NIS Directive establishes first EU-wide cyber security rules
For those businesses that fall under its scope, such as search engines and cloud computing providers, the advent of the NIS Directive will mean that incident handling and notification will take on a more serious role than previously, and numerous security obligations will need to be satisfied.
Mark Webber and Michael Brown of Fieldfisher discuss five key issues for online businesses to consider in reaction to the Directive.
Under the NIS Directive, certain companies operating in critical sectors such as health, energy and transport, as well as some online businesses like search engines, online marketplaces and cloud computing providers, will be required to satisfy wide-ranging security and incident reporting obligations.
From the TalkTalk hack to the Ashley Madison breach, cyber security issues and risks have captured the attention of journalists, CEOs, legislators and ordinary citizens in recent years. The NIS Directive represents a legislative attempt to address some of these cyber issues and risks and, in doing so, safeguard EU critical infrastructure and the much-vaunted EU Digital Single Market.
Although the NIS Directive has yet to be formally adopted by the European Parliament and the Council of the EU, the authors of this article have obtained a copy of the agreed text. We understand from sources in Brussels that there are unlikely to be any notable amendments to the text that we reviewed. The law makes for fascinating reading and will undoubtedly raise significant compliance challenges for all of the entities who will be subject to its requirements. These entities are divided into the following two categories: (i) operators of essential services; and (ii) digital service providers.
In February/March 2016, the European Parliament and Council of the EU will formally approve the law. After that, the text will be published in the EU Official Journal and will officially enter into force. Member States will have 21 months to implement the NIS Directive into their national laws and six months more to identify operators of essential services. During this time, the European Commission will adopt implementing acts, which will realise some of the more specific elements of the law on security measures and incident notification. Here we set out five key issues with which online businesses will have to wrestle to ensure cyber security compliance and, in turn, hopefully reduce their chances of becoming the next breach story.
1. ASSESSING WHETHER YOU ARE IN SCOPE
The first critical issue for online businesses is to assess whether they are subject to the law’s requirements. The NIS Directive applies to operators of essential services and digital service providers. It does not apply to telcos or payment service providers who are subject to separate security and incident reporting obligations. It also does not apply to hardware/software developers or small/micro-sized digital service providers.
Operators of essential services can be public or private entities and are defined as follows: ‘(i) the entity provides a service which is essential for the maintenance of critical societal and/or economic activities; (ii) provision of that service depends on network and information systems; and (iii) an incident to the network and information systems of that service would have significant disruptive effects on its provision.’ There is little merit in analysing this definition since each Member State will be responsible for identifying its operators of essential services. These entities will then be listed in the national laws that implement the Directive. One of the law’s purposes is to protect critical infrastructure in the event of a cyber attack and so it is highly likely that energy suppliers, airports, banks, utility companies and healthcare providers will be considered as operators of essential services.
Digital service providers are defined to consist of online marketplaces, online search engines and cloud computing services. From the law’s recitals, it seems that all three categories will be interpreted very widely.
An online marketplace is defined as ‘a digital service that allows consumers and/or traders as defined respectively in Article 4(1)(a) and 4(1)(b) of Directive 2013/11/EU to conclude online sales and service contracts with traders either on the online marketplace’s website or on a trader’s website that uses computing services provided by the online marketplace.’ The breadth of this definition means that large players like Amazon and eBay will be caught but, equally, small e-commerce stores where consumers can purchase products/services from third party traders may also be subject to the law. App stores are also deemed to be in scope but price comparison websites are not.
An online search engine is defined as ‘a digital service that allows users to perform searches of in principle all websites or websites in a particular language on the basis of a query on any subject in the form of a keyword, phrase or other input; and returns links in which information related to the requested content can be found.’ Clearly, the likes of Google and Bing will fall within this definition. A cloud computing service is defined as ‘a digital service that enables access to a scalable and elastic pool of shareable computing resources.’ The law’s recitals provide brief guidance on the following different elements of this definition: ‘computing resources’; ‘scalable’; ‘elastic pool’; and ‘shareable.’ However, it remains very unclear how this definition will be applied in practice. Put simply, a vast number of online businesses provide cloud computing services (even if they are not the business’ primary commercial offering) and thus are likely to fall within this definition as drafted.
Given the opaqueness of the definition and recitals, online businesses should carry out a careful legal analysis of whether they are defined as a cloud computing service. The need for this analysis is heightened by the fact that, unlike operators of essential services, the obligation is on online businesses to self-assess whether they are subject to the law’s requirements.
Despite the NIS Directive’s apparent broad net, the good news for online businesses is that the law sets out a more ‘light-touch’ approach towards its security and notification obligations compared to operators of essential services. Information on these obligations is set out below.
2. COMPLYING WITH THE NIS DIRECTIVE’S NATIONAL IMPLEMENTING LAW
As a brief recap, the NIS Directive will be transposed into a national law for each Member State. Therefore, online businesses in scope will need to assess which national law applies to their network and information systems. It seems that operators of essential services and digital service providers that are active in multiple Member States may not need to comply with the national implementing law in each of these countries. The entity will only have to comply with the national law in the Member State where it is established. In this context, establishment means where an entity has an ‘effective and real exercise of activity through stable arrangements’ rather than, for example, the physical location of its network and information systems or location of its legal branch.
If a digital service provider is not established in a Member State but still provides services within the EU then it must appoint a ‘representative.’ At this stage, there is little guidance on who can perform the role of a representative.
Finally, as a ‘minimum harmonisation’ law, Member States are entitled to adopt or maintain provisions with a view to achieving a higher level of cyber security than set out in the law. For example, certain Member States like Germany and Spain are likely to enact stricter security legislation than other Member States. All in all, the national implementations of the NIS Directive represent an additional issue (though clearly not as significant as tax or employment issues) for an online business to consider when deciding upon its EU country of establishment.
3. DEALING WITH NEWLY ESTABLISHED CYBER SECURITY AUTHORITIES
Online businesses in scope should acquaint themselves with the new authorities/bodies established by the NIS Directive. This is crucial so that a business knows the following: (i) to which authority incidents should be notified; and (ii) the authority that has the power to sanction non-compliance.
The NIS Directive refers to two bodies of importance to online businesses. The first is the national competent authority (‘NCA’). An NCA will be formed in each Member State and will be in charge of regulating the law’s application at national level. It may be an existing regulator or a new body (the UK Information Commissioner’s Office has already made known its reluctance to perform this role). Each NCA will have differing powers in relation to operators of essential services and digital service providers.
Unlike with operators of essential services, the NCA will have no general power to regulate the conduct of digital service providers. However, it will be able to take ‘action’ when provided with ‘evidence’ that a digital service provider is failing to comply with the NIS Directive. Such evidence can be provided by the digital service provider itself, a user of its service or another NCA.
In an environment of user activism regarding data protection and cyber security, it is reasonable to think that evidence will be submitted. Thus, online businesses should prepare themselves for such scenarios. The ‘action’ that the NCA will be able to take will be to require the digital service provider to remedy any failure to fulfil its security and incident notification requirements. No explanation is provided as to how the NCA will require remedial action to be taken. This, along with other enforcement measures (like fines, undertakings etc.) will be determined by each Member State and then set out in the national law.
The second body of importance is the Computer Security Incident Response Team (‘CSIRT’). Each Member State will have a CSIRT, which will provide guidance to operators of essential services and digital service providers on cyber security issues as well as cooperate internationally to ensure that cross-border threats are detected and handled. Online businesses may wish to liaise with a CSIRT regarding the practical issues/questions relating to incident preparedness.
At present, the precise powers and responsibilities of the NCAs and CSIRTs are uncertain. For example, the NIS Directive provides that incident notifications can be made to an NCA, a CSIRT or both. Clearly, this is not ideal since an online business needs certainty on the appropriate notifying body and also to bake this information into its incident handling policies/procedures. Hopefully, this point will be resolved in the implementing acts or national transpositions. Online businesses should keep a watching brief on these and the formation of the NCAs/CSIRTs to determine their regulatory approach.
4. PUTTING IN PLACE SECURITY MEASURES
Online businesses in scope will be required to put in place ‘appropriate and proportionate technical and organisational measures’ to protect NIS. These measures must ensure that digital service providers manage the risks posed to the security of networks and information systems that they use in the provision of their service.
In implementing these security measures, digital service providers must take into account the following elements: (i) security of systems and facilities; (ii) incident management; (iii) business continuity management; (iv) monitoring, auditing and testing; and (v) compliance with international standards.
The European Commission will adopt implementing acts that set out in more detail the specifications of the security measures. These are intended to be harmonised across Member States for digital service providers. Putting in place security measures is a key requirement under the NIS Directive but one that remains up in the air (despite the fact that it is similar to the ‘data security’ requirement in the Data Protection Directive). In light of this uncertainty, an online business should monitor the publication of European Commission implementing acts and then conduct a review of its security measures for compliance.
5. DEVELOPING AN EFFECTIVE CYBER INCIDENT NOTIFICATION PROCESS
Online businesses in scope will be required to notify any incident having a ‘substantial impact’ to the provision of its digital service. The European Commission will adopt implementing acts on the notification requirement, which is intended to be harmonised across Member States for digital service providers. However, what we know so far is that the notification should be made to the NCA or the CSIRT ‘without undue delay.’ The notification should contain information to enable the NCA or the CSIRT to determine the significance of any cross-border impact. After consulting with the digital service provider, the NCA or the CSIRT may choose to publicise the incident in certain circumstances.
In order to determine whether the impact is ‘substantial,’ the digital service provider should consider the following parameters: (i) the number of users affected by the incident, in particular users relying on the service for the provision of their own services; (ii) the duration of the incident; (iii) the geographical spread with regard to the area affected by the incident; (iv) the extent of the disruption of the functioning of the service; and (v) the extent of the impact on economic and societal activities.
No guidance has been provided as to how overlapping notification obligations (e.g. under the NIS Directive and the General Data Protection Regulation) will work in practice. Hopefully this business headache will be resolved in the implementing acts.
This is a landmark requirement since digital service providers are not currently obliged to notify data security or cyber security incidents in EU Member States. Therefore, the new law mandates notification (which is voluntary in most Member States) thereby meaning that digital service providers need to take incident handling and notification more seriously than ever before. This means that online businesses in scope should formulate and agree upon incident handling and notification policies and procedures to ensure they are ready to deal with likely incidents and mitigate commercial, reputational and regulatory risks.
This article first appeared in the January 2016 edition of E-Commerce Law and Policy.