European Institutions Reach Agreement on EU Cybersecurity Rules
On December 7, 2015, the European institutions reached an informal agreement on the EU Network and Information Security (NIS) Directive — dubbed the Cybersecurity Directive (see press release from the Council). Among other things, the NIS Directive imposes security and incident reporting obligations on operators of essential services in critical sectors and on some digital service providers.
As we reported in the summer, the scope of the NIS Directive has been controversial since the Commission published its original proposal back in February 2013. Several stakeholders, including some Member States, have expressed reservations about subjecting online companies to the same obligations as operators of essential services in the energy, transport and other critical sectors. Following many months of negotiations, a compromise has now been reached by introducing a lighter-touch regime for certain digital service providers that fall within the scope of the Directive.
Operators of essential services in critical sectors
The NIS Directive imposes two key obligations on operators of essential services in the energy, transport, banking, financial market infrastructure, health and water supply sectors:
to implement security measures to manage the risks posed to the security of networks and information systems that they control and use in their operations; and
to report to the competent authorities security incidents that have a significant impact on the continuity of the essential services that they provide.
Supervision by competent authorities will be stricter for these operators than for providers of digital services.
Digital service providers
Some digital service providers — specifically cloud services, e-commerce platforms, and search engines — will be subject to similar security and incident reporting requirements, but we understand that supervision will be lighter (i.e., authorities will only be empowered to act on an ex post basis). The European Parliament’s press release specifically identifies Amazon, eBay and Google as examples of companies that will likely be covered. The European Parliament initially wanted to remove online companies from scope entirely, but the Commission and Council resisted this — creating a lighter oversight regime for the digital service providers in scope seems to have facilitated a compromise.
The precise nature of the obligations and oversight arrangements will become clear once a consolidated text becomes publicly available.
Next steps and other key points for the private sector
The immediate next step in the legislative process is for the European Parliament’s Internal Market Committee and the Council’s Committee of Permanent Representatives to formally approve the provisionally agreed text. It is anticipated that Parliament will give its approval on December 17, and the Presidency of the Council will present the agreed text for approval by Member States at the Permanent Representatives Committee (Coreper) on December 18.
Once the NIS Directive is published in the Official Journal of the European Union and enters into force early next year, Member States will have 21 months to transpose it into national law. Member States will then have a further 6 months to apply the criteria laid down in the Directive to identify the specific companies covered by national rules. These processes are likely to be complicated, and companies that may fall within scope should participate in consultations and monitor developments across the EU over the coming months.
The NIS Directive is a minimum harmonisation measure, meaning that it establishes minimum security and reporting requirements that Member States must introduce, while granting them leeway to adopt or maintain stricter rules. ENISA, the principal EU agency on NIS, will be tasked with providing recommendations and guidelines on technical issues, for example in relation to security measures and incident reporting, next year and beyond. ENISA’s role and input are likely to be important in avoiding significant variances in practice emerging across the EU.
Although separate from the proposed General Data Protection Regulation (GDPR) and the security and personal data breach notification requirements that it sets out, legislators have indicated that they will try to ensure that requirements to report security incidents under NIS and to notify personal data breaches under the GDPR will be aligned. Negotiations on the GDPR are expected to conclude in the coming weeks, so we will hopefully soon learn more about the interaction between these potentially overlapping security and reporting obligations.