The Network and Information "Cyber" Security Directive ("NIS Directive") sets out standards for Network and Information Security ("NIS") in the European Union ("EU").
It is anticipated that the directive may be formally adopted as early as spring 2016. National laws implementing the directive will then be required within two years.
The following is a summary of some of the most significant issues of which in-house solicitors should be aware:
The NIS Directive applies to "Operators of Essential Services" ("OES's") and "Digital Service Providers" ("DSP's"). OES's are characterised as follows:
- They provide services essential to critical societal and/or economic activities.
- The provision of those services depends on NIS, so an incident affecting NIS would have a significant disruptive effect on their provision.
- OES's are typified by their direct link to physical infrastructure.
- It is expected that member states will be required to identify their OES's when implementing the NIS Directive.
DSP's are characterised as follows:
- Digital services are electronic services provided at the request of, and paid for by, the recipient, namely an online marketplace, an online search engine or a cloud computing service.
- Digital services are provided remotely.
- DSP's are often likely to be involved in the provision of cross-border services.
Security and Reporting Requirements
Both OES's and DSP's will be required to take measures to prevent and mitigate the impact of incidents affecting NIS, with a view to ensuring the continuity of their services. The general difference between the two types of obligation is explained below.
- OES's are required to take all necessary steps to ensure the continuity of their services.
- DSP's are required to take all precautions that are reasonable, taking into account the 'state of the art' of such measures.
Both entities will also be required to notify an appointed competent authority, or the national Computer Security Incident Response Team ("CSIRT"), of an incident without undue delay.
Practical Effects of the Requirements
In order to determine the effect of the NIS Directive's requirements on a DSP, a number of factors must be considered, including the following.
- The number of users relying on the services.
- The dependency and availability of alternative suppliers of analogous services.
- The geographical spread, degree, and overall prominence of the services that are being provided.
The NIS Directive states that the requirements for DSP's should be "proportionate to the risk presented by the network or information system concerned".
The NIS Directive provides no specific penalties, but member states are entitled to set their own. However, any penalties imposed by member states should be "effective, proportionate and dissuasive". Businesses should be aware of the increased legislative focus on improving standards of NIS, as also seen in the Cyber Essentials scheme, a UK government scheme encouraging businesses to adopt good practice in information security.