Out-Law Analysis
11 Mar 2015, 10:22 am
The UK is facing opposition from other EU countries, though, which want EU cyber security rules to apply to operators of 'digital service platforms' such as Amazon as well as to operators of critical banking, energy, health and transport infrastructure.
The disagreement concerns the precise scope of the Network and Information Security (NIS) Directive. EU countries are negotiating over the final wording of the rules, which are scheduled to be agreed by June and to come into force in 2018.
Rachael Bishop, policy officer at the Department for Business, Innovation and Skills (BIS) on cyber security EU and international policy, told Out-Law.com that other areas of the NIS Directive proposals are also occupying the UK government's thinking.
What is the NIS Directive?
The NIS Directive was first published by the European Commission in February 2013 in a bid to bolster the security of critical infrastructure in the EU and ensure that cyber security incidents affecting that infrastructure that have a real-world impact are reported to regulators. The Commission's original proposal also envisaged a new cross border cyber security information sharing regime.
Since the plans were first published, MEPs and government officials from the 28 EU countries have been working to refine the proposed new framework. Once finalised, EU countries will have to implement the Directive into national law.
Which organisations will the NIS Directive apply to?
Bishop told Out-Law.com that negotiations on the new Directive have stalled as a result of a disagreement between EU governments on the scope of the new framework. The crux of the disagreement is over the interpretation of what is an 'essential' service and, in particular, whether 'digital service platforms' can ever be considered essential, she said.
EU law makers, through the NIS Directive, are keen that operators of infrastructure that is "essential" for the maintenance of major "economic and societal activities" have appropriate and proportionate cyber security measures in place to protect their network and information systems from being compromised. They want operators of that infrastructure to report cyber security incidents that have a significant impact on the security of their network or systems to regulators.
Bishop said there is broad agreement between the law makers that 'essential' systems in banking, health, transport and energy should be subject to those rules. However, she said the UK government is resisting attempts to also bring 'digital service platforms' within the scope of the Directive.
That issue has been divisive, with a near "50/50 split" across the 28 EU country governments, Bishop said.
The UK government believes that 'digital service platforms' fail the 'essentiality' test and should not be regulated through the NIS Directive, Bishop said. Even if the biggest digital service platforms experienced downtime because of a cyber attack, this would not have a sufficiently "significant disruptive effect" on the economy and society to merit regulation under the Directive, she said.
Explaining the government's view, Bishop said there is a distinction to be made between the need for a continuous supply of energy in the UK, for example, and the availability of digital service platforms such as Amazon. Whilst an extended outage caused by a cyber attack on Amazon's marketplace could have major implications for SMEs selling via that platform, it could not be compared with the potential seriousness of a cyber attack that knocks out the UK's electricity grid, she said.
Bishop said the government's position does not mean that it believes cyber security is unimportant for businesses, nor that it would be unsympathetic to the plight of companies affected by disruption to an important sales channel.
Ultimately it will be left up to the UK and the other individual EU countries to each determine which services in their jurisdiction should be classed as 'essential' and therefore subject to the NIS Directive. Bishop said, though, that a "criticality test" is likely to be written into the Directive to ensure that there is broad consistency between EU countries on which organisations they make subject to the new rules.
The incident reporting regime and notification fatigue
Determining exactly whether a cyber security incident has had a 'significant impact' and is therefore reportable to regulators under the new regime is another issue EU law makers have been considering closely, Bishop said.
Both the European Parliament and Council of Ministers – the body that brings together government officials from the 28 EU countries to debate legal reforms in the trading bloc – have agreed that criteria to help organisations determine whether an incident is reportable should be written into the new NIS Directive.
Organisations will have to consider the number of individuals affected by an incident, the duration of disruption caused by the incident and an incident's geographic spread, she said. Assessment of those factors will help organisations determine whether or not an incident has had a significant impact and is reportable.
Bishop said the UK government was also concerned with the administrative burdens that could be placed on businesses subject to the NIS Directive. There is potential for double reporting of incidents, owing to the fact that reportable cyber security incidents under the Directive might concern a breach of personal data which would need to be reported to data protection authorities under the planned new General Data Protection Regulation.
Other countries seem less concerned with the potential for double reporting and so separate notification requirements are likely to co-exist under the new data protection regime and the NIS Directive, she said.
There are already security notification rules in place in some sectors. The blueprint for the NIS Directive is the EU's existing Telecoms Framework Directive which currently requires telecoms companies to notify regulators of major breaches of their network security. For this reason, telecoms companies are excluded from the scope of the NIS Directive.
There are existing requirements in other industries too. Last autumn, the European Central Bank (ECB) called on EU law makers, when finalising the NIS Directive, to take account of the existing rules and procedures that payment service providers are already subject to on the assessment of cyber security risk and the notification to regulators of incidents they identify.
The ECB said "procedures for early warnings and coordinated responses" have already been established in relation to "systemically important payment systems" and "deal with possible cyber-security threats". There are "existing oversight arrangements", involving financial regulators, for these procedures, it added.
Bishop said the UK government, in implementing the NIS Directive, would do its best to "streamline" the reporting arrangements for businesses to cut down on the time and cost burdens they would face from double reporting.
The BIS policy officer said that the UK government is trying to ensure that the finalised Directive is worded flexibly to allow individual EU countries to decide which "competent authorities" organisations would have to report cyber security incidents to under the new regime. She said the UK government could decide to build NIS Directive reporting into existing sectoral reporting frameworks so as to limit disruption, but that the issue had yet to be discussed by the government in any detail.
A threat to national security?
Bishop said that the UK government has been concerned that the NIS Directive, in seeking to protect important systems and networks, would lead to the backdoor definition of the UK's 'critical national infrastructure' (CNI). She said the government was opposed to any "inadvertent harmonisation" of CNI in the EU and that disclosure of the operators of critical infrastructure could raise national security issues.
What happens if there is non-compliance?
Under current plans, EU countries will be required to put in place dissuasive, effective and proportionate sanctions for non-compliance with either the NIS Directive's cyber security requirements or the incident reporting rules, Bishop said.
The UK government has yet to consider in detail what sanctions regime it should develop to correspond with the Directive's requirements.
Cross border information sharing
Under the current plans for the NIS Directive, EU countries will have an obligation to share details of some cyber security incidents reported under the regime with other EU countries.
The cross border sharing requirement will be triggered if the incident reported has a significant impact on the continuity of essential services in another EU country, Bishop said. Rules will be in place to preserve the confidentiality of that information.
Bishop said the UK government's preference would be for reporting of incidents to happen on a voluntary basis only. She said relying on information shared from other countries demanded trust and that the government had spent years nurturing trusted relationships with other countries under existing information sharing frameworks. Such trust "cannot be built into the text of legislation", she said.
In addition to some mandatory cross border information sharing, further voluntary information sharing on cyber security issues will be encouraged under the NIS Directive, Bishop said. The UK's computer emergency response team (CERT) will coordinate with counterparts elsewhere in the EU.
Bishop said the UK government is aware that it must lead on improving the voluntary sharing of information and make it a "useful network" to ward off any moves to expand the mandatory information sharing regime in the future.
What is the current state of play?
The European Parliament and Council of Ministers held talks on finalising the NIS Directive in the final couple of months of last year. In November, the then Italian presidency of the Council suggested reforms could be agreed in principle before the end of 2014. However, agreement failed to materialise.
Bishop said this was because EU governments had not given the Italian presidency a mandate to enter into a third round of talks with the Parliament because EU governments could not agree on which organisations should be brought within scope of the new framework.
Since then, the new Latvian presidency of the Council has put talks on hold. Bishop said, though, that the presidency wants to re-open exploratory talks with the Parliament again soon, and has set a target of achieving political consensus with the Parliament on the wording of the Directive by the end of April this year. If that informal agreement is reached, procedures for formally adopting the Directive will begin.
Bishop said, if everything goes to schedule, the NIS Directive should be finalised by the end of June and written into the Official Journal of the EU shortly thereafter. EU countries would then have two years to publish national regulations implementing the Directive and a further six months to bring those new rules into force.
It is therefore likely to be early 2018 before the NIS Directive regime is operational, Bishop said.
Editor's note 11/03/15: This story was updated to clarify the government's position on sanctions.