Network and Information Security Directive set to come into force in August

Out-Law News | 17 May 2016 | 5:18 pm | 3 min. read

New measures designed to ensure critical IT systems in central sectors of the economy like banking, energy, health and transport are secure are set to be written into EU law.

The Council of Ministers has announced that the proposed Network and Information Security (NIS) Directive has won formal approval from the national governments that make up the EU. It said the Directive is likely to come into force in August once the European Parliament has voted to endorse the text.

The Directive will apply to operators of essential services and digital service providers. Each EU country will determine which organisations in their jurisdiction are operators of essential services and subject to the rules in line with criteria set out in the Directive.

Digital service providers, which are defined as being online marketplaces, online search engines or cloud computing service providers, will be directly subject to the Directive.

Slightly different rules apply to operators of essential services than apply to digital service providers.

Technology law expert Luke Scanlon of Pinsent Masons, the law firm behind Out-Law.com, assessed which businesses can expect to be subject to the new NIS Directive earlier this year. Scanlon's analysis followed the announcement of political agreement being reached on the draft NIS Directive by MEPs and representatives of EU  governments in December last year.

According to the latest draft of the Directive (77-page / 550KB PDF), operators of essential services will be required to "take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems which they use in their operations". Those operators will also need to "take appropriate measures to prevent and minimise the impact of incidents affecting the security of the network and information systems used for the provision of such essential services, with a view to ensuring the continuity of those services".

A new incident notification regime will also apply under the Directive and require operators of essential services to report "incidents having a significant impact on the continuity of the essential services they provide" without undue delay. Notification will have to be made to designated "competent authorities" or Computer Security Incident Response Teams that each EU country will have to set up.

In determining the significance of security incidents operators of essential services will need to consider how many users are affected by disruptions to essential services, how long such an incident lasts and the "geographic spread" of the impact from such an incident.

Digital service providers will also have obligations to ensure the security of their network and information systems and minimise the impact of incidents affecting that security.

Different incident notification obligations will apply to digital service providers than will apply to operators of essential services. Digital service providers will be required to notify incidents that have a substantial impact on the provision of a service they offer in the EU without undue delay.

To determine whether the impact of an incident is substantial or not, digital service providers will need to assess a range of criteria. Relevant factors include the number of users affected by the incident, in particular users relying on the service for the provision of their own services; the duration of the incident; the geographical spread with regard to the area affected by the incident; the extent of the disruption of the functioning of the service, and the extent of the impact on economic and societal activities.

However, the duty to notify incidents will only apply to digital service providers if they have "access to the information needed to assess the impact of an incident against the parameters referred to".

If digital service providers offer services in the EU but have no establishment inside the trading bloc they will be required to appoint a designated representative in the EU so as to fulfil its obligations under the Directive.

Under the proposed Directive EU countries will also be required to outline "a national strategy on the security of network and information systems". New frameworks for cross-border information sharing on security issues will also be established.

EU countries will have 21 months from the date the Directive comes into force to implement the new EU legislation into national laws, according to the Council of Ministers' draft. They will have a further six months to "identify the operators of essential services with an establishment on their territory" that would be subject to the new rules.

Businesses can expect to be included on the list countries draw up if they provide a service which is essential for the maintenance of critical societal and/or economic activities, if the provision of that service depends on network and information systems and if an incident would have significant disruptive effects on the provision of that service, according to the Directive.