The Network and Information "Cyber" Security Directive ("NIS Directive") sets out standards for Network and Information Security ("NIS") in the European Union ("EU").
It is anticipated that the directive may be formally adopted as early as spring 2016. National laws implementing the directive will then be required within two years.
The following is a summary of some of the most significant issues of which in-house solicitors should be aware:
Applicability
The NIS Directive applies to "Operators of Essential Services" ("OESs") and "Digital Service Providers" ("DSPs"):
OESs
DSPs
Security and Reporting Requirements
Both OESs and DSPs will be required to take measures to prevent, and to mitigate the impact of, incidents affecting NIS, with a view to ensuring the continuity of their services. The general difference between the obligations placed on the two types of entity is explained below.
Both entities will also be required to notify an appointed competent authority, or the national Computer Security Incident Response Team ("CSIRT"), of an incident without undue delay.
Practical Effects of the Requirements
In order to determine the effect of the NIS Directive's requirements on a DSP, several factors need to be considered, including the following.
The NIS Directive states that the requirements for DSPs should be "proportionate to the risk presented by the network or information system concerned".
Penalties
The NIS Directive provides no specific penalties, but member states are entitled to set their own. Any penalties imposed by member states must, however, be "effective, proportionate and dissuasive". Businesses should be aware of the increasing focus of legislation on raising standards of NIS, as also seen with the Cyber Essentials scheme, a UK government scheme encouraging businesses to adopt good practice in information security.