What is this all about?
Under the EU Network Information Security Directive (“the NIS Directive”) operators of essential services and digital services providers will be required to maintain minimum network information security obligations and notify security incidents to a national regulator.
For organisations that already have obligations to notify regulators or affected individuals under data protection laws or under other regulatory regimes (such as regulated financial services firms) a security incident involving network and information systems could potentially involve a multitude of notifications requiring different information, different timeframes, and, give rise to enforcement action for non-compliance.
The objective of the NIS Directive is to achieve a high common level of security of network and information systems (“NISes”) within the EU, by means of:
- Improved cyber security capabilities at national level;
- Increased EU-level cooperation; and,
- Risk management and incident reporting obligations.
These FAQs focus on the incident reporting aspects.
Who does the NIS Directive apply to?
Operators of essential services (“OESes”) are private businesses or public entities with an important role for society and the economy.
The NIS Directive applies to OESes operating in certain critical sectors including:
- Energy e.g, electricity, oil or gas operators;
- Transport e.g, air carriers and airport managing bodies, rail water and road transport;
- Banking e.g credit institutions;
- Financial market infrastructures e.g, trading venues, central counterparties;
- Health e.g hospitals and private clinics;
- Drinking water supply and distribution; and,
- Digital infrastructures, i.e internet exchange points, domain name system service providers, top level domain name registries.
EU Member States will designate a list of OESes with an establishment in their territory. The criteria applied is whether:
- You provide a service which is essential for the maintenance of critical societal and/or economic activities;
- The provision of that service depends on NISes; and,
- An incident affecting the NISes of that service would have significant disruptive effects on its provision.
Digital Services Providers (DSPs), include:
- E-commerce operators and online marketplaces, including computing services such as transaction processing, data aggregation or user profiling, and app stores;
- Cloud computing operators; and,
- Search engine operators.
- It applies to DSPs:
- Established within the EU; or,
- That are not established within the EU but offer services within the EU, e.g, using a language or currency generally used in an EU Member State in connection with orders, or referring to customers in the EU.
There is no list of designated DPSs – it applies to all in-scope DSPs.
Who doesn’t it apply to?
The following are exempt:
- Telecoms operators;
- Hardware manufacturers;
- Software developers;
- Trust service providers;
- Payment and settlement services;
- Public administrations (unless specifically identified); and,
- Organisations with duplicate obligations under other sector-specific laws (insofar as the requirements are “at least equivalent” to the corresponding provisions of the NIS Directive) will be subject to those laws instead. In principle, this is supposed to avoid “double-notifications”. However, in practice, applying the equivalency principle is not necessarily straightforward, e.g, the NIS Directive recognises that there will be overlap regarding some of the rules applying to the water transport sector and certain corners of financial services regulation but has left it to individual EU Member States as to how this is reconciled. Also, if the incident involves personal data, data protection legislation will still apply.
The following exemptions apply as regards DSPs:
- Price comparison sites;
- Micro enterprises and small enterprises;
- Online intermediary services – where the contract is ultimately concluded with a third party;
- Mere accessibility of DPSs or an intermediary’s website, or use of an email address or contact details, in the EU;
- Mere use of the language generally used in the country where the DSP is established;
- Search functions within a website (even if provided by an external search engine); and,
- Telecoms operators.
Am I affected down the supply-chain?
If you are a provider of services to OESes, you may see contractual obligations similar to those in the NIS Directive being passed down the line, particularly imposing requirements to monitor and notify threats or incidents. Your customers may also seek to flow down liability for regulatory fines and other losses arising from breach of these requirements.
If you are a provider of services to DSPs, you may see contractual obligations similar to those in the NIS Directive being passed down the line, particularly imposing requirements to monitor and notify threats or incidents. Your customers may also seek to flow down liability for regulatory fines and other losses arising from breach of these requirements. However, note that the requirements on DSPs are a bit less strict.
What if we outsource our maintenance?
The security and notification obligations will apply to OESes and DSPs regardless of whether the maintenance of NISes is carried out internally or outsourced.
Which cyber security scenarios does it apply to?
The NIS Directive is focussed on incidents affecting NISes. “Incidents” are defined as those events that have an actual adverse effect on the security of NISes. For an OES, when assessing the significance of the disruptive effect of any incident, consider:
- The number of users relying on the service that you provide;
- The dependency of other relevant sectors on that service;
- The potential impact of incidents, in terms of degree and duration, on economic and societal activities or public safety;
- Your market share;
- The geographic spread with regard to the area that could be affected by an incident;
- Your organisation’s importance for maintaining a sufficient level of the service, taking into account the availability of alternative means for the provision of that service; and,
- Any relevant sector-specific factors.
Who do we need to report incidents to?
EU Members States need to:
- Designate one or more national NIS regulator;
- Assign a regulator to act as a national “single point of contact” for NIS security issues to ensure cross-border cooperation with the relevant regulators in other EU Member States and with the cooperation mechanisms created by the NIS Directive; and,
- Set up at least one “Computer Security Incident Response Team” (“CSIRT”) to handle NIS risks and incidents for each of the critical infrastructure sectors in which market operators operate.
When must we report incidents to the regulator?
Not all incidents have to be reported – voluntary notifications are also possible
OESes within the scope of the NIS Directive and established in an EU Member State must notify “without undue delay” to the regulator or CSIRT “incidents having a significant impact on the continuity of the essential services they provide”.
DSPs will need to notify the regulator or the CSIRT “without undue delay” of any incident having a substantial impact on the provision of a relevant service that they offer within the EU. In determining whether the impact of an incident is substantial, the following parameters in particular will be taken into account:
- The number of users affected by the incident, in particular users relying on the service for the provision of their own services;
- The duration of the incident;
- The geographical spread with regard to the area affected by the incident;
- The extent of the disruption of the functioning of the service; and,
- The extent of the impact on economic and societal activities.
What information do we include in the notification?
The NIS Directive says little about the notification requirements but the regulators are expected to issue guidance and/or prescribed notification forms in due course. For now, it simply says that:
- Notifications by OESes and DPSs should include information enabling the regulator or the CSIRT to determine any cross-border impact of the incident; and,
- To determine the significance of the impact of an incident involving OESes, the following parameters in particular must be taken into account:
- The number of users affected by the disruption of the essential service;
- The duration of the incident; and,
- The geographical spread with regard to the area affected by the incident.
Additional information that might also need to be provided (following the trend of other notification regimes) could include:
- An explanation for any delays in notifying, and,
- The details of any investigations and action taken to date and your plans for dealing with the incident and preventing a reoccurrence.
Must we inform individuals whose data has been compromised?
There is no obligation under the NIS Directive to notify any other parties (such as customers, employees or law enforcement agencies) of reportable NIS incidents. However, the regulator or CSIRT may inform the public, where public awareness is needed to prevent the incident or resolve an ongoing incident, or for public interest reasons. The notifying party will be consulted before a public disclosure is made. There is nothing preventing an OES or a DSP from making a voluntary notification to affected parties, if appropriate.
What if we don’t comply?
Regulators will have investigation and audit powers and be able to compel OESes or DSPs to provide certain information.
After assessing this information, a regulator may issue binding instructions to a non-compliant OES to bring its operations into line.
DSPs are subject to “light-touch and reactive ex post supervisory activities justified by the nature of their services and operations”. There is not an equivalent express power to issue binding instructions. Also, regulators will be able to exercise their supervisory activities only when provided with evidence that a DSP is not complying with the NIS Directive (in particular following an incident).
The NIS Directive also expressly states that notification will not increase the notifying party’s liability to enforcement action. Therefore, the fear of regulator retribution should not act as a disincentive to OESes and DSPs to notify.
After consulting the notifying OES or DSP, the regulator or the CSIRT may inform the public about the incident, where public awareness is necessary to prevent an incident or deal with an ongoing incident. However, the interest of the public in being informed about threats needs to be balanced against possible reputational and commercial damage for the OESes or DSPs reporting incidents. There is also recognition of the need to keep information about product vulnerabilities strictly confidential prior to the release of appropriate security fixes.
EU Member States must implement “effective, proportionate and dissuasive” sanctions for failure by OESes or DSPs to comply with the NIS Directive’s requirements regarding security and incident notification.
How long do we have to get ready for this?
The NIS Directive entered into force on 8 August 2016 and EU Member States have until May 2018 to transpose it into national law and until November 2018 to identify OESes.
Although EU Member States have a degree of discretion as to how the implement the NIS Directive into their national legislation, in the case of DSPs more onerous requirements than those under the NIS Directive cannot be imposed.
Harmonisation has also been achieved to some extent because DSPs that operate across multiple EU Member States are only subject to the national NIS rules implementing the NIS Directive in the country in which the DSP has its main establishment in the EU.
What should I do now?
These new rules bring compliance obligations entailing financial and human resources and administrative costs. Use your planning time well to adapt to them – the following are some issues to start addressing:
- Build the new notification requirements into your data governance framework and incident response planning, such as by implementing early warning systems, notification procedures and incident handling processes;
- If you are an OES or a DSP, identify subcontracts that may need to be updated to incorporate the NIS Directive requirements; and,
- Monitor updates from the relevant national regulators as to whether your organisation is on the list of designated OESes and also for further guidance on the applicable NIS requirements generally.
Details of Cordery’s data protection and privacy practice can be found here and details of our training solutions can be found here.
For more information please contact Jonathan Armstrong, Andre Bywater or Katherine Eyres who are lawyers with Cordery in London where their focus is on compliance issues.
Office: +44 (0)207 075 1784
Office: +44 (0)207 075 1785
Office: +44 (0)207 118 2700