On July 6, 2016, the European Parliament adopted the first-ever pan-European law on cyber security. The law, entitled the "Directive on the Security of Network and Information Systems" (NIS Directive), imposes security requirements and security incident notification obligations on digital service providers and operators of essential services.
Background
The NIS Directive was enacted as part of the European Commission's broader initiative to strengthen cyber security capabilities in the EU[1] and will take effect in August 2016 (20 days after its publication in the EU Official Journal). However, like all EU Directives, it must be implemented into national law to be fully effective. EU member states will have 21 months to implement the NIS Directive into their national laws. As a result, businesses should expect the rules to come into final force no later than May 2018.
Who Is Affected?
The NIS Directive affects two categories of companies:
- Digital service providers. The NIS Directive applies to providers of digital services (such as online search engines, cloud computing providers, and online marketplaces) as soon as they offer their services or establish a presence in the EU. As a result, it can apply to U.S. digital service providers that have no physical establishment in the EU. However, the NIS Directive does not apply to digital service providers that are "micro and small enterprises" under EU law.[2]
- Operators of essential services (OES). The NIS Directive also applies to companies that provide a service that is essential for the maintenance of critical societal or economic activities and that depends on network and information systems. It specifies the types of entities that offer such services by sector: energy (e.g., gas and electricity suppliers), transport (e.g., airlines), banking (e.g., credit institutions), financial market infrastructures (e.g., operators of trading venues), health (e.g., health care providers), drinking water supply and distribution, and digital infrastructures (i.e., Internet exchange points, DNS service providers, top-level domain name registries). National laws will explicitly list the businesses that must be considered OES.
Security Requirements to Protect Against Cyber Security Risks
The NIS Directive requires OES and digital service providers to take appropriate and proportionate technical and organizational measures to protect their network and information systems from security threats. It does not mandate any specific types of security measures, but requires the implementation of security measures that are appropriate to the risks having regard to the state of the art and taking into account: (i) the security of the systems and facilities; (ii) incident handling; (iii) business continuity management; (iv) monitoring, auditing, and testing; and (v) compliance with international standards.
Security Incident Notification Obligation
- Security incident. The NIS Directive defines a security incident as "any event having an actual adverse effect on the security of network and information systems."[3]
- Obligation to notify the regulator. Digital service providers and OES must notify the regulator (not individuals) of any incident that has: (i) a significant impact on the continuity of essential services; or (ii) a substantial impact on the provision of digital services.
- What is a "significant" or "substantial" impact? The NIS Directive lists criteria to assess whether to notify an incident (e.g., number of users affected, duration and geographical spread of the incident, extent of the disruption of the functioning of the service, impact on economic and societal activities). National regulators and the EU Commission will further specify the threshold for notification.
- Timing. Companies must notify the regulator without undue delay.
- Competent regulator. National laws will determine the regulator competent to receive security incident notifications. When the incident involves personal data, the regulator should coordinate with the data protection regulator.
- Informing the public. The NIS Directive does not require notifying individuals. However, if publicity is in the public interest or is needed to prevent or mitigate the security incident, the regulator may decide to publicize the incident. The company must be consulted on this decision, and the regulator should take into account the potential reputational and commercial damage caused by the disclosure.
- Overlap with the EU General Data Protection Regulation (GDPR). The NIS Directive and the GDPR (which will enter into final force on May 25, 2018) have different scopes of application, but will overlap when a security incident involves personal data. In that situation, companies will have to comply with both the NIS incident notification obligation and the GDPR personal data breach notification requirement.
Next Steps and How to Prepare for the NIS Directive
The NIS Directive introduces new security requirements and a security incident notification obligation for OES and digital service providers established in or offering their services within the EU. The NIS Directive now needs to be implemented into EU member states' national law, which may introduce local deviations or stricter rules. Companies should monitor the implementation of the NIS Directive into national laws, review whether the new rules apply to their business, and consider whether to incorporate the new rules into their incident response or data breach response plan.