Whilst everyone in the European Union spent the last couple of weeks in the frantic rhythm of preparing for the application of the GDPR (May 25, 2018), another crucial piece of EU legislation, this one on cybersecurity, was quietly taking effect. Specifically, by 9 May 2018 all Member States should have transposed into their national legislation Directive (EU) 2016/1148 concerning measures for a high common level of security of network and information systems across the Union (known as the NIS Directive, from the initials of “Network and Information Systems”), and they must apply the measures it provides from 10 May 2018.
The NIS Directive was proposed in 2013 as a means of implementing the European Commission’s Cybersecurity Strategy, and it aims to achieve a high common level of network and information security across the European Union by:
- improving national capabilities in the field of cyber security,
- developing cooperation at EU level, and
- promoting risk management and incident reporting amongst the main economic operators, in particular operators of services that are essential for the maintenance of economic and social activities, and digital service providers.
The NIS Directive applies to two types of organizations: (a) Operators of Essential Services (OESs) in the sectors of energy, transport, banking, financial market infrastructures, health, drinking water supply and distribution, and digital infrastructure, and (b) Digital Service Providers (DSPs), namely online marketplaces, online search engines and cloud computing services.
Both OESs and DSPs should adopt a “risk management culture” based on risk assessment and risk-based measures, so that they neither under-protect their systems nor face disproportionate financial and administrative burdens. Risk management measures should include measures to identify the risks of incidents, as well as measures to prevent, detect and handle incidents and to mitigate their impact. The security of network and information systems includes the security of the data that is stored, transmitted and processed on them. OESs and DSPs should:
- take appropriate and proportionate technical and organizational measures to manage the risks posed to the security of their network and information systems, ensuring a level of security appropriate to the risk presented
- take appropriate measures to prevent and minimize the impact of incidents
- notify, without undue delay, the competent authority or the CSIRT of incidents having a significant impact on the continuity of the essential services they provide (OESs) or a substantial impact on the provision of the digital services they offer (DSPs).
However, with respect to DSPs, and unlike OESs, the NIS Directive provides that competent authorities should not be under a general obligation to supervise digital service providers; they should act, through ex post supervisory measures, only when provided with evidence that a digital service provider does not meet the requirements of the Directive, typically after an incident has occurred. Recital 49 of the NIS Directive explains the rationale: the degree of risk for operators of essential services, which are often essential for the maintenance of critical societal and economic activities, is higher than for digital service providers, so the security requirements for digital service providers should be lighter, and digital service providers should remain free to take the measures they consider appropriate for managing the risks to the security of their network and information systems.
The European Commission has adopted an implementing regulation (Commission Implementing Regulation (EU) 2018/151) specifying the elements DSPs must take into account when managing security risks and the parameters for determining whether an incident has a substantial impact, while the European Union Agency for Network and Information Security (ENISA) has published technical guidelines for the implementation of minimum security measures for Digital Service Providers. These guidelines describe a set of security objectives generally applicable to DSPs, ranging from information security policy to the management of customer access and access rights, and for each objective they describe different levels of sophistication. This is reflected in a set of specific security measures of increasing maturity that can help an enterprise work towards, and demonstrate, a high level of compliance with the NIS Directive.
In addition, according to Article 19 (Standardisation) of the NIS Directive, Member States shall “encourage the use of European or internationally accepted standards and specifications relevant to the security of network and information systems”. Two international standards illustrate such a best practice approach:
- ISO/IEC 27001:2013, the international standard for Information Security Management Systems (ISMS),
- ISO 22301:2012, the international standard for Business Continuity Management Systems (BCMS).
In conclusion, OESs and DSPs are required to carefully review the security of their existing networks and information systems, and to implement appropriate incident notification procedures, in order to meet the legal requirements of the NIS Directive.
Organizations falling within the scope of the NIS Directive must implement state-of-the-art technical and organizational measures that ensure a level of security proportionate to the risk involved. To reach this level, businesses will need to develop a comprehensive security program. Some of the key actions to move forward include the following:
- Assessing whether and how the NIS Directive applies to the business, and developing a readiness plan.
- Performing a risk and impact assessment of the security of the relevant network and information systems.
- Reviewing all internal security policies and procedures.
- Adopting an internal security and incident response strategy.
- Developing and implementing a rapid security incident response program, including the procedure for notifying the competent authority or CSIRT.
- Using European or internationally accepted standards and specifications relevant to the security of network and information systems.
The relationship between the NIS Directive and GDPR
Organizations that process personal data may be subject to both the NIS Directive and Regulation (EU) 2016/679, the General Data Protection Regulation (GDPR), which introduces several new safeguards for data subjects as well as significant fines and penalties for non-compliance. A single security incident may therefore trigger notification obligations under both legislative texts: to the competent authority or CSIRT under the NIS Directive, and to the supervisory authority (and, where the risk to individuals is high, to the data subjects themselves) under the GDPR.
There is, however, a significant distinction between the NIS Directive and the GDPR as to what they protect. The GDPR’s breach notification regime is limited to breaches of “personal data”, whereas the NIS Directive is concerned with the security of network and information systems and of all the data they store, transmit and process, whether personal or not. Moreover, the NIS Directive covers not only data breaches but any “incident” that adversely affects the security of network and information systems and, as a result, the provision of the service.
In combination, the NIS Directive and the GDPR will radically change the context in which businesses operate.
George Apostolopoulos, PhD
Open Technology Services S.A.