Introduction
In an attempt to counter an ever-growing global menace, new EU cyber security rules have been finalized and published. They aim to address cyber security challenges at an EU-wide level – the new rules can be found here.
The new EU rules are in the form of a Directive called the “NIS Directive” (in reference to the main focus being “network and information systems”) which is mainly aimed at the EU Member States in that it requires them to improve their national cyber security capabilities and improve co-operation between them on cyber security. Some parts of the NIS Directive do however have an impact on the private sector.
Who is covered under the new rules?
The NIS Directive directly concerns businesses as those within scope will need to put in place appropriate security measures. In addition, incidents will have to be reported to relevant Member State authorities. The businesses that will be affected are so-called “operators of essential services” and key “digital service providers”.
The operators of essential services that fall under the scope of the NIS Directive are as those that meet the following criteria:
- An entity providing a service which is essential for the maintenance of critical societal and/or economic activities;
- The provision of that service depends on network and information systems; and,
- An incident would have significant disruptive effects on the provision of that service.
The sectors envisaged by this under the NIS Directive include:
- energy;
- transport;
- banking;
- financial market infrastructure;
- health; and
- drinking water supply and distribution.
Digital services envisaged under the Directive include:
- online marketplaces;
- online search engines; and
- cloud computing services
Micro and small digital companies will generally be exempt from security requirements and incident notification.
What do the new rules require?
In short, the NIS Directive:
- Lays down obligations for all EU Member States to adopt a national strategy on the security of network and information systems;
- Creates a “Co-operation Group” in order to support and facilitate strategic co-operation and the exchange of information among Member States and to develop trust and confidence amongst them;
- Creates a computer security incident response teams network (the so-called “CSIRTs network”) aimed at contributing to the development of trust and confidence between Member States and promoting swift and effective operational co-operation;
- Establishes security and notification requirements for operators of essential services and for digital service providers; and,
- Lays down obligations for Member States to designate national competent authorities, single points of contact and CSIRTs with tasks related to the security of network and information systems.
Affected organizations will be required to:
- Assess the risks they face and adopt appropriate and proportionate measures; and,
- Report to regulators major security incidents on their core services – the “incidents” that will have to be reported are broadly defined as “any event having an actual adverse effect on the security of network and information systems.”
Entities which have not been identified as operators of essential services and are not digital service providers may notify on a voluntary basis incidents having a significant impact on the continuity of the services which they provide.
Do the rules have extra-territorial effect?
Yes, the NIS Directive also has extra-territorial effect for digital service providers.
A digital service provider will be deemed to be under the jurisdiction of the Member State in which it has its main establishment, which is where a digital service provider has its head office in that Member State. Where a digital service provider is not established in the EU, but offers online marketplaces, online search engines or cloud computing services within the EU, it must designate a representative in the EU. The system of designating a representative is similar to the requirement under the General Data Protection Regulation (GDPR). The representative must be established in one of the EU Member States where the services are offered – the digital service provider will be deemed to be under the jurisdiction of the Member State where the representative is established. The designation of a representative by the digital service provider will be without prejudice to legal actions which could be initiated against the digital service provider itself.
Are there any sanctions?
The EU Member States will have discretion as to what sanctions to apply for breach of the NIS Directive as implemented under national rules. Therefore, because the rules are subject to EU Member State national implementation there will inevitably be a degree of divergence on sanctions.
When must the new rules be adopted?
EU Member States have to adopt the Directive by 9 May 2018, and, also officially identify essential services operators from the sectors in question according to certain criteria by 9 November 2018 (and also note that the GDPR will also come into full force around the same time, on 25 May 2018). Businesses will likely be asked in the individual Member States to take part in a consultation before the rules are implemented. Businesses who are essential service operators and key digital service providers should therefore ensure that their voice is heard in that process. In this regard it should be emphasized that a lot of detail will be required to flesh out this legislation.
In addition, it should also be born in mind that, except for a requirement to not impose any further security or notification requirements on digital service providers, Member States may adopt or maintain provisions with a view to achieving a higher level of security of network and information systems, i.e. they may do what is otherwise colloquially known as “gold-plating”.
The EU has also recently issued an official Communication entitled “Strengthening Europe’s Cyber Resilience System and Fostering a Competitive and Innovative Cybersecurity Industry” which, amongst other things, sets out measures to enhance the requirements of the NIS Directive including submitting in 2017 a co-operation blueprint to handle large-scale cybersecurity incidents in the EU.
Conflicts with GDPR
As most will know in addition to the NIS Directive, GDPR also has an obligation on all companies to keep personal data secure and to report breaches (subject to some exemptions). You can find out more about GDPR in our FAQs here. The requirements and types of breach are not identical however. It could be in any given situation that a report may have to be made under the NIS Directive, under GDPR, or both. Expert counsel is likely to be needed in co-ordinating these reports.
Next steps
Following the outcome of the Brexit referendum in the UK it is not clear whether the NIS Directive will form part of UK law or not. The exit process is formally expected to begin at the end of this year or the very start of next year and although it has a set (but extendable) two-year period it is anticipated that the process will take longer, and, the UK will also likely be involved in a separate process to come to a new deal with the EU which is expected to go on in parallel. Given the importance to the UK of international co-operation on cyber security issues the NIS Directive is expected to have an impact of some sort.
In the meantime those businesses who are likely to fall under the new rules should:
- Update their data breach plans – experience has shown us that those organisations who have a clear, well considered plan of action after a breach survive better;
- Alert the Board to this new cyber security regime and plan resources to address it – this will include hardware, software and training;
- Set up procedures to help with risk assessment, response management, internal investigation, and, incident reporting;
- Undertake training and develop internal cyber security advocacy – make sure this is not simply off-the-shelf training but that it is tailored to the risks you face;
- Re-evaluate your public relations strategy to deal with a breach; and,
- Reassess existing cyber insurance or take out a new policy.
In addition, businesses doing business with essential service operators and key digital service providers should also consider to what extent there will be a downstream effect, i.e. whether they will in effect be subject to the same requirements.
Cordery regularly reports on cyber security and related issues. Details can be found here. If you’d like help preparing for the new NIS regime then please call Cordery.
For more information please contact Jonathan Armstrong and André Bywater who are lawyers with Cordery in London where their focus is on compliance issues.
André Bywater
Office: +44 (0)207 075 1785
andre.bywater@corderycompliance.com
Office: +44 (0)207 075 1784
jonathan.armstrong@corderycompliance.com