May 9, 2018
Today (May 9, 2018) is the deadline for the new Network and Information Security (NIS) Directive to be transposed into EU member states’ national legislation. This new regulation is aimed at creating a base level of security for organizations that are operating essential services within the EU. The primary sectors covered by this regulation are: energy providers, transport, banking, financial services infrastructure, health, water, and digital infrastructure providers. Organizations in this scope are termed “operators of essential services” and must implement the provisions of the directive to form the required base level of security for those services.
This EU directive was passed on July 6, 2016, and member states were given 21 months to transpose the directive into their national legislation, which is due today. While much of the preparation over the past two years was concerned with the building of capabilities at a member-state level, it is only now that the directive is going to start impacting your company directly.
You will start to find out over the next six months whether you are in scope of the directive (by November 9, 2018 at the latest). Here are some of the key ways in which you will be impacted:
- Financial penalties for breaches of the directive. There are penalties for breaches impacting essential services. The UK’s £17 million maximum penalty has already made headlines for its size and scale. The size of the fine is not consistent across the EU, as each member state determines the maximum level of fine it will levy.
- Mandatory security breach notification. Organizations will need to notify their designated competent authority of any breach that impacts the services they operate, not just those impacting personal data. Timeframes have not been specified, but some are suggesting mirroring the GDPR 72-hour breach notification requirement.
- Some of your breach data will be shared to help inform others. The breach data received by operators may be distributed to other EU member states through threat intelligence sharing channels. This sharing of information to help other, similar operators is a new and potentially interesting expansion that could take cross-EU cyber cooperation up a level.
- You may need to adjust or implement new security controls. The directive calls for a base level of security controls to be implemented, dependent on the assessment of the key risks facing an organization’s services.
- You will need to take steps to manage your supply chain. While not directly in the scope of the NIS Directive, operators of essential services are expected to assure themselves that their supply chain abides by the same standards that they do.
- Digital service providers are particularly impacted. For the first time, there is an explicit recognition in cyber regulation that many companies and citizens are highly reliant on cloud computing services and digital search facilities. This obliges some of the largest American-based organizations providing software-as-a-service (SaaS) to comply with the NIS Directive.
The good news is that most organizations will already have most of what is required in place.
I have some concerns about the way that the directive is being applied across Europe, which I think creates potential difficulties for organizations impacted by it:
- As NIS is a directive rather than a regulation, it is up to member states to determine how they apply it. This means that different EU member states will have different implementations of required security controls. If your organization operates in multiple jurisdictions, you will need to manage a complex set of potentially competing requirements for demonstrating NIS compliance.
- For fines involving personal data, the GDPR will also apply. A significant concern for your organization would be whether so-called NIS Directive/GDPR “double jeopardy” is an issue. While it is expected that both the applicable NIS competent authority and the relevant GDPR data protection regulator would both wish to investigate, I believe that in these cases one regulator should be designated as the primary authority for the purposes of levying a penalty to ensure that the organization is not punished twice for the same breach.
- Finally, while it allows maximum choice to member states, the ability of each to either select a single centralized authority or adopt a sectoral approach involving multiple regulators will only create confusion for organizations with operations in multiple jurisdictions as to how and whom they report to in which country. A centralized approach to management of competent authorities would have been a simpler approach.
I will be undertaking research later in the year to understand how organizations are getting on with NIS Directive implementation and how member states are applying it.