Agreement reached on new EU Network Information Security (NIS) Directive
A first analysis of the impact of security and incident notification requirements for Operators of Essential Services and Digital Service Providers
The Network and Information Security Directive aims to achieve a high common level of security of networks and information systems within the European Union. After more than two years of negotiations, the European Council reached an informal agreement with the Parliament on 7 December 2015, and the agreed final compromise text was approved by the Member States (MS) on 18 December 2015.
About the NIS Directive
The NIS Directive establishes security and notification requirements for Operators of Essential Services (OoES) such as banking, energy, transport, financial market infrastructure, health, drinking water and digital infrastructure; and Digital Service Providers (DSP) that include online marketplaces, online search engines and cloud services.
In addition, the NIS Directive lays down specific obligations for Member States of the EU to adopt a national NIS strategy, to designate National Competent Authorities (NCA), Single Points of Contact (SPoC) and Computer Security Incident Response Teams (CSIRT) with NIS tasks.
Furthermore, it creates a cooperation group in order to facilitate strategic cybersecurity cooperation and information sharing among Member States and further develop trust amongst them. In parallel, the Directive creates a CSIRTs network to build confidence between Member States and to boost operational cybersecurity cooperation.
What are Operators of Essential Services and Digital Service Providers?
Operator of an Essential Service
An Operator of an Essential Service is a public or private entity that provides an essential service for the maintenance of critical societal and/or economic activities, depends on network and information systems and for which an impact on its network and information systems would produce “significant disruptive effects” on the provision of the service. In line with these criteria, Member States will have to identify such Operators of Essential Services from the sectors and subsectors depicted below.
A Digital Service means a service offered at a distance by electronic means at the individual request of a recipient of services (Article 1b of Directive 2015/1535) or to businesses at large which are Online Marketplaces, Online Search Engines or Cloud Computing Services.
Some sectors are already regulated or may be regulated in the future by sector-specific EU legal acts that include rules related to the security of networks and information systems. Whenever those acts impose requirements, these provisions should apply instead of the corresponding provisions of the NIS Directive if they are at least equivalent in effect to the obligations in the NIS Directive.
What security and incident notification requirements will apply to essential service operators and digital service providers?
Both Operators of Essential Services and Digital Service Providers will have to ensure the security of their networks and systems to promote a culture of risk management and ensure that serious incidents are reported to NCA or CSIRT. These would include primarily private networks and systems managed either by internal IT staff or the security provider to which has been outsourced.
The tables below summarise the requirements from the final compromise text of the NIS Directive.
In the case of Digital Service Providers the first 5 requirements listed above do not apply to micro- and small enterprises as defined in the Commission Recommendation of 6 May 2003. Therefore, Digital Service Providers with less than 50 employees and whose annual turnover and/or annual balance sheet total does not exceed EUR 10 million are exempt from taking security measures and notifying incidents.
1. Will only apply where the Digital Service Provider has access to the information required to appreciate if the criteria are fulfilled.
2. Where an operator of essential services relies on a third-party digital service provider for the provision of a service which is essential for the maintenance of critical societal and economic activities any significant impact on the continuity of the essential services due to an incident affecting the digital service provider will still have to be notified.
Details of technical and organisational measures
Using a risk based approach, for Digital Service Providers only, security measures will have to take into account the following elements: the security of systems and facilities; incident management; business continuity management; monitoring, auditing and testing and compliance with international standards.
National Competent Authorities (NCAs) will have the powers to require both Operators of Essential Services and Digital Service Providers to provide information needed to assess the security of their networks and information systems, including documented security policies. In addition, NCAs will require only operators of essential services to provide evidence of effective implementation of security policies, such as the results of a security audit carried out by the competent authority or a qualified auditor. These operators will also have to execute binding instructions received by the competent authority to remedy less secure operations while digital service providers will have to remedy any failure to fulfil the requirements as required by the competent authority.
Digital Service Providers that are not established in the EU, but offer services within the EU, will have to designate a representative established in one of the Member States where the services are offered and will be deemed to be under the jurisdiction of that Member State.
Details of incident notification requirements
Operators of Essential Services will have to notify National Competent Authorities or CSIRT whenever there is a “significant” impact on the provision of the operator’s service. The “significance” of an incident will be mainly determined by the number of users affected by the disruption; the duration of the incident; and the geographical spread with regard to the area affected by the incident.
Digital Service Providers will have to notify any incident having a “substantial” impact on the provision of a service. The “substantiality” of an incident will be determined by the same criteria as for Operators of Essential Services and in addition the extent of the disruption of the functioning of the service and the extent of the impact on economic and societal activities.
This incident notification requirement will be stronger for Operators of Essential Services than for Digital Service Providers as the obligation to notify an incident will only apply where the Digital Service Provider has access to the information required to appreciate if the criteria are fulfilled.
Besides notification of incidents, the NIS Directive foresees, under specific conditions, the obligation to inform affected Member States and, to a certain extent, the public. Therefore, in the case of Operators of Essential Services, the notified NCA or CSIRT will be required to inform affected Member State(s) in case of significant impact on the continuity of the essential services. Informing the public by the notified NCA or CSIRT about individual incidents is set as an option as it may be decided where public awareness is necessary to prevent an incident or to deal with ongoing incident and only after consultation of the concerned Operator of Essential Services.
Regarding Digital Service Providers, the notified NCA or the CSIRT will be required to inform other affected Member States. The NIS Directive further details this requirement by stating that information is particularly deemed appropriate where the incident concerns two or more Member States. In any case, security and commercial interests of the Digital Service Provider and the confidentiality of the information provided should be preserved. An obligation to inform the public is foreseen as well where public awareness is necessary to prevent an incident or to deal with an ongoing incident. What differs from requirements applicable to operators of essential services is that information may be decided where disclosure of the incident is otherwise in the public interest. Information can be done not only by the NCA or CSIRT but also, where appropriate, by the authorities or CSIRTs of other Member States concerned and even by the Digital Service Provider itself if so required. Like in the case of Operators of Essential Services, Digital Service Providers will be consulted.
Implications for Member States
Obligations imposed on Member States
Member States will be required to adopt a national NIS strategy defining the strategic objectives and appropriate policy and regulatory measures in relation to cybersecurity and covering essential sectors. This will include setting up a governance framework including roles and responsibilities of the governmental bodies and relevant actors; the identification of measures on preparedness, response and recovery, including cooperation between the public and private sectors; awareness raising and training programs; and research and development plans relating to the NIS strategy.
Member States will also be required to designate a National Competent Authority for the implementation and enforcement of the NIS Directive at national level. These NCAs will consult and cooperate with the national Law Enforcement Authorities (LEA) and national Data Protection Authorities (DPA). In addition, each Member State will have to designate a national Single Point of Contact (SPoC) on NIS which will liaise to ensure cross-border cooperation of Member State authorities and with the cooperation group and the CSIRTs network. Once a year, the SPOC will submit a summary report to the cooperation group on the incident notifications received.
Each Member State will have to designate one or more Computer Security Incident Response Teams (CSIRTs) responsible for handling incidents and risks covering at least the sectors in scope of the Directive. Tasks of the CSIRT shall include the monitoring of incidents at a national level; the provision of early warning, alerts, and dissemination of information to relevant stakeholders about cyber risks and incidents; responding to incidents; providing risk and incident analysis and situational awareness; and participation in the CSIRT network. In addition, the CSIRT will have to promote the adoption and use of common or standardised practices for incident and risk handling procedures including information classification schemes.
Cooperation between Member States
The NIS Directive will set up a strategic cooperation group to among others draw up strategic guidelines for the activities of the CSIRT network and discuss capabilities and preparedness of Member States. This group will be composed of representatives from the Member States, the Commission and the European Union Agency for Network and Information Security (ENISA) while representatives from relevant stakeholders will also be allowed to be invited for participation. The Commission will provide the secretariat for this group.
In addition, at operational level a network of Computer Security Incidents Response Teams (CSIRTs) will be assigned multiple tasks including supporting Member States in addressing cross-border incidents; exchanging best practices on the exchange of information related to incident notification and assisting Member States in building capacity in NIS. This network will be composed of representatives of the Member States’ CSIRTs and CERT-EU while the Commission will participate as an observer. ENISA will provide the secretariat for the CSIRTs Network and will be encouraged to maintain a website with general information on major NIS incidents occurring across the Union.
What is next?
Once the agreed text will have undergone technical finalisation, it should be formally approved first by the Council and then by the Parliament. The procedure is expected to be concluded in spring 2016.
After the Directive has entered into force, Member States will have 21 months to transpose the Directive into national law. After this period, they will have another 6 months to identify the essential services operators established in their territory which are to be covered by the Directive.
|Spring 2016||Formal approval first by the Council and by the Parliament.|
|Q2 2016||Expected publication in the Official Journal of the European Communities.|
|Q4 2016||Member States to ensure representation in the Cooperation Group and the CSIRTs Network.|
|Q2 2018||Deadline for the transposition into national law.|
|Q4 2018||Deadline for Member States to identify the Operators of Essential Services with an establishment on their territory for each subsector.|