New EU Cybersecurity Requirements Soon to Fall on “Essential Services” Operators
On 17 May 2016, the Council of the European Union formally adopted the Network and Information Security (NIS) Directive at first reading, paving the way for its final adoption and entry into force in August 2016.
What is the NIS Directive?
The Directive aims to step up the security of network and information systems across the EU. Initially proposed in 2013, it has been working its way through the EU legislative procedure since then. Its stated aims are to:
Improve the cybersecurity capabilities of Member States;
Improve cooperation between Member States on the issue of cybersecurity;
Ensure that operators of essential services in “critical sectors”, such as banking, health, energy and transport, and key digital service providers, such as online marketplaces, search engines and cloud services, take appropriate security measures and report cybersecurity incidents to the relevant national authorities;
Ensure that each EU country designates one or more national authorities to implement and enforce the Directive and create Computer Security Incident Response Teams (CSIRTs) responsible for monitoring and responding to security incidents at national level; and
Establish an EU-wide strategy for dealing with cyber threats.
Who is subject to the NIS Directive?
The NIS Directive applies to two categories of service providers: operators of essential services and digital service providers.
(i) Operators of essential services
A company is an operator of essential services if:
It provides a service which is essential for the maintenance of critical societal and/or economic activities;
The provision of that service depends on network and information systems; and
An incident affecting the network and information systems of that service would have a significant disruptive effect on its provision or on public safety.
The NIS Directive will require operators of essential services in the energy (electricity, oil and gas), transport (air, rail and roads), banking and healthcare sectors to take security measures and report cyberattack incidents to national authorities.
(ii) Digital service providers
The NIS Directive applies to three main categories of digital service providers: online marketplaces, online search engines and cloud computing services. Whether or not to include digital service providers within the scope of the Directive was one of the most contentious issues during the two years of negotiations around the Directive. Following lengthy negotiations, social networks and payment service providers were excluded.
An “online marketplace” is defined as “a digital service that allows consumers and/or traders…to conclude online sales and service contracts with traders either on the online marketplace’s website or on a trader’s website that uses computing services provided by the online marketplace.” This broad definition includes marketplaces that engage in B2C as well as B2B transactions. Whilst app stores are deemed to be in scope, price-comparison websites are not.
An “online search engine” is defined as “a digital service that allows users to perform searches of, in principle, all websites or websites in a particular language on the basis of a query on any subject in the form of a keyword, phrase or other input; and returns links in which information related to the requested content can be found.” However, the NIS Directive does clarify that search functions within a particular site will not be subject to the Directive.
A “cloud computing service” is widely defined as a “digital service that enables access to a scalable and elastic pool of sharable computing resources.” This could catch companies providing public, private and hybrid cloud services.
What are the sanctions for non-compliance with the NIS Directive?
Failure to comply with the NIS Directive will trigger substantial penalties for the most serious infringements: up to 2% of a company’s global turnover. Businesses within the scope of the Directive must conduct internal audits to ensure that their network and information security practices are compliant with the new requirements, well documented and effective.
What are the next steps?
The NIS Directive must now be approved by the European Parliament. It is expected to come into force in August 2016. Thereafter, Member States will have 21 months to transpose the Directive into national law, and six months after that to identify operators of essential services.
This post was also written by Oliver Bartholomew.