On 6 July 2016, the European Parliament adopted the Directive on security of network and information systems (the NIS Directive), the first EU-wide set of rules on cyber security and the result of more than three years of negotiation following the Commission’s proposal of February 2013. Political agreement was reached in December 2015. EU member states have 21 months from the Directive’s entry into force to transpose its rules into national law, that is until 9 May 2018.
The Directive’s main objectives are to oblige member states to adopt national cyber security strategies; to create a Cooperation Group for strategic cooperation and information exchange; to create a network of national Computer Security Incident Response Teams (CSIRTs) to build trust and foster operational cooperation; to establish security and incident-notification requirements for operators of essential services and for digital service providers; and to designate national single points of contact. This post focuses on the requirements placed on operators of essential services.
Operators of essential services
The NIS Directive defines an ‘operator of essential services’ as a public or private entity of one of the types listed in its Annex II, in the following sectors and subsectors, which meets the identification criteria described below:
- Energy, including the electricity subsector (suppliers, distribution system operators and transmission system operators), the oil subsector (operators of oil transmission pipelines and of oil production, refining and treatment facilities, storage and transmission) and the gas subsector (suppliers, distribution system operators, transmission system operators, storage system operators, LNG system operators, natural gas undertakings and operators of natural gas refining and treatment facilities).
- Transport, including air transport (air carriers, airport managing bodies and traffic management control operators providing air traffic control services), rail transport (infrastructure managers and railway undertakings), water transport (inland, sea and coastal passenger and freight water transport companies, managing bodies of ports and entities operating works and equipment within ports, and operators of vessel traffic services) and road transport (road authorities responsible for traffic management control and operators of intelligent transport systems).
- Banking, including credit institutions.
- Financial market infrastructures, including operators of trading venues and central counterparties.
- Health, including health care providers such as hospitals and private clinics.
- Drinking water supply and distribution, including suppliers and distributors of water intended for human consumption, but excluding distributors for whom water is only part of a wider business of distributing other commodities and goods.
- Digital infrastructure, including Internet Exchange Points (IXPs), Domain Name System (DNS) service providers and Top Level Domain (TLD) name registries.
The Directive also provides that where sector-specific EU legal acts already impose security or incident-notification requirements that are at least equivalent in effect to its own, those acts apply instead; telecommunications providers, which are already subject to security and breach-notification obligations under the EU telecoms framework, are likewise outside its scope. The original Commission proposal for the Directive also covered public administration, which, surprisingly, was dropped from the final text.
Each member state identifies the entities established on its territory that qualify as operators of essential services. To identify an entity, the member state must establish that:
- the entity provides a service that is essential for the maintenance of critical societal and/or economic activities;
- the provision of that service depends on network and information systems; and
- an incident would have a significant disruptive effect on the provision of the service.
When assessing whether the disruptive effect of an incident would be significant, the following cross-sector factors are to be taken into account:
- the number of users relying on the service;
- the dependency of other essential-service sectors on the service;
- the impact that incidents could have, in terms of degree and duration, on economic and societal activities or public safety;
- the market share of the entity;
- the geographic spread of the area that could be affected; and
- the importance of the entity for maintaining a sufficient level of the service, taking into account the availability of alternative means of providing it.
Member states should also take sector-specific factors into account when assessing how disruptive a given incident would be.
Where an operator of essential services also provides non-essential services, the NIS Directive applies only to the services that are essential for the maintenance of critical societal and economic activities. The list of identified operators must be reviewed regularly and updated at least every two years. Where an entity provides an essential service in two or more member states, those member states must consult one another before identifying it, so that the cross-border effect of an incident is taken into account in assessing how critical the operator is.
Security aspects of the operators of essential services
Operators of essential services are required to take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of the network and information systems they use in their operations. Having regard to the state of the art, those measures must ensure a level of security appropriate to the risk. Operators must also take appropriate measures to prevent and minimise the impact of incidents affecting the security of those systems, with a view to ensuring the continuity of their services.
The Directive obliges operators to notify, without undue delay, the competent authority or the CSIRT of any incident having a significant impact on the continuity of the essential services they provide. The notification must include information that enables the competent authority or the CSIRT to determine any cross-border impact of the incident. The Directive also provides that notification does not make the notifying party subject to increased liability.
Whether an incident’s impact is significant is determined in particular by the number of users affected by the disruption, the duration of the incident and the geographical spread of the area affected. Following notification, the competent authority or the CSIRT must provide the operator with relevant information on the follow-up to its notification, such as information that could support effective incident handling. If the incident has a significant impact on the continuity of essential services in another member state, that member state is informed via the national single point of contact. The competent authority or the CSIRT may also inform the public about an individual incident, after consulting the notifying operator, where public awareness is necessary to prevent or deal with an ongoing incident.
Digital Service Providers (DSPs)
The Directive also covers DSPs, defined as ‘any legal person that provides a digital service’ of one of the types listed below. Their inclusion is a significant development for the EU: whether to bring these entities within scope was one of the main obstacles to agreeing the Directive.
The three types of digital service covered are:
- Online marketplaces – digital services that allow consumers and traders to conclude online sales or service contracts, either on the online marketplace’s website or on a trader’s website that uses computing services provided by the online marketplace;
- Online search engines – digital services that allow users to perform searches of, in principle, all websites or websites in a particular language on the basis of a query on any subject in the form of a keyword, phrase or other input, and which return links in which information related to the requested content can be found; and
- Cloud computing services – digital services that enable access to a scalable and elastic pool of shareable computing resources.
The Directive treats the risk posed by DSPs as lower than that posed by operators of essential services, so the security requirements for DSPs are lighter, and member states may not impose further security or notification requirements on them (micro and small enterprises are exempt altogether). DSPs must identify and take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of the network and information systems they use in offering their services. The Directive lists the elements those measures must take into account:
- Security of systems and facilities;
- Incident handling;
- Business continuity management;
- Monitoring, auditing and testing; and
- Compliance with international standards.
Member states must also ensure that DSPs notify the competent authority or the CSIRT without undue delay of any incident having a substantial impact on the provision of a covered service. To determine whether an incident’s impact is substantial, the Directive adds two criteria to those used for operators of essential services: the extent of the disruption of the functioning of the service and the extent of the impact on economic and societal activities. A DSP is obliged to notify only where it has access to the information needed to assess the impact against these criteria.
In addition to the 21 months that member states have for transposition, they have a further six months, until 9 November 2018, to identify the operators of essential services established on their territory. There are concerns that the flexibility left to member states could produce regulatory unpredictability if implementation is not coordinated: the methodology for deciding which entities count as operators of essential services, and the criteria used to define their security and incident-notification requirements, may not be applied uniformly across member states, so an operator active in several countries could face differing obligations in each.
The Cooperation Group and the CSIRTs network are to begin their tasks by 9 February 2017, so that member states already have these cooperation mechanisms available during the transposition period.
Other EU developments in cyber security
In addition to the NIS Directive, the European Commission has stepped up its engagement with the private sector by signing a contractual Public-Private Partnership on cybersecurity on 5 July 2016. The partnership is expected to trigger €1.8 billion of investment by 2020 from the public and private sectors combined and to strengthen the competitiveness of the EU’s cyber security industry.
Mari Kert-Saint Aubyn
This publication does not necessarily reflect the policy or the opinion of the NATO Cooperative Cyber Defence Centre of Excellence (the Centre) or NATO. The Centre may not be held responsible for any loss or harm arising from the use of information contained in this publication and is not responsible for the content of the external sources, including external websites referenced in this publication.