On December 7th, members of the European Parliament (MEPs) and the Luxembourg Presidency of the EU Council of Ministers provisionally agreed to the text of the long-awaited network and information security directive, also known as the cybersecurity directive (Directive).
While the text of the proposed Directive has yet to be released publicly, press releases indicate that the Directive will introduce new requirements for certain organizations to implement security measures to protect against cyber security attacks. Organizations caught by the Directive will also be required to report security breaches to the national authorities – a requirement currently imposed only upon telecommunications operators.
In addition, member states will be required to adopt cybersecurity policies and to designate a national authority for the implementation and enforcement of the Directive. Many countries, including the UK, have already introduced Computer Emergency Response Teams (CERTs) to manage and prepare for cyber security incidents. The Directive also aims to encourage cooperation between competent authorities to enable coordinated information exchanges and detection/response plans.
These requirements come as part of the broader EU cyber security strategy introduced in 2013 when the Directive was first proposed. The aim of the strategy is to ensure that critical businesses meet minimum standards for network and information security and to encourage member states to coordinate regarding their cyber defense efforts.
Who does it apply to?
The European Parliament has announced that the Directive will apply both to “operators of essential services”, such as those operating in the fields of energy, transport, banking, financial markets, health and water supply, and to “some internet service providers”, such as those hosting online marketplaces (specifically naming eBay and Amazon), search engines and cloud service providers. Notably absent from this list are “social networks,” such as Facebook, and “application stores”, which do not appear to be caught by the current version of the Directive but were mentioned in an earlier draft.
One of the most debated topics is which businesses will be caught by the Directive’s obligations and whether internet service providers will be subject to the same requirements as those providing critical infrastructure services. Internet service providers such as Google and Cisco have lobbied to be left out of the Directive, stating that they do not provide critical services to society and hoping to avoid the extra security compliance costs likely to be incurred following the implementation of the Directive.
Following a breakthrough in the negotiations in June 2015, a two-tier approach towards compliance was agreed: those companies providing digital services would be subject to a different, less onerous “light touch” set of requirements than those providing essential services such as in the banking, energy and transport fields. Micro and small digital companies will be exempt from compliance with the Directive.
What’s the concern?
The statistics about cybersecurity breaches are often staggering. PwC, in connection with the Department of Business, Innovation and Skills (BIS), conducted a survey of businesses in 2014 and found that 73% of large organisations and 45% of small ones had suffered a security breach resulting from an infection by viruses or malicious software in the last year. However, there is currently little open discussion about breaches, given the vast numbers of businesses that claim in surveys, such as the PwC report above, to be affected. One of the aims of the Directive is to mandate reporting of any security incidents having a significant impact on critical services (including the number of users affected, the duration of the incident, etc.) to the dedicated national CERTs, with the hope that sharing this information will enable organizations to improve their security and work together to mitigate the impact of attacks. Earlier drafts have proposed the definition of “incident having a significant impact” to mean “an incident affecting the security and continuity of an information network or system that leads to the major disruption of vital economic or societal functions.”
What does it mean for businesses?
Whilst the agreed draft will not be released until December 18, 2015, it is clear that businesses providing critical services and some internet service providers will be required to meet a minimum standard of protection to defend against cyber-attacks. Businesses captured by the Directive will also be required to report security breaches to the national authority. The reporting obligation will apply in addition to similar data breach notification obligations under applicable data protection laws.
We expect more details of the requirements for businesses to emerge following publication of the agreed text and specifics to be negotiated following the implementation of the Directive into local law. Earlier drafts indicate that member states will be required to determine which measures businesses will need to adopt to ensure that they “take appropriate and proportionate technical and organizational measures to detect and effectively manage the risks posed to the security of the networks and information systems which they control and use in their operations… those measures shall ensure a level of security appropriate to the risk presented.” This is a similarly vague statement to that contained in the European Data Protection Directive.
Next steps
The Directive is not likely to be effective for another two years. The Luxembourg Presidency have announced that their aim is for the agreed text to be presented to the Council Committee of Permanent Representatives for approval by 18 December 2015. The text will also need to be formally approved by the European Parliament’s Internal Market Committee. To conclude the procedure, formal adoption by both the Council and the Parliament is required. Following publication in the EU Official Journal, the Directive will officially enter into force, allowing member states 21 months to implement the legislation into local law and six more months to identify the operators of essential services who will be subject to the more onerous security requirements.
We will provide further details once the final text of the Directive is published.