EU Network and Information Security Directive and its Impact on Online Businesses

Overview
 

The EU Directive on the security of network and information systems (NIS Directive) aims to bolster the security of Europe's critical infrastructure by imposing a minimum level of security for digital technologies, networks and services across all Member States. It also makes it compulsory for certain businesses and organisations to report significant cyber incidents. Certain companies operating in critical sectors such as health, energy and transport, as well as some online businesses like search engines, online marketplaces and cloud computing providers, will be required to satisfy wide-ranging security and incident reporting obligations.
 

Timetable and implementation
 

The NIS Directive came into force in August 2016. Each Member State must implement the NIS Directive into national law by 9 May 2018.

 

The UK government confirmed in its Cyber Security Regulation and Incentives Review in January 2017 that it intends to implement the NIS Directive into UK law despite Brexit.

 

Some Member States already have existing laws concerning the security of their critical infrastructure. For example, in Germany, an existing IT Security Law (Gesetz zur Erhöhung der Sicherheit informationstechnischer Systeme) that pre-dates the NIS Directive partly reflects requirements under the NIS Directive. At the time of writing, the German government has published draft laws to fully implement the NIS Directive. Similarly, France's Military Programming Law, adopted in December 2013, contains measures for the security of "operators of vital important importance" and their critical network and information systems.

 

Who is affected?
 

The NIS Directive applies to (i) operators of essential services and (ii) digital service providers. It does not apply to telecommunications company or payment service providers as they are subject to security and incident reporting obligations under separate legislation. It also does not apply to hardware/software developers or to small/micro-sized digital service providers (as defined in Commission Recommendation 2003/361/EC).

 

Each Member State will be responsible for identifying "operators of essential services" that are in scope. These entities will then be listed in the national laws that implement the NIS Directive. One of the law's purposes is to protect critical infrastructure in the event of a cyber-attack and so it is highly likely that energy suppliers, airports, banks, utility companies and healthcare providers will be considered as operators of essential services. Member States have until November 2018 to identify operators of essential services.

Digital service providers are defined to consist of:

It is likely that all three categories will be interpreted widely.

 

An online marketplace is defined by the NIS Directive as "a digital service that allows consumers and/or traders ... to conclude online sales and service contracts with traders either on the online marketplace's website or on a trader's website that uses computing services provided by the online marketplace." Large players like Amazon and eBay will be caught but, equally, smaller e-commerce stores where consumers can purchase products/services from third party traders may also be subject to the law, unless they benefit from the exemption for "small" or "micro" businesses. Application stores are also deemed to be in scope but price comparison websites are not.

 

An online search engine is defined as a "digital service that allows users to perform searches of in principle all websites or websites in a particular language on the basis of a query on any subject in the form of a keyword, phrase or other input; and returns links in which information related to the requested content can be found." Clearly, the likes of Google and Bing will fall within this definition.

 

A cloud computing service is defined as "a digital service that enables access to a scalable and elastic pool of shareable computing resources." The law's recitals provide brief guidance on the meaning of: "computing resources"; "scalable"; "elastic pool"; and "shareable." However, it remains unclear how this definition will be applied in practice. Put simply, a vast number of online businesses provide cloud computing services (even if they are not the business' primary commercial offering) and thus are likely to fall within this definition.

 

Unlike operators of essential services, the obligation is on online businesses to self-assess whether they are subject to the law's requirements. The security and notification obligations that apply to digital service providers are light touch compared to those that apply to operators of essential services. The obligations on digital service providers are described below.

 

Complying with the NIS Directive's national implementing law
 

Operators of essential services and digital service providers must comply with the national law in the Member State where the operator/provider is established. In this context, establishment means where an entity has an "effective and real exercise of activity through stable arrangements" rather than, for example, the physical location of its network and information systems or location of its legal branch.

 

If a digital service provider is not established in a Member State but still provides services within the EU then it must appoint a "representative." At this stage, there is little guidance on who can perform the role of a representative.

Finally, as a "minimum harmonisation" law, Member States are entitled to adopt laws that achieve a higher level of cyber security than set out in the NIS Directive. For example, some Member States might enact stricter security legislation than others. The national implementations of the NIS Directive represent an additional issue (though clearly not as significant as tax or employment issues) for an online business to consider when deciding upon its EU country of establishment.

 

Dealing with newly established cyber security authorities
 

Online businesses in scope should acquaint themselves with the new authorities/bodies established by the NIS Directive. This is crucial so that a business knows: (i) to which authority incidents should be notified; and (ii) the authority that has the power to sanction non-compliance.

 

The NIS Directive refers to two bodies of importance to online businesses. The first is the national competent authority ("NCA"). An NCA will be formed in each Member State and will be in charge of regulating the law's application at national level. It may be an existing regulator or a new body (the UK Information Commissioner's Office has already made known its reluctance to perform this role). Each NCA will have differing powers in relation to operators of essential services and digital service providers.

 

Unlike with operators of essential services, the NCA will have no general power to regulate the conduct of digital service providers. However, it will be able to take "action" when provided with "evidence" that a digital service provider is failing to comply with the NIS Directive. Such evidence can be provided by the digital service provider itself, a user of its service or another NCA.

 

The "action" that the NCA will be able to take will be to require the digital service provider to remedy any failure to fulfill its security and incident notification requirements. No explanation is provided as to how the NCA will require remedial action to be taken. This, along with other enforcement measures (like fines, undertakings etc.) will be determined by each Member State and then set out in the national law.

 

The second body of importance is the Computer Security Incident Response Team ("CSIRT"). Each Member State will have a CSIRT, which will provide guidance to operators of essential services and digital service providers on cyber security issues as well as cooperate internationally to ensure that cross-border threats are detected and handled. Online businesses may wish to liaise with a CSIRT regarding practical issues/questions relating to incident preparedness.

 

At present, the precise powers and responsibilities of the NCAs and CSIRTs are uncertain. For example, the NIS Directive provides that incident notifications can be made to an NCA, a CSIRT or both. Clearly, this is not ideal since an online business needs certainty on the appropriate notifying body and also to bake this information into its incident handling policies/procedures. Hopefully, this point will be resolved in the implementing acts or national transpositions.

 

Putting in place security measures
 

Online businesses in scope will be required to put in place "appropriate and proportionate technical and organisational measures" to protect NIS. These measures must ensure that digital service providers manage the risks posed to the security of networks and information systems that they use in the provision of their service.

In implementing these security measures, digital service providers must take into account the following elements: (i) security of systems and facilities; (ii) incident management; (iii) business continuity management; (iv) monitoring, auditing and testing; and (v) compliance with international standards.

 

ENISA (the European Agency for Network and Information Security) has published Technical Guidelines for the implementation of minimum security measures for digital service providers.

 

The European Commission will adopt implementing acts that set out in more detail the specifications of the security measures.

 

Developing an effective cyber incident notification process
 

Online businesses in scope will be required to notify any incident having a "substantial impact" to the provision of its digital service. The European Commission will adopt implementing acts on the notification requirement, which is intended to be harmonised across Member States for digital service providers. However, what we know so far is that the notification should be made to the NCA or the CSIRT "without undue delay." The notification should contain information to enable the NCA or the CSIRT to determine the significance of any cross-border impact. After consulting with the digital service provider, the NCA or the CSIRT may choose to publicise the incident in certain circumstances.

 

In order to determine whether the impact is "substantial," the digital service provider should consider the following parameters: (i) the number of users affected by the incident, in particular users relying on the service for the provision of their own services; (ii) the duration of the incident; (iii) the geographical spread with regard to the area affected by the incident; (iv) the extent of the disruption of the functioning of the service; and (v) the extent of the impact on economic and societal activities.

 

No guidance has been provided as to how overlapping notification obligations (e.g. under the NIS Directive and the General Data Protection Regulation) will work in practice. Hopefully this business headache will be resolved in the implementing acts.

 

This is a landmark requirement since digital service providers are not currently obliged to notify data security or cyber security incidents in EU Member States. Therefore, the new law mandates notification (which is voluntary in most Member States) thereby meaning that digital service providers need to take incident handling and notification more seriously than ever before. Online businesses in scope should formulate and agree upon incident handling and notification policies and procedures to ensure they are ready to deal with likely incidents and mitigate commercial, reputational and regulatory risks.

 

Conclusion
 

For those businesses that fall under its scope, such as search engines and cloud computing providers, the NIS Directive will mean that incident handling and notification will take on a more serious role than previously, and numerous security obligations will need to be satisfied.

Additional Resources
 

Commission Implementing Decision (EU) 2017/179 of 1 February 2017 laying down procedural arrangements necessary for the functioning of the Cooperation Group pursuant to Article 11(5) of the Directive (EU) 2016/1148 of the European Parliament and of the Council concerning measures for a high common level of security of network and information systems across the Union

France: The French Critical Infrastructures Information Protection framework (2013) published by the Agence nationale de la sécurité des systémes d'information (ANSSI)