The NIS Directive – new cybersecurity requirements imposed on entities from the essential sectors of the economy
Legal Alert 1/2017 | 1 February 2017
Entities operating in the essential sectors of the economy, including banks, digital infrastructure providers, Internet providers, power and transport companies as well as entities from the healthcare sector will have to place a greater focus on the issue of cybersecurity in their business.
This follows from the regulations of the NIS Directive (Network and Information Systems Directive – Directive 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union).
Obligations under the NIS Directive
Under the NIS Directive the member states are required to adopt regulations that will ensure a high level of security of network and information systems across the Union, specifically:
- the introduction of cybersecurity procedures and the obligation of notification of incidents for business entities operating in the essential sectors of the economy;
- the imposition of specific cybersecurity requirements for business entities operating in the essential sectors of the economy;
- the adoption of a national strategy for the security of network and information systems;
- the creation of a network of Computer Security Incident Response Teams (‘CSIRTs’);
- the creation of a special group to facilitate strategic cooperation and the exchange of information, especially as cybersecurity incidents frequently affect several states at the same time.
Who will have to satisfy the cybersecurity requirements?
The new regulations will be addressed to two groups of entities:
- the so called "operators of essential services"
These include business entities operating in such sectors as banking, financial market infrastructures (along with operators of trading venues as defined in MiFID II and central counterparties as defined in EMIR), digital infrastructure, energy, transport or healthcare.
The member states are required to compile, on their own, lists of the operators of essential services in the aforesaid sectors, considering a number of factors, such as the importance of each operator to the activities of the sector or the provision of essential services, its market share, links with other essential sectors or dependency of the provision of a service on information systems.
- digital service providers
The obligations to ensure an appropriate level of cybersecurity and to notify incidents important from the point of view of cybersecurity will also have to be fulfilled by some digital service providers, namely providers of: online marketplaces, cloud computing services and online search engines. The NIS obligations should not apply to micro and small enterprises.
The legal framework for cybersecurity in Poland
The NIS Directive is general and imposes an obligation on the member states to implement appropriate specific mechanisms at the national level. Therefore, it may turn out that the method of its implementation to the national legal frameworks will differ and business entities operating in different countries will be subject to different obligations.
In those sectors which are subject to strong regulation at present, including the financial industry, where network and information system security regulations are already in place, the differences may be less considerable. However, the accomplishment of the objective to ensure a higher level of cybersecurity in critical sectors will undoubtedly depend heavily on the quality of domestic laws as well as identification of specific security measures, classification of incidents and the oversight framework.
The Ministry of Digital Affairs has already begun work on the national cybersecurity system, which is expected to implement the NIS Directive. Additionally, the National Cybersecurity Center has been established. It will assume responsibility for cybersecurity in Poland and work 24/7. It is supposed to be an early warning center and respond quickly to potential attacks, in addition to coordinating tasks and exchanging information.