised trading facilities, with the Alternative Investment Market (AIM) in London being an example of a multilateral trading facility.
Operators of essential services in the health and drinking water supply sectors
Heath care providers are considered operators of essential services under the NIS Directive. 'Health care provider' is a term broadly defined in existing EU legislation and will include hospitals and GP surgeries as well as, potentially, private sector health care businesses.
Suppliers and distributors of water intended for human consumption are also within the scope of the NIS Directive, although distributors for whom distribution of water for human consumption is only part of their general activity of distribution of commodities and goods will be exempt.
Operators of essential services – digital infrastructure
Operators of essential services have also been identified within the digital infrastructure sub-sector and mean the NIS rules will apply to internet exchange points, domain name system service providers and top level domain name registries.
An internet exchange point (IXP) is defined under the Directive as being "a network facility that enables the interconnection of more than two independent autonomous systems, primarily for the purpose of facilitating the exchange of internet traffic".
According to the Directive, an IXP "provides interconnection only for autonomous systems" and "does not require the internet traffic passing between any pair of participating autonomous systems to pass through any third autonomous system, nor does it alter or otherwise interfere with such traffic".
What companies will be considered to be digital service providers?
Digital service providers are treated differently under the NIS Directive than operators of essential services.
They face less stringent security obligations than operators of essential services and need to report security incidents they experience where those incidents have "a substantial impact on the provision of a service … they offer within the Union". In contrast, operators of essential services must report "incidents having a significant impact on the continuity of the essential services they provide".
Digital service providers are considered by the NIS Directive as being providers of an online marketplace, online search engine or cloud computing service, while a recital says that "hardware manufacturers and software developers" are not digital service providers.
For the purposes of the Directive, an online marketplace is defined as "a digital service that allows consumers and/or traders … to conclude online sales and service contracts with traders either on the online marketplace’s website or on a trader's website that uses computing services provided by the online marketplace".
A recital to the Directive confirms that price comparison sites are not to be considered as being online marketplaces but that app stores are.
Whilst each EU country is responsible for designating operators of essential services to be within the scope of the NIS Directive based on set criteria, the Directive does not offer discretion to countries to determine which digital service providers fall subject to the new framework. Instead, as a recital confirms, the Directive will "apply to all digital service providers within its scope".
Digital service providers that operate across more than one EU country will only be subject to the national NIS rules implementing the Directive in the country in which it has "its main establishment in the Union".
A recital clarifies that where a company's head office is legally based in a particular EU country that location may not necessarily represent its 'main establishment' for the purposes of the NIS regime.
A recital says: "Establishment implies the effective and real exercise of activity through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in this respect. This criterion should not depend on whether the network and information systems are physically located in that place; the presence and use of such systems do not, in themselves, constitute such main establishment and are therefore not criteria for determining the main establishment." This largely follows the trend of Court of Justice of the European Union case law decisions and the approach taken under the General Data Protection Regulation.
The Directive also clarifies that digital service providers that are "micro enterprises and small enterprises" are not subject to the rules and incorporates a European Commission recommendation from 2003 as the basis for identifying whether or not an organisation can be considered a micro or small enterprise.
Digital service providers – NIS Directive applies to those based outside of the EU too
The new Directive could impact on digital service providers based outside of the EU. DSPs not established in the EU but which offer services within the EU are considered to be within the scope of the Directive and are obliged to "designate a representative" based within the EU to act on its behalf under "written mandate".
Recitals to the Directive explain in more detail the circumstances in which non-EU established DSPs would be considered to be 'offering services within the Union'.
"In order to determine whether such a digital service provider is offering services within the Union, it should be ascertained whether it is apparent that the digital service provider is envisaging the offering of services to persons in one or more member states in the Union," according to the Directive.
"Whereas the mere accessibility of the digital service provider’s or an intermediary’s website in the Union or of an email address and of other contact details or the use of a language generally used in the third country where the digital service provider is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more member states with the possibility of ordering services in that other language, and/or the mentioning of customers or users who are in the Union, may make it apparent that the digital service provider envisages offering services within the Union," it said.
What about telecoms companies?
Under the agreed Directive, telecoms companies are neither considered as being operators of essential services or digital services providers. They are therefore not subject to the new rules. Telecoms companies are already subject to rules on the security and integrity of their networks and services under the Framework Directive of 2002.
A recital in the NIS Directive confirms the position: "To cover all relevant incidents and risks, this Directive should apply to both operators of essential services and digital service providers. The obligations on operators of essential services and digital service providers should however not apply to undertakings providing public communication networks or publicly available electronic communication services … which are subject to the specific security and integrity requirements laid down in Article 13a of [the Framework] Directive nor should they apply to trust service providers … which are subject to the requirements laid down in Article 19 of [the EU's e-ID] Regulation."
The European Union Agency for Network and Information Security (ENISA) published updated guidance on what is expected of telecoms companies under the Framework Directive in relation to network and service security and integrity in October 2014. Ofcom set out its own guidance for UK telecoms providers in August last year.
The Directive confirms that both operators of essential services and digital service providers will not be absolved from their obligations on security and incident reporting where "the maintenance of their network and information systems" is outsourced to a third party.
Security obligations to vary across different digital service providers
For in-scope digital service providers, the precise security measures they will have to put in place will vary from business to business, as is explained in a recital to the Directive. The security measures operators of essential services must put in place will need to be more stringent. The European Commission will be able to specify in more detail what security measures DSPs should implement.
"DSPs should ensure a level of security commensurate to the degree of risk posed to the security of the services they provide, given the importance of their services to the operations of other businesses within the EU," according to the Directive. "In practice the degree of risk for operators of essential services, which are often essential for the maintenance of critical societal and economic activities, will be higher than for DSPs. Therefore the security requirements for DSPs should be lighter."
In addition, according to the Directive a "light-touch and reactive" system of supervision will apply to DSPs. EU countries should not place authorities tasked with compliance monitoring and enforcement under a "general obligation to supervise DSPs", it said.
"[Competent authorities] should therefore only take action when provided with evidence (for example by the DSP itself, by another competent authority, including a competent authority of another member state, or by a user of the service) that a DSP does not comply with the requirements of [the] Directive, in particular following an incident that has occurred", according to the Directive.
Double regulation avoided?
As highlighted above, the Directive specifically addresses the fact that some companies that would be subject to the new NIS rules might already face similar network and information security or incident reporting obligations under existing or forthcoming EU laws. Where businesses would be subject to duplicate obligations, the NIS rules would not apply to those companies.
"Whenever those Union legal acts contain provisions imposing requirements concerning the security of networks and information systems or notifications of incidents, these provisions should apply instead of the corresponding provisions of this Directive if they contain requirements which are at least equivalent in effect to the obligations contained in this Directive," the Directive said.
"In determining whether the requirements on the security of networks and information systems and/or the notification of incidents contained in sector specific Union legal acts are equivalent to those contained in … this Directive, regard should only be had to the provisions of relevant Union legal acts and their application in the member states," it said.
In terms of overlap with the General Data Protection Regulation, the NIS Directive makes it clear that processing of personal data under the Directive must be carried out in accordance with the general data protection legal regime.
But the Directive's statements regarding non-applicability where sector--specific Union laws prevail should not be taken as an indication that compliance with the General Data Protection Regulation will remove responsibility for compliance with the NIS Directive. While there may be overlap between the two where a security incident also involves a personal data breach, the two pieces of legislation are designed to address different subject matter.
The NIS Directive relates to both the commercial data of legal entities and individuals, that is, 'natural persons', while the GDPR relates only to data capable of identifying individuals. It remains to be seen whether EU countries choose to designate data protection authorities also as competent authorities for receiving notification of security incidents and ensuring compliance with the NIS Directive. The NIS Directive does however contemplate the existence of the two regulators operating side by side.
A recital says that "competent authorities and data protection authorities should cooperate and exchange information on all relevant matters to tackle the personal data breaches resulting from incidents".
It is as yet unclear whether the stiff security obligations and requirement to report major operational or security incidents that banks and other payment service providers face under the newly revised Payment Services Directive, would be considered equivalent to the NIS regime. The NIS Directive does single out payment systems, as opposed to payment services, and states that the "Directive does not affect the regime under Union law for the Eurosystem's oversight of payment and settlement systems".
Luke Scanlon is a technology law expert at Pinsent Masons, the law firm behind Out-Law.com