Cyber security is one of the biggest issues currently facing governments and businesses in the EU and globally. In response to this, the European Parliament adopted a proposal for a Network and Information Security Directive (NIS Directive) in March 2014.
The directive, which was originally proposed by the European Commission in 2013, is part of the European Union’s cyber security strategy aimed at tackling network and information security incidents and risks across the EU.
According to the commission’s consultation, 57% of respondents had experienced information security incidents over the previous year, while the UK government recently rated cyber security as a Tier 1 threat to national security along with terrorism.
The NIS Directive will now need to be agreed with the EU’s Council of Ministers and may be adopted in 2015 along with the proposed EU data protection regulation. Together, they will impose minimum information security requirements and many new measures related to use of personal data.
The five main elements of the proposed NIS Directive are listed below.
New national strategy
Member states are required to adopt a national strategy that sets out concrete policy and regulatory measures to maintain a level of network and information security. This includes designating a national competent authority for information security and setting up a computer emergency response team (CERT) that is responsible for handling incidents and risks.
The UK, for example, has been active in developing its UK cyber security strategy, which has seen the introduction of the Ten steps to cyber security guide, the cyber security information sharing partnership (CISP) and the recent cyber essentials scheme, which involves voluntary cyber certifications for businesses.
The UK has also launched its first national computer emergency response team, CERT-UK, which will be tasked with liaising with UK businesses and other national CERTs – including those in financial services and education – on cyber security issues, particularly those relating to national infrastructure.
Co-operation network
The competent authorities in EU member states and the European Commission will form a co-operation network to co-ordinate against risks and incidents affecting network and information systems. The network will exchange information between authorities, provide early warnings on information security issues and agree on a co-ordinated response in accordance with an EU NIS co-operation plan.
Security requirements and incident notification
A key element of the directive is that member states must ensure public bodies and certain market operators take appropriate technical and organisational measures to manage the security risks to networks and information systems – these must guarantee a level of security appropriate to the risks and should prevent and minimise the impact of security incidents affecting the core services they provide.
Public bodies and market operators must also notify the competent authority of incidents that have a significant impact on the continuity of these services.
The competent authority may decide to inform the public of the incident. According to amendments by the European Parliament, the significance of the incident should take into account:
- The number of users affected;
- The duration of the incident;
- The geographic spread of the area affected by the incident.
There has been a lot of discussion over who should be included as a market operator.
The commission’s draft of the NIS Directive defines market operators to include information service providers – internet payment gateways, social networks, search engines, cloud computing providers and app stores – and operators of critical infrastructure, such as electricity and gas suppliers, operators of oil and natural gas, air carriers, maritime carriers, railways, airports and ports, traffic management operators, banks, financial market infrastructure and health care providers.
In the end, the European Parliament decided that including information service providers in the scope of the NIS Directive was “disproportionate and unmanageable” and that the requirement to report incidents should be limited to critical infrastructure operators. Despite these amendments, market operators not within scope can still report incidents voluntarily.
Where the security incident involves personal data, there may be a requirement to notify data protection authorities and individuals affected either under existing EU data protection laws or under the proposed EU data protection regulation which may be adopted in 2015.
Use of standards
Member states are encouraged to use NIS standards for the implementation of the security requirements on market operators and the European Commission has been given responsibility to draft these standards.
Enforcement
The competent authorities in each member state are to be given powers to investigate non-compliance with the NIS Directive by public bodies and market operators, including by requiring them to undergo a security audit. The competent authorities may also report criminal incidents to law enforcement authorities and work with data protection authorities where incidents involve personal data.
Together with the proposed EU data protection regulation, the NIS Directive, once adopted, will have an important impact on many public bodies and businesses. For the first time in the EU, there will be an information security regulatory framework with national authorities and European-wide information security standards.
The NIS Directive will also require many businesses to apply procedures that demonstrate effective use of security policies and measures. Failure to do so may result not only in loss of customer trust and damage to reputation, but also in breaches of European data protection and information security requirements and in enforcement action.
William Long is a partner at law firm Sidley Austin.