On December 7, 2015, after more than two years of legislative consideration, the European Parliament and the European Council reached a political agreement concerning the Directive on Network and Information Security (“NIS Directive”). Under the NIS Directive, operators of essential services will be required to take appropriate security measures and report cybersecurity incidents. The amended draft NIS Directive is not available but is expected to be published on or around December 18, 2015.
The so-called “trilogue” negotiations among the EU institutions revealed substantial differences on key elements, including: (1) the scope of the operators subject to security breach notification requirements; (2) the definition of a reportable cybersecurity incident; and (3) the procedure that will apply in the case of cross-border incidents affecting several Member States.
1. Scope of Operators
In its proposal, the European Commission established two categories of operators of essential services that would be subject to the Directive's security and reporting requirements:
(i) Operators of critical infrastructures in the fields of energy (e.g. electricity and gas markets), transport, banking (including savings and mortgage banks and electronic payment providers), stock exchanges and health; and
(ii) Providers of “Information Society Services” (i.e., on-line services) that enable the provision of other Information Society Services, including e-commerce platforms, internet payment gateways, social networks, search engines, cloud providers and application stores.
Following intense debate at Member State and EU level, the European Parliament proposed excluding Information Society Services providers from the scope of the Directive.
The Council of Ministers, however, sought to have Information Society Service providers covered, to the extent substantial numbers of market participants rely on the provider concerned for their economic or trading activities.
Although the final text of the NIS Directive is not yet available, it appears that important or large-scale providers of Information Society Services will be subject to requirements, including online marketplaces, cloud computing services and search engines. It is unclear at this stage, however, whether these providers will be subject to the same security and breach notification requirements as the other operators of critical infrastructure.
2. Breach Notification
The Directive will require covered operators to notify the relevant national authority of security breaches that have a significant impact or serious disruptive effects on the provision of essential services and public safety. The following parameters will be taken into account in assessing the significance of security incidents: i) the number of users whose core service is affected; ii) the duration of the incident; and iii) the geographic spread of the incident.
Importantly, a cybersecurity incident under the NIS Directive may or may not involve personal data: the affected systems may hold no personal data at all. Where an incident does involve personal data, it may also trigger an obligation to notify under the forthcoming General Data Protection Regulation (“GDPR”). Operators falling within the scope of the NIS Directive may therefore be subject to overlapping breach notification requirements, with different competent authorities, triggers and deadlines for the same event.
One question that divided the Member States and the EU institutions concerned which authority should receive notifications of, and investigate, cybersecurity breaches in cross-border cases. In keeping with the “one-stop-shop” discussions over the GDPR, the EU institutions have been debating whether a single point of contact should carry out investigations on behalf of the other regulators or should mainly coordinate such investigations. Although a supervisory authority's jurisdiction over a breach will clearly be linked to an establishment of the operator concerned on that Member State's territory, the exact coordination mechanism has not yet been disclosed. The NIS Directive will be formally adopted by the European Council and the European Parliament in the coming months.
Member States will be required to transpose the Directive into their national laws within 21 months and will have an additional 6 months to identify the operators of essential services subject to the reporting requirements. Member States will also be able to subject additional sectors and operators, beyond those identified in the Directive, to security and reporting requirements.
The Commission’s press release is available at: http://europa.eu/rapid/press-release_IP-15-6270_en.htm.
The Parliament’s press release is available at: http://www.europarl.europa.eu/news/en/news-room/20151207IPR06449/MEPs-close-deal-with-Council-on-first-ever-EU-rules-on-cybersecurity
The Council’s press release is available at: http://www.consilium.europa.eu/register/en/content/out/?&typ=ENTRY&i=ADV&DOC_ID=ST-14673-2015-INIT.