EU Network and Information Security Directive finalised

The Network and Information Security (NIS) Directive was approved by the European Parliament earlier this week and is now likely to come into force early next month. The Directive had already received the additional endorsement required for it to become law from the EU Council of Ministers in May. The Council is made up of representatives of the national governments that make up the EU.

The Directive sets out measures designed to ensure critical IT systems in central sectors of the economy like banking, energy, health and transport are secure. It will apply to operators of such "essential services" and to "digital service providers". Each EU country will determine which organisations in their jurisdiction are operators of essential services and subject to the rules in line with criteria set out in the Directive, and determine its own “effective, proportionate and dissuasive” penalties for infringement.

Digital service providers, which are defined as being online marketplaces, online search engines or cloud computing service providers, will also be subject to obligations under the Directive.

Slightly different rules apply to operators of essential services than apply to digital service providers.

EU countries will have 21 months from the date the Directive comes into force to implement the new EU legislation into national laws, and have a further six months to "identify the operators of essential services with an establishment on their territory" that would be subject to the new rules.

"Given the uncertainties regarding Brexit, it remains to be seen whether the UK will enact legislation to implement the Directive, but other EU countries will certainly be obliged to do so," said expert in cybersecurity Kuan Hon of Pinsent Masons, the law firm behind Out-Law.com.

"Operators will need to monitor the position in the EU countries in which they operate, to check whether they are listed as essential operators in those countries or fall within objective criteria set out by the relevant country," Hon said. "It is not impossible that an operator could be considered an essential operator in one member state, but not another."

Technology law expert Luke Scanlon of Pinsent Masons assessed which businesses can expect to be subject to the new NIS Directive earlier this year. Scanlon's analysis followed the announcement of a political agreement being reached on the draft NIS Directive by MEPs and the Council of Ministers late last year.

Under the Directive operators of essential services will be required to "take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems which they use in their operations". Those operators will also need to "take appropriate measures to prevent and minimise the impact of incidents affecting the security of the network and information systems used for the provision of such essential services, with a view to ensuring the continuity of those services", for instance resilience and business continuity measures.

A new incident notification regime will also apply under the Directive and require operators of essential services to report "incidents having a significant impact on the continuity of the essential services they provide" without undue delay. Notification will have to be made to "competent authorities" or Computer Security Incident Response Teams that each EU country will have to set up, as designated by the EU country concerned.

In determining the significance of security incidents operators of essential services will need to consider factors such as how many users are affected by disruptions to essential services, how long such an incident lasts and the "geographic spread" of the impact from such an incident. National competent authorities acting together in a “Cooperation Group” may develop guidelines on the circumstances when operators must notify incidents, including parameters for determining the “significance” of an incident’s impact.

Digital service providers will also have obligations to ensure the security of their network and information systems and minimise the impact of incidents affecting that security. They will be subject to lighter-touch reactive requirements and cannot be subjected by member states to more onerous requirements than under the Directive, except for reasons of national security or law and order. However, operators of essential services could be subjected by individual EU countries to more stringent requirements

Different incident notification obligations will apply to digital service providers than will apply to operators of essential services. Digital service providers will be required to notify incidents that have a “substantial” impact on the provision of a service they offer in the EU without undue delay.

To determine whether the impact of an incident is substantial or not, digital service providers will need to assess a range of criteria. Relevant factors include the number of users affected by the incident, in particular users relying on the service for the provision of their own services; the duration of the incident; the geographical spread with regard to the area affected by the incident; the extent of the disruption of the functioning of the service, and the extent of the impact on economic and societal activities. The Commission is to publish further rules on security requirements and factors for assessing whether the impact of an incident is substantial, within one year of the Directive coming into force.

However, the duty to notify incidents will only apply to digital service providers if they have "access to the information needed to assess the impact of an incident against the parameters referred to".

Hon said there is some overlap between the NIS Directive and the EU's new General Data Protection Regulation (GDPR), but the security requirements organisations face under each piece of legislation "may not be identical".

"The notification requirements are certainly different – the GDPR requires notification of 'personal data breaches', while the NIS Directive requires notification of all 'incidents', including outages affecting availability, that meet the stated threshold," Hon said. "The authorities to whom notifications must be made could well differ, also."

"Under the Directive, if an operator of an essential service relies on the service of a digital service provider (DSP) such as cloud provider for the provision of an essential service, the operator must notify the relevant authority of any incident affecting the DSP which has a 'significant impact' on the continuity of the essential service. It will therefore be important for any organisation who is treated as an essential operator, and who relies on any DSP for an essential service, to ensure that its contract with the DSP requires the DSP to notify the organisation of incidents so that the organisation is able to comply with its legal obligation to notify such incidents," Hon said.

"The scope of such a contractual notification obligation, and exactly which types of incidents at the DSP must be notified to the organisation, is likely to be debated.”

Regardless of whether an operator uses a DSP service or not, “it will be important for affected organisations to start preparing now, in terms of their security and breach detection and management systems and procedures, as well as relevant contracts," she said. Hon said the Directive could "boost the cyber insurance market".