Agreement reached on EU NIS Directive
A first analysis of the security and incident notification requirements for Operators of Essential Services and Digital Service Providers
The Network and Information Security (NIS) Directive aims to achieve a high common level of security of networks and information systems within the European Union. After more than two years of negotiation, the European Council reached an informal agreement with the Parliament on December 7th 2015, and the agreed final compromise text was approved by the Member States (MS) December 18th 2015.
About the NIS Directive
The NIS Directive establishes security and notification requirements for Operators of Essential Services (OoES) such as banking, energy, transport, financial market infrastructure, health, drinking water, digital infrastructure; and Digital Service Providers (DSP), including online marketplaces, online search engines and cloud services.
In addition, the NIS Directive lays down specific obligations for MSs of the EU to adopt a national NIS strategy, to designate National Competent Authorities (NCA), Single Points of Contact (SPoC) and specific NIS tasks to Computer Security Incident Response Teams (CSIRT).
Furthermore, it creates a cooperation group in order to develop trust amongst MSs and facilitate strategic cybersecurity information sharing. In parallel, it creates a CSIRTs network to build confidence amongst MSs to boost operational cybersecurity cooperation.
What are Operators of Essential Services and Digital Service Providers?
An Operator of Essential Service is a public or private entity, which provides an essential service for the maintenance of critical societal and/or economic activities, depends on networks and information systems, and for which an impact on these systems would produce “significant disruptive effects” on its ability to provide its service. In line with these criteria, MSs will have to identify such OoESs from the sectors and subsectors depicted below.
A Digital Service means a service offered at a distance by electronic means at the request of an individual recipient of services (Article 1b of Directive 2015/1535) or of businesses at large, meaning Online Marketplaces, Online Search Engines or Cloud Computing Services.
Some sectors are already regulated or may be regulated in the future by sector-specific EU legal acts that include rules related to the security of networks and information systems. Whenever those acts impose requirements, their provisions will take precedence over the corresponding provisions of the NIS Directive, so long as they are at least equivalent in effect to the obligations in the NIS Directive.
What security and incident notification requirements will apply to Operators of Essential Services and Digital Service Providers?
Both OoES and DSPs will have to ensure the security of their networks and systems to promote a culture of risk management and ensure that serious incidents are reported to NCA or CSIRT. These would include primarily private networks, and systems for which security is managed either by internal IT staff or by outsourced staff.
The tables below summarise the requirements from the final compromise text of the NIS Directive.
| Security requirements | Operators of Essential Services? | Digital Service Providers? |
|---|---|---|
| A. Take technical and organisational measures to manage the risks posed to the security of networks and information systems. | Yes | Yes (partially) |
| B. Provide information needed to assess the security of networks and information systems, including security policies. | Yes | Yes |
| C. Provide evidence of effective implementation of security policies, such as the results of security audits. | Yes | No |
| D. Execute binding instructions received by the NCA to remedy their operations. | Yes | No |
| E. Remedy any failure to fulfil the requirements set out in the NIS Directive. | No | Yes |
| F. Designate a representative in the EU when not established in the EU, but offering services within the EU. | No | Yes |
In the case of DSPs the first 5 requirements listed above do not apply to micro- and small enterprises as defined in the Commission Recommendation of 6 May 2003. Therefore, DSPs with fewer than 50 employees and whose annual turnover and/or annual balance sheet total does not exceed 10 million EUR are exempt from taking security measures and notifying incidents.
| Incident notification requirements | Operators of Essential Services? | Digital Service Providers? |
|---|---|---|
| A. Notify any incident having a “significant” or “substantial” impact to the NCA or to the CSIRT without undue delay. | Yes | Yes |
| B. Notify the impact of an incident if the OoES relies on a third-party DSP. | Yes | No |
| C. Inform the public about individual incidents if required by the notified competent authority or CSIRT. | No | Yes |
What is next?
Once the agreed text has undergone technical finalization, it should be formally approved first by the Council and then by the Parliament. The procedure is expected to be concluded in spring 2016.
After the Directive has entered into force, MSs will have 21 months to transpose the Directive into national law. After this period, they will have another 6 months to identify the essential services operators established in their territory which are to be covered by the directive.
| Timing | Milestone |
|---|---|
| Spring 2016 | Formal approval first by the Council and then by the Parliament. |
| Q2 2016 | Expected publication in the Official Journal of the European Communities. |
| Q4 2016 | Member States to ensure representation in the Cooperation Group and the CSIRTs Network. |
| Q2 2018 | Deadline for the transposition into national law. |
| Q4 2018 | Deadline for Member States to identify the Operators of Essential Services with an establishment on their territory for each subsector. |