Europe's first ever EU-wide cyber-security rules "agreed"
On 7 December 2015 a European Parliament press release reported that EU MEPs had closed a deal with the European Council on the first ever EU rules on cyber-security.
Though we're yet to see the full text, we now know that the final text of the Network and Information Security Directive ("NIS Directive") has been agreed. We're just over two years away from implementation of NIS Directive (and potentially the General Data Protection Regulation) – a cyber and data revolution that will test many a legal team.
Why do we need it?
The NIS Directive aims to bolster the security of Europe's critical infrastructure. When NIS incidents occur, they can have a huge impact by compromising services or by interrupting the day-to-day operations of business. It is recognised that with increasing cross-border technological co-dependencies, a NIS incident in one country can may have impact across the whole EU and undermine both market and consumer confidence.
By introducing more consistent risk management measures and systematic reporting of incidents the NIS Directive aims to help sectors dependent on IT systems to be more reliable and stable. The European Commission's proposed the NIS Directive back in February 2013, is part of a wider EU cybersecurity strategy aimed at creating a secure and trustworthy digital environment. The stated aims at that time were to ensure that key institutions such as banks, energy companies and other entities involved in critical infrastructure maintain secure information systems.
The rhetoric is clear; the NIS Directive aims to impose a minimum level of security for digital technologies, networks and services across all Member States. It also proposes to make it compulsory for certain businesses and organisations to report significant cyber incidents.
At its inception, Neelie Kroes, then EC Vice-President for the Digital Agenda, emphasised: “The more people rely on the internet the more people rely on it to be secure. A secure internet protects our freedoms and rights and our ability to do business. It's time to take coordinated action - the cost of not acting is much higher than the cost of acting.”
The threat of a cyber-attack is more immediate now than ever
Though increasingly common, the risks and damage posed by cyber-threats has been a reality for some time. The NIS Directive will impose minimum obligations on “market operators” and “public administrations” to harmonise and strengthen cybersecurity across the EU. Market operators would include energy suppliers, e-commerce platforms and application stores. The headline provision for business and organisations is the mandatory obligation to report security incidents to a national competent authority (“NCA”).
Key question – which market operators actually fall within its scope?
Ever since 2013, there has been extensive lobbying and debate about which of market operators would be caught within its terms and the scope of the "market operators" definition has been a bone of contention throughout negotiations. Even following this week's press release we're still not clear about where this debate has fallen out. At inception, the proposed Directive had in its sights operators including "search engines, cloud providers, social networks, public administrations, online payment platforms like PayPal, and major eCommerce websites, such as Amazon".
Recent word from Brussels indicates that market operators will take on a broad definition and be categorised as either "digital service providers" or "operators providing essential services" in the final law, thereby catching the likes of e-commerce platforms and cloud service providers. Despite reaching an agreement, the December 7th press release does not clarify all the ambiguity but it does confirm the sectors and services already known to be in scope:
"MEPs put an end to current fragmentation of 28 cybersecurity systems by listing sectors - energy, transport, banking, financial market, health and water supply - in which critical service companies will have to ensure that they are robust enough to resist cyber-attacks. These companies must also be ready to report serious security breaches to public authorities."
Critical infrastructure is in - but are "digital service providers" caught?
Among others, the UK Government had long argued that "digital services" should not be required to report cyber-threat issues to the NCA. The press release confirms that Member States will have to identify concrete "operators of essential services" from these sectors using certain criteria: whether the service is critical for society and the economy, whether it depends on network and information systems and whether an incident could have significant disruptive effects on its provision or public safety. Signs of a test emerging?
A leaked memo from the Presidency to the Council (dated 8 December 2015) and published on www.statewatch.org indicates little more:
"On substance, the co-legislators agreed to provide for uniform rules on certain aspects in the area of digital service providers. In particular, Member State should not impose stricter security and notification requirements on those providers and the European Commission will have the power to further specify certain elements in implementing acts. Moreover, both institutions agreed to link jurisdiction of operators of essential services to an establishment on the Member States' territory and also reached an agreement on the role of the cooperation group and on the remaining horizontal issues." (My emphasis)
So we're actually no closer to understanding which "digital service platforms" the NIS Directive will extend to and therefore which "digital service providers" will incur the mandatory obligation to report security incidents to a national competent authority (“NCA”). We only learn that: "In addition, some internet services providers, such as online marketplaces (e.g. eBay, Amazon), search engines (e.g. Google) and clouds, will also have to ensure the safety of their infrastructure and to report on major incidents. Micro and small digital companies will get an exemption, the deal says." The "and clouds" mention had the Team here in Silicon Valley laughing as it's unclear quite what is meant by this and in reality the vast majority of businesses have a cloud-based element to their services these days.
So while the EU is consulting around the definition of "online platforms" and "cloud" under the Digital Single Market initiative, it seems that here it has made up its mind. To be fair the press release quotes the European Parliament's rapporteur Andreas Schwab (EPP, DE) saying:
"……. this directive marks the beginning of platform regulation. Whilst the Commission's consultation on online platforms is still on-going, the new rules already foresee concrete definitions – a request that Parliament had made since the beginning in order to give its consent to the inclusion of digital services".
Equally, the ink hasn't yet dried on the drafts and it's wrong to speculate too much until the future rules are agreed once and for all. We'll update you soon on exactly what this "concrete definition" is and its impact once we know more.
What next
We're not quite there yet. This provisionally-agreed text still needs to be formally approved by Parliament's Internal Market Committee and the Council Committee of Permanent Representatives. The leaked memo establishes the Presidency's aim is to present the agreed text for approval by the Permanent Representatives Committee (Coreper) on 18 December 2015. This will be followed by the legal-linguistic revision by quality advisors of both institutions early next year. To conclude the procedure, formal adoption by both the Council and the Parliament is required.
As a directive, EU Member States would then have 21 months to publish national regulations implementing the NIS Directive's principles and a further six months to bring those new rules into force (during which time it seems Member States will be expected to carry out the identification of operators of essential services). We we anticipate key elements of this directive will stipulate maximum harmonisation so, in certain areas, Member States will be restricted from implementing rules that go further than the NIS Directive's terms.
Further comment will be possible as and when the final text is released (or leaked) as a public document. As we all monitor www.statewatch.org and the press for the all-too-common leak your Fieldfisher team will update you.
In the meantime – what's the practical consequence?
This is an entirely new obligation for businesses that fall within the NIS Directive's ambit. Those businesses that are caught will need to take a serious look at their preparedness for preventing, managing and responding to a cyber-security breach. This will necessitate system-wide security reviews and the creation of cyber breach management policies, incident response teams and awareness-raising programs. This is of course the reaction the EU is looking for.
The agreement of the NIS Directive represents one step in ongoing changes to wider ongoing regulatory reform around digital platform regulation and data privacy rules. 2016 will herald a wealth of legal development – including the General Data Privacy Regulation (reforming the EU's privacy laws)?
Mark Webber – Partner, Silicon Valley California mark.webber@fieldfisher.com
Why do we need it?
The NIS Directive aims to bolster the security of Europe's critical infrastructure. When NIS incidents occur, they can have a huge impact by compromising services or by interrupting the day-to-day operations of business. It is recognised that with increasing cross-border technological co-dependencies, a NIS incident in one country can may have impact across the whole EU and undermine both market and consumer confidence.
By introducing more consistent risk management measures and systematic reporting of incidents the NIS Directive aims to help sectors dependent on IT systems to be more reliable and stable. The European Commission's proposed the NIS Directive back in February 2013, is part of a wider EU cybersecurity strategy aimed at creating a secure and trustworthy digital environment. The stated aims at that time were to ensure that key institutions such as banks, energy companies and other entities involved in critical infrastructure maintain secure information systems.
The rhetoric is clear; the NIS Directive aims to impose a minimum level of security for digital technologies, networks and services across all Member States. It also proposes to make it compulsory for certain businesses and organisations to report significant cyber incidents.
At its inception, Neelie Kroes, then EC Vice-President for the Digital Agenda, emphasised: “The more people rely on the internet the more people rely on it to be secure. A secure internet protects our freedoms and rights and our ability to do business. It's time to take coordinated action - the cost of not acting is much higher than the cost of acting.”
The threat of a cyber-attack is more immediate now than ever
Though increasingly common, the risks and damage posed by cyber-threats has been a reality for some time. The NIS Directive will impose minimum obligations on “market operators” and “public administrations” to harmonise and strengthen cybersecurity across the EU. Market operators would include energy suppliers, e-commerce platforms and application stores. The headline provision for business and organisations is the mandatory obligation to report security incidents to a national competent authority (“NCA”).
Key question – which market operators actually fall within its scope?
Ever since 2013, there has been extensive lobbying and debate about which of market operators would be caught within its terms and the scope of the "market operators" definition has been a bone of contention throughout negotiations. Even following this week's press release we're still not clear about where this debate has fallen out. At inception, the proposed Directive had in its sights operators including "search engines, cloud providers, social networks, public administrations, online payment platforms like PayPal, and major eCommerce websites, such as Amazon".
Recent word from Brussels indicates that market operators will take on a broad definition and be categorised as either "digital service providers" or "operators providing essential services" in the final law, thereby catching the likes of e-commerce platforms and cloud service providers. Despite reaching an agreement, the December 7th press release does not clarify all the ambiguity but it does confirm the sectors and services already known to be in scope:
"MEPs put an end to current fragmentation of 28 cybersecurity systems by listing sectors - energy, transport, banking, financial market, health and water supply - in which critical service companies will have to ensure that they are robust enough to resist cyber-attacks. These companies must also be ready to report serious security breaches to public authorities."
Critical infrastructure is in - but are "digital service providers" caught?
Among others, the UK Government had long argued that "digital services" should not be required to report cyber-threat issues to the NCA. The press release confirms that Member States will have to identify concrete "operators of essential services" from these sectors using certain criteria: whether the service is critical for society and the economy, whether it depends on network and information systems and whether an incident could have significant disruptive effects on its provision or public safety. Signs of a test emerging?
A leaked memo from the Presidency to the Council (dated 8 December 2015) and published on www.statewatch.org indicates little more:
"On substance, the co-legislators agreed to provide for uniform rules on certain aspects in the area of digital service providers. In particular, Member State should not impose stricter security and notification requirements on those providers and the European Commission will have the power to further specify certain elements in implementing acts. Moreover, both institutions agreed to link jurisdiction of operators of essential services to an establishment on the Member States' territory and also reached an agreement on the role of the cooperation group and on the remaining horizontal issues." (My emphasis)
So we're actually no closer to understanding which "digital service platforms" the NIS Directive will extend to and therefore which "digital service providers" will incur the mandatory obligation to report security incidents to a national competent authority (“NCA”). We only learn that: "In addition, some internet services providers, such as online marketplaces (e.g. eBay, Amazon), search engines (e.g. Google) and clouds, will also have to ensure the safety of their infrastructure and to report on major incidents. Micro and small digital companies will get an exemption, the deal says." The "and clouds" mention had the Team here in Silicon Valley laughing as it's unclear quite what is meant by this and in reality the vast majority of businesses have a cloud-based element to their services these days.
So while the EU is consulting around the definition of "online platforms" and "cloud" under the Digital Single Market initiative, it seems that here it has made up its mind. To be fair the press release quotes the European Parliament's rapporteur Andreas Schwab (EPP, DE) saying:
"……. this directive marks the beginning of platform regulation. Whilst the Commission's consultation on online platforms is still on-going, the new rules already foresee concrete definitions – a request that Parliament had made since the beginning in order to give its consent to the inclusion of digital services".
Equally, the ink hasn't yet dried on the drafts and it's wrong to speculate too much until the future rules are agreed once and for all. We'll update you soon on exactly what this "concrete definition" is and its impact once we know more.
What next
We're not quite there yet. This provisionally-agreed text still needs to be formally approved by Parliament's Internal Market Committee and the Council Committee of Permanent Representatives. The leaked memo establishes the Presidency's aim is to present the agreed text for approval by the Permanent Representatives Committee (Coreper) on 18 December 2015. This will be followed by the legal-linguistic revision by quality advisors of both institutions early next year. To conclude the procedure, formal adoption by both the Council and the Parliament is required.
As a directive, EU Member States would then have 21 months to publish national regulations implementing the NIS Directive's principles and a further six months to bring those new rules into force (during which time it seems Member States will be expected to carry out the identification of operators of essential services). We we anticipate key elements of this directive will stipulate maximum harmonisation so, in certain areas, Member States will be restricted from implementing rules that go further than the NIS Directive's terms.
Further comment will be possible as and when the final text is released (or leaked) as a public document. As we all monitor www.statewatch.org and the press for the all-too-common leak your Fieldfisher team will update you.
In the meantime – what's the practical consequence?
This is an entirely new obligation for businesses that fall within the NIS Directive's ambit. Those businesses that are caught will need to take a serious look at their preparedness for preventing, managing and responding to a cyber-security breach. This will necessitate system-wide security reviews and the creation of cyber breach management policies, incident response teams and awareness-raising programs. This is of course the reaction the EU is looking for.
The agreement of the NIS Directive represents one step in ongoing changes to wider ongoing regulatory reform around digital platform regulation and data privacy rules. 2016 will herald a wealth of legal development – including the General Data Privacy Regulation (reforming the EU's privacy laws)?
Mark Webber – Partner, Silicon Valley California mark.webber@fieldfisher.com