
EU’s general cybersecurity legislation has arrived

Written by Ruben Roex on Thursday 21 July 2016, in category Cybersecurity

A milestone achieved

At the beginning of the month, on the 6th of July 2016, the European Parliament voted in favor of what can be construed as the EU’s first ever piece of comprehensive cybersecurity legislation. The “Directive concerning measures for a high common level of security of network and information systems across the Union” (often abbreviated as the “Network and Information Security Directive” or “NIS Directive”) was published in the Official Journal on July 19th. It is set to enter into force on the 8th of August 2016. Member States have until the beginning of May 2018 to take the necessary measures to transpose the Directive into national law.

It has taken roughly three years to come to the final text after the European Commission put forward its proposal in February 2013. During these three years the sharpest edges of the proposal have been shaved off, resulting in an instrument with a significantly smaller scope. Nevertheless, for a whole range of private and public sector entities this NIS Directive will have an impact on how they deal with the everyday (cyber) security of their services.

Measures at different levels

The NIS Directive takes a layered approach towards European cybersecurity. It includes measures for Member State regulatory-strategic intervention, transnational cooperation as well as specific obligations directed at key economic players within the EU’s single market. To an extent one recognizes the same underlying principles and ideas as found in the European Programme for Critical Infrastructures Protection (EPCIP), which has the same layered approach. This should not come as a surprise, since in a way the NIS Directive is the informational infrastructure complement to EPCIP.

Measures at Member State level and transnational cooperation

One of the main obligations of the Member States under the new NIS Directive will be to identify operators of essential services. According to article 5 (2), these are entities that provide services essential for the maintenance of critical societal and/or economic activities and that depend on network and information systems to such an extent that an incident would significantly disrupt the provision of the service. The NIS Directive lists in its Annex II the sectors in which Member States should look for these operators of essential services.

Member States will also be obliged to adopt an NIS strategy and an appropriate regulatory framework. They will designate competent authorities and single points of contact and set up CSIRTs. CSIRTs are the national cyber fire brigades: they will cooperate with the private sector and provide operational support. Last but not least, Member States will have to ensure that the obligations imposed on operators of essential services and digital service providers can be enforced.

At the European level, the focus lies mainly on strategic and operational cooperation. Member States will have to cooperate strategically through a Cooperation Group, the secretariat of which is handled by the European Commission. Such strategic cooperation will include among other things the exchange of information and best practices. CSIRTs will take care of operational cooperation through the creation of a network.

Specific obligations for private sector stakeholders

Categories of private sector stakeholders

The Directive focuses on two types of private sector entities:

  • the operators of essential services; and
  • digital service providers.

The definition of the former category is given above, while the latter category essentially encompasses online marketplaces, search engines and cloud computing services. In the proposal of the European Commission all information society services were within the crosshairs, but during the legislative process it was decided that many of those services were not ‘critical’ enough. Hence the restriction to digital services that the EU legislator considers of such importance that any incident affecting them has a sufficiently profound impact on the internal market.

The obligations for private sector stakeholders

The main obligations for operators of essential services and digital service providers can be summarized as follows:

  • taking appropriate technical and organizational measures to manage NIS risks;
  • drafting and implementing business continuity plans;
  • notifying the competent authority or CSIRT of an incident that has a substantial impact.

The duty to notify an incident to the CSIRT shall not lead to increased liability for the operator or service provider, i.e. it shall not incur added liability for the incident itself. Non-compliance with the duty to notify can, of course, give rise to liability. A digital service provider whose services are crucial to the continuity of an operator of essential services shall be required to notify that operator of every incident that threatens the continuity of its services. CSIRTs are allowed, in consultation with the operator of essential services or the digital service provider, to inform the public about an incident, or can require the service provider to do so.

National jurisdiction

It goes without saying that in practice many of the operators of essential services and the digital service providers are organizations that operate on an EU-wide if not a global scale. Hence, there is a need for clear rules allocating the competence of national supervisory authorities as well as jurisdiction. Such rules are found in articles 5 and 18 of the NIS Directive. For operators of essential services, each Member State shall be competent where the operator has an establishment through which it provides essential services in that Member State. For digital service providers the NIS Directive seems to follow the one-stop-shop principle: the Member State where the service provider has its main establishment (i.e. head office) shall have jurisdiction and its supervisory authority shall be competent. If there is no main establishment in the EU, the service provider shall have to designate a representative.

Conclusion

The NIS Directive sets out in broad strokes the main themes that Member States have to cover in their national legislation to achieve an adequate level of cybersecurity. What the results for private stakeholders will be in practice will largely depend on the national measures that transpose the NIS Directive. One important remark though: for operators of essential services the Directive aims at minimum harmonization, while for digital service providers it aims at full harmonization. For the latter category the national cybersecurity rules should therefore remain very close to the Directive’s. For more information, contact time.lex attorney Ruben Roex.