What does the new EU Network Information Security Directive imply?

– By Monika Josi –

EU lawmakers and Member States have reached an agreement on the first EU cyber-security law – the Network and Information Security Directive (NIS Directive). The deal was reached on 7th December in response to increasing worries about cyberattacks resulting in security and privacy breaches. This new law sets out security and reporting obligations for companies in critical sectors such as transport, energy, health and finance, but also mandates what governments need to put in place. Following this political agreement, the text will now have to be formally approved by the European Parliament and the Council before it officially enters into force. Member States will have 21 months to transpose this Directive into their national laws and 6 additional months to identify operators of essential services.

Summary

The EU NIS Directive, together with the new EU data breach regulation (which includes large fines of up to €20m or, in the case of an enterprise, up to 4% of its annual worldwide turnover), will have wide implications for both governments and the private sector companies covered. The requirement to fulfil information security standards and to report incidents will eventually involve not only the industries in scope but, as part of the due diligence process, also their service providers, outsourcers, business partners and consultants, who will have to augment their capabilities regarding information (cyber) security. The directive should further promote the ability to detect an incident and therefore support the shift from a protection-based security concept to a detection- and response-based setup. This will also help CISOs, CIOs and IT security professionals to highlight the importance of cybersecurity, which can however only be achieved from a risk-based approach rather than a compliance angle.

For governments

Develop a national (cyber) strategy

Member states are required to adopt a national strategy that sets out concrete policy and regulatory measures to maintain a level of network and information security. This includes designating a national competent authority for information security and setting up a computer emergency response team (CERT) that is responsible for handling incidents and risks.

Challenges: most EU countries have both a national strategy and CERT(s) in place; however, the maturity varies greatly. This concerns both who is responsible for the implementation of the national strategy (civil government agencies or national security) and which services the CERT offers (proactive and reaching out to the private sector, or response-oriented and government-focused). In particular, the question of who is responsible for the implementation of the national strategy and how the CERT(s) are governed may have an impact on both the national discussion (e.g. the economic impact of requesting the private sector to weaken encryption or to implement backdoors) and the cooperation between EU Member States and agencies. Given that the EU NIS Directive aims at increasing citizens' trust in digital services, it can only be hoped that EU Member States will give priority to this point of view over pure national security concerns.

International cooperation

The competent authorities in EU member states and the European Commission will form a co-operation network to co-ordinate against risks and incidents affecting network and information systems. The network will exchange information between authorities, provide early warnings on information security issues and agree on a coordinated response in accordance with an EU NIS co-operation plan.

Challenges: the aforementioned considerations regarding who owns the national strategy and how the CERT(s) are governed will have a big impact on the effectiveness of this cooperation. In addition, many governments already struggle to make their internal cooperation effective. Unless there is a common consensus on the governance structure, mature EU Member States will keep communicating within their own trusted cooperation network and exclude other EU (or aspiring) Member States.

Minimal technical requirements and use of standards

EU Member States must ensure that public bodies and certain market operators take appropriate technical and organizational measures to manage the security risks of networks and information systems – these must guarantee a level of security appropriate to the risks and should prevent and minimize the impact of security incidents affecting the core services they provide.

Challenges: the EU NIS Directive does not (and does not intend to) set or define these standards, which may lead to some countries taking a very stringent approach while others will be more lenient and hesitant to set strict rules.

For all sectors in scope (public and private)

Requirement of incident notification

Public bodies and selected private sector companies must also notify the competent authority of incidents that have a significant impact on the continuity of these services. The competent authority may decide to inform the public about the incident. The significance of the incident should take into account the number of users affected, the duration of the incident and the geographical spread of the area affected by the incident. Hence, these requirements apply not only to the private sector companies set out in the next paragraph but also to public bodies.

The EU NIS Directive would currently apply to the following private sector industries:

  • Key Internet companies (e.g. large cloud providers, social networks, e-commerce platforms, search engines)
  • Banking sector and stock exchange
  • Energy (e.g. electricity and gas)
  • Transport (operators of air, rail and maritime transport and logistics)
  • Health (e.g. Electronic medical devices and online/electronic personal health and financial information)
  • Public administrations (e.g. eGovernment and eParticipation services)
  • ISPs (already required to provide incident notification under the current EU Telecom Framework Directive)

Challenges: the definition of ‘significant impact’ has been widely discussed and will have to be agreed upon to prevent too few or too many incidents being reported.

In addition, there is still the question of how these incidents will have to be reported: multi-national companies are concerned about the additional burden if incidents have to be reported in 27 EU Member States in different formats. The Commission has promised to develop a common reporting system through the implementing measures for the Directive.


Resources