European lawmakers capped off a blockbuster week for privacy with an important step towards the first comprehensive information security legislation in the EU. The Network Information Security (NIS) Directive was initially proposed by the European Commission in February 2013 to raise cybersecurity capabilities across the EU’s 28 member states. After more than two years of negotiation, the European Council reached an informal agreement with the Parliament on December 7, and the agreed text was approved by the Member States December 18.

The text now must undergo “technical finalisation,” and then needs to be formally approved by both the Council and the Parliament, which is expected, according to the Council, this spring. Member States will then have 21 months to implement the Directive into law, passing their own legislation in accordance with the Directive.

[quote]The Parliament and Council disagreed over which operators would be subject to the provisions. Ultimately, they extended the measures to operators of “essential services” and digital service providers.[/quote]

The Directive aims to “increase cooperation between member states and lay down security obligations for operators of essential services and digital service providers,” according to a Council press release. To that end, it will require operators take measures to manage cyber risks and report security incidents.

The Parliament and Council disagreed over which operators would be subject to the provisions. Ultimately, they extended the measures to operators of “essential services” and digital service providers.

Perhaps most importantly for privacy and data protection professionals, the Directive introduces breach notification requirements that extend beyond those of the General Data Protection Regulation (GDPR). Unlike the GDPR, which mandates notification only when there is a risk to personal data, the Directive requires operators to notify competent authorities whenever there is a substantial impact on the provision of the operator’s service. Thus, while the GDPR includes security and notification provisions to protect personal data, the Directive seeks to improve security safeguards and the sharing of knowledge on cybersecurity threats.

To whom does it apply?

The NIS Directive applies to operators of “essential services” in “critical sectors” as well as to “digital service providers.”

An operator of an essential service is a public or private entity that provides a service that (a) “is essential for the maintenance of critical societal and/or economic activities,” (b) depends on network and information systems and (c) is such that an impact on its network and information systems would produce “significant disruptive effects” on the provision of the service. The Directive applies to operators of essential services in the following critical sectors:

  • Energy: oil, gas and electricity supply, distribution, transmission and storage operators as defined under Directive 2009/72/EC and Directive 2009/73/EC.
  • Transport: including air transport, rail transport, water transport and road transport, with emphasis on entities that manage traffic control services as well as port, airport and rail authorities.
  • Banking: specifically credit institutions, defined under Regulation 575/2013 as “an undertaking the business of which is to take deposits or other repayable funds from the public and to grant credits for its own account.”
  • Financial market infrastructures: including operators of trading venues and “central counterparties,” which are entities that interpose themselves between parties to contracts traded on financial markets, thereby reducing the risk exposure to the original parties to the contracts.
  • Health: “any natural or legal person or any other entity legally providing healthcare on the territory of a Member State.”
  • Drinking water supply and distribution: applies to suppliers and distributors of water intended for human consumption, but not to distributors whose general activity is the distribution of other commodities and goods.
  • Digital infrastructure: Internet exchange points, domain name system service providers and top level domain name registries.

The Directive also applies to “digital service providers,” which include online marketplaces, search engines or cloud computing services. However, it does not apply to companies that are considered small- or micro-enterprises. Therefore, digital service providers with fewer than 50 employees and an annual balance sheet total under 10 million euros are exempt from the Directive’s requirements. Digital services under the Directive are defined as:

  • Online marketplace: a digital service that allows consumers and/or traders to conclude online sales and service contracts.
  • Online search engine: a digital service that allows users to perform searches of all websites or websites in a particular language on the basis of a keyword, phrase or other input and which returns links to related content.
  • Cloud computing service: “a digital service that enables access to a scalable and elastic pool of shareable computing resources.”

What does it do?

The Directive imposes obligations on Member States to establish Computer Security Incident Response Teams as well as competent national authorities with adequate technical, financial and human resources to coordinate with law enforcement authorities, data protection authorities and the operators covered by the Directive. The law mandates specific rules for how these entities are to share early warnings on risks, threat indicators, cybersecurity intelligence and best practices among Member States.

The Directive also requires operators of essential services and digital service providers to implement “appropriate and proportionate” security systems and to notify the competent authority of a security incident. These requirements differ slightly depending on whether the organization is an operator of an essential service or a digital service provider:

Operators of essential services must implement “state of the art” network and information security systems appropriate to each organization’s risks. These systems should be designed to prevent and minimize the impact of incidents and ensure the continuity of essential services. Where an incident creates a “significant impact” on the continuity of services, the Directive requires operators to notify the competent authority “without undue delay.” The significance of an incident is determined by “(a) the number of users affected by the disruption of the essential service; (b) the duration of the incident; [and](c) the geographical spread with regard to the area affected by the incident.”

The member states will be tasked with attaching numbers and definitions in their respective pieces of legislation.

[quote]an operator of essential services may fall under the jurisdiction of more than one Member State, but digital service providers likely will fall under the jurisdiction of only one Member State.[/quote]

Due to the cross-border nature of digital service providers, the Directive includes additional factors to ensure “a high level of harmonization” between the Member States. In crafting their security systems, digital service providers should consider the security of systems and facilities, incident management, business continuity, monitoring, auditing and testing, and compliance with international standards. In the case of an incident, digital service providers must notify the competent authorities without undue delay if the incident causes a “substantial impact” on the provision of the service. Beyond the factors discussed above—number of users, duration and geographic spread—digital service providers also should consider whether the functioning of the service is “seriously disrupted” and whether the impact on economic and societal activities is “profound” when deciding whether to notify.

Member States must craft sanctions for violations that are “effective, proportionate and dissuasive.”

Jurisdiction

With the aim of creating a “one-stop shop” for operators to coordinate with national authorities, the Directive sets out specific rules for cross-border cases. A digital service provider will fall under the jurisdiction of the Member State where it has its head office in the EU. If the digital service provider does not have a presence in the EU, the provider must designate a representative in one of the Member States if it “offers services” within the EU. For operators of essential services, each Member State is required to maintain a list, updated every two years, of all operators with an establishment within its territory. Thus, an operator of essential services may fall under the jurisdiction of more than one Member State, but digital service providers likely will fall under the jurisdiction of only one Member State.

How does the NIS Directive impact security requirements in the GDPR?

There is significant overlap between the GDPR and the NIS Directive. Both laws mandate operators to implement risk-based security measures and both laws include notification requirements in the event of an incident. However, they also protect distinct interests and may apply to different types of incidents.

First, the Directive and the GDPR have different rules for triggering jurisdiction. With few exceptions, the GDPR will apply to any person or entity that processes the personal data of EU residents related to the offering of goods or services or to monitor their behavior. The NIS Directive applies much more narrowly to operators of essential services and digital service providers with 50 or more employees. Thus, any overlap only occurs with respect to those operators.

Second, where the goal of the GDPR is to safeguard personal data, the Directive is squarely focused on network security. Thus, the GDPR requires controllers to adopt measures that secure personal data, while the Directive requires operators to appropriately secure their networks in order to protect the provision of the service. While these aims often overlap, there also will be areas where the protections diverge. For example, encryption may aid in protecting personal data in compliance with the GDPR without protecting the network from vulnerabilities as intended by the Directive’s provisions.

The same applies to breach notification. The GDPR requires controllers to notify the competent authority of a breach “without undue delay and, where feasible, not later than 72 hours after becoming aware of it . . . unless the personal data breach is unlikely to result in a risk for the rights and freedoms of individuals.” Thus, the GDPR requires breach notification only where personal data is at stake. The Directive, on the other hand, mandates breach notification if there is a significant disruption to the provision of the service. There are no penalties for compromising specific information, as there are under the GDPR for failing to protect personal data. Instead, the Directive penalizes operators that fail to implement appropriate security measures or fail to notify the competent authorities of an incident.

Finally, under the Directive, operators must notify only the competent authorities. The GDPR, however, requires controllers to notify the data subjects—i.e. individuals—if the breach poses a “high risk” to their rights and freedoms. The GDPR provides these individuals with a private right of action in addition to administrative remedies to vindicate their rights. The Directive only provides for administrative fines.

The Directive states that it will apply “without prejudice” to the GDPR, but it remains unclear what will happen if there are conflicting obligations. The Directive likely will create additional liability in cases where an operator has violated the provisions of both laws. But could compliance with the GDPR serve as a defense to enforcement under the Directive? Many issues surely will arise as these new laws are implemented over the next several years.

One thing is clear: Europe is now serious about cybersecurity and breach notification.

Photo credit: blink(1) mk2 via photopin (license)