Out-Law News | 20 Jul 2016 | 2:59 pm | 3 min. read
The Network and Information Security (NIS) Directive has been published in the EU's official journal. EU countries have until 9 May 2018 to implement the Directive into national law and the national measures will then need to be applied from 10 May 2018. The Directive was approved by EU law makers earlier this month.
It is not yet clear whether the UK will implement the NIS Directive following the country's vote to leave the EU.
The NIS Directive sets out measures designed to ensure critical IT systems in central sectors of the economy like banking, energy, health and transport are secure. It will apply to operators of such "essential services" and to "digital service providers".
Each EU country must determine which organisations in their jurisdiction are operators of essential services and subject to the rules in line with criteria set out in the Directive by 9 November 2018.
Digital service providers, which are defined as being online marketplaces, online search engines or cloud computing service providers, will also be subject to obligations under the Directive. Slightly different rules apply to operators of essential services than apply to digital service providers.
According to the Directive a 'cooperation group' comprising representatives from each EU country will seek to develop "a consistent approach in the process of identification of operators of essential services" by individual member states.
The group will "discuss the process, substance and type of national measures allowing for the identification of operators of essential services within a specific sector in accordance with the criteria set out in [the Directive]" as well as, potentially, the specific national measures for selecting operators of essential services drawn up by an EU country. The cooperation group is to be active by 9 February 2017.
Technology law expert Luke Scanlon of Pinsent Masons assessed which businesses can expect to be subject to the new NIS Directive earlier this year.
Under the Directive operators of essential services will be required to "take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems which they use in their operations". Those operators will also need to "take appropriate measures to prevent and minimise the impact of incidents affecting the security of the network and information systems used for the provision of such essential services, with a view to ensuring the continuity of those services", for instance resilience and business continuity measures.
A new incident notification regime will also apply under the Directive and require operators of essential services to report "incidents having a significant impact on the continuity of the essential services they provide" without undue delay. Notification will have to be made to "competent authorities" or Computer Security Incident Response Teams that each EU country will have to set up, as designated by the EU country concerned.
In determining the significance of security incidents operators of essential services will need to consider factors such as how many users are affected by disruptions to essential services, how long such an incident lasts and the "geographic spread" of the impact from such an incident. The cooperation group may develop guidelines on the circumstances when operators must notify incidents, including parameters for determining the “significance” of an incident’s impact.
Digital service providers will also have obligations to ensure the security of their network and information systems and minimise the impact of incidents affecting that security. They will be subject to lighter-touch reactive requirements and cannot be subjected by member states to more onerous requirements than under the Directive, except for reasons of national security or law and order. However, operators of essential services could be subjected by individual EU countries to more stringent requirements.
Different incident notification obligations will apply to digital service providers than will apply to operators of essential services. Digital service providers will be required to notify incidents that have a “substantial” impact on the provision of a service they offer in the EU without undue delay.
To determine whether the impact of an incident is substantial or not, digital service providers will need to assess a range of criteria. Relevant factors include the number of users affected by the incident, in particular users relying on the service for the provision of their own services; the duration of the incident; the geographical spread with regard to the area affected by the incident; the extent of the disruption of the functioning of the service, and the extent of the impact on economic and societal activities. The Commission is to publish further rules on security requirements and factors for assessing whether the impact of an incident is substantial, within one year of the Directive coming into force.
However, the duty to notify incidents will only apply to digital service providers if they have "access to the information needed to assess the impact of an incident against the parameters referred to".
Each EU country must determine its own “effective, proportionate and dissuasive” penalties for infringement.
Expert in cybersecurity Kuan Hon of Pinsent Masons, the law firm behind Out-Law.com, said recently that there is some overlap between the NIS Directive and the EU's new General Data Protection Regulation (GDPR), but the security requirements organisations face under each piece of legislation "may not be identical".