NIS Directive - First cybersecurity law in Luxembourg is coming
Introducing security and incident notification requirements for operators of essential services and digital service providers
Directive (EU) 2016/1148 (hereafter ‘the NIS Directive’) entered into force in 2016 and had to be transposed by the Member States into national law by 9 May 2018. The aim of the NIS Directive is to achieve a high, common level of network and information security across the EU. It establishes security and incident notification requirements for Operators of Essential Services (OES) in critical sectors such as banking and financial market infrastructure, and for Digital Service Providers (DSPs), including online marketplaces, search engines and cloud services. The Directive lays down obligations for the Member States of the EU. In addition, it creates a Cooperation Group to facilitate strategic cybersecurity information sharing, and it establishes a CSIRTs network to boost operational cybersecurity cooperation.
On 3 October 2018, the Luxembourg government issued the coordinated text of the draft law implementing the NIS Directive into national law (hereafter ‘the draft law’), modifying the law of 23 July 2016 creating the Haut-Commissariat à la Protection Nationale, as well as the modified law of 20 April 2009 creating the Centre de Technologies de l'Information de l'Etat.
This article is mainly intended for Operators of Essential Services (OES) and for Digital Service Providers (DSPs) operating in Luxembourg and will cover the following key questions:
- Which authorities have been designated in Luxembourg?
- Which security requirements will apply to OES and DSPs in Luxembourg?
- Which incident notification requirements will be applicable to OES and DSPs in Luxembourg?
- What are the sanctions for non-compliance with the obligations?
- What are the next steps?
Which security requirements will apply to OES and DSPs in Luxembourg?
According to Recital 4 of the NIS Directive, both Operators of Essential Services (OES) and Digital Service Providers (DSPs) shall ensure the security of their networks and systems to promote a culture of risk management. The security requirements laid down by the draft law for OES and DSPs are largely based on those set by the NIS Directive. The table below lists the security requirements as reflected in Chapters III and IV of the draft law, and clarifies whether each requirement applies to OES, to DSPs or to both.
| | Security requirement |
|---|---|
| A. | Take technical and organisational measures to manage the risks posed to the security of networks and information systems [Art. 8 (1), Art. 11 (1)]. |
| B. | Provide to the NCAs the information needed to assess the security of networks and information systems, including security policies [Art. 9 (1) para 1, Art. 12 (1) para 1]. |
| C. | Provide to the NCAs evidence of the effective implementation of security policies, such as the results of security audits [Art. 8 (1) para 2]. |
| D. | Provide to the NCAs any information needed to verify the effective implementation of security policies [Art. 8 (1) para 3, Art. 11 (1) para 3]. |
| E. | Remedy any failure to meet the security requirements; follow the binding instructions to remedy the deficiencies identified [Art. 9 (2)]. |
| F. | Remedy any failure to meet the security requirements [Art. 11 (1) para 2]. |
| G. | Designate a representative in the EU when not established in the EU but offering services within the EU [Art. 9 (1)]. |
Which incident notification requirements will be applicable to OES and DSPs in Luxembourg?
The figure below shows the actors and their activities related to incident notification.
Figure 4 - Activities related to incident notification in Luxembourg
The table below lists the requirements corresponding to the arrows in the figure above.
| | Incident notification requirements |
|---|---|
| 1a. | OES shall notify incidents to the ILR or the CSSF when they have a significant impact on the continuity of the essential services provided, including where the impact is due to reliance on a third-party DSP [Art. 8 (4) and Art. 11 (5)]. |
| 1b. | The ILR or the CSSF shall transmit incident notifications to the relevant CSIRTs [Art. 8 (4)]. |
| 2. | DSPs shall notify incidents that have a substantial impact [Art. 11 (3)]. |
| 3. | GOVCERT and CIRCL shall send a report once a year to the ILR (SPOC) [Art. 11 (7)]. |
| 4. | The ILR or the CSSF may request the OES to inform the public about an incident [Art. 8 (8)]. |
| 5. | Remedy any failure to meet the security requirements [Art. 11 (1) para 2]. |
| 6. | The ILR, the CSSF, GOVCERT, CIRCL, or the authorities or the CSIRTs of other Member States concerned may inform the public about an incident [Art. 8 (8), Art. 11]. |
| 7. | The ILR, the CSSF, GOVCERT and CIRCL shall consult and cooperate with the CNPD in case of a violation related to personal data [Art. 8 (3)]. |
| 8. | The ILR, the CSSF, GOVCERT or CIRCL shall inform other affected Member States of incidents [Art. 8 (6), Art. 11 (3)]. |

Note: Under Art. 8 (8) and Art. 11 (8), the NCAs or CSIRTs may compel both OES and DSPs to inform the public about an incident that has occurred. This means an entity can be obliged to disclose information about an incident even when doing so is contrary to its interests or its position on the market. However, the draft law does acknowledge that making such information public should reflect a compromise between the public's right to be informed of threats and the possible commercial consequences.
Conclusion and next steps
The final version of the draft will only become law after its promulgation by the Grand Duke and its publication in the Mémorial, the official journal of the Grand Duchy of Luxembourg. The final law transposing the NIS Directive could therefore be expected by the end of 2018.
By 9 November 2018, Luxembourg, as a Member State, will have to identify a list of Operators of Essential Services with an establishment on its territory for each subsector. In addition, further clarification of “undue delay” and of other details of the incident notification procedures is to be provided by the ILR or the CSSF under Art. 8 (3) and Art. 8 (5). More information is also expected concerning the unified notification platform that entities are intended to use to notify incidents directly, in line with Art. 8 and Art. 11 of the draft law.