For the first time, a Europe-wide regime governing critical infrastructure cybersecurity is about to come into force. Here’s what you need to know about the Network and Information Security (NIS) Directive …
The NIS Directive – what’s it all about?
Affecting the likes of power suppliers and healthcare facilities, last year’s Petya and WannaCry attacks were reminders that when critical infrastructure is hit by cyber attack, the consequences can be severe. European lawmakers have long recognised the need for a stronger, joined-up response to this…
More than four years in the making, the NIS Directive is designed to improve EU Member State preparedness, increase cross-border cooperation and build a “culture of security across sectors which are vital for our economy and society”.
It covers two types of organisation…
- Operators of essential services (OES). This covers energy and water supply, transport, health, finance and digital infrastructure such as DNS service providers, top-level domain name registries and Internet exchange points.
- Digital service providers (DSP).
Definition of a DSP
Digital services are defined in broad terms as “any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services”.
The Directive goes on to describe the type of entity covered…
- Online marketplaces. These are specifically defined as intermediaries between buyers and sellers – and only if sales are actually made on the platform itself. So the Gumtrees and eBays of this world are included; regular e-commerce stores are not.
- Online search engines. Only services that let users search the entire Web, or all websites in a particular language, are caught.
- Cloud computing services. This includes organisations that offer B2B software as a service, infrastructure as a service or platform as a service.
- Micro and small enterprises are excluded. Even if a company meets one of the three criteria above, the NIS Directive will not apply if it has fewer than 50 employees and an annual turnover of less than EUR 10 million.
Security requirements: familiar territory…
Tech laws tend to be drafted broadly – setting out top-line principles rather than a blueprint for what to do. The NIS Directive follows this pattern.
For both OES and DSP, Member States are told to ensure that providers “identify and take appropriate technical and organisational measures to manage risks posed to the security of network and information systems…”
Using a phrase that crops up a lot in cybersecurity regulation, providers must have regard to “the state of the art” when enacting measures to reduce risks.
So what will this amount to in real life? Well, for OES, it will mean following sector-specific best-practice guidelines. For DSPs, it’s likely that national governments will drill down into the meaning of “appropriate technical and organisational measures” and turn it into slightly more prescriptive principles.
For instance, the UK government has already outlined five security principles for DSPs to follow to ensure compliance…
- “Proportionate” security measures to protect systems from attack or failure
- Appropriate structures and processes for effective incident management
- Capabilities for incident mitigation – including service restoration
- Threat detection to ensure defences remain continually effective
- Adherence to “internationally recognised cyber security standards”.
(N.B.: the law’s not going to tell you which SIEM package to buy or how to configure your firewall – that’s up to you).
The Directive compels Member States to have a comprehensive reporting regime in place. For DSPs, this includes a duty to report “without undue delay” to the “competent authority” any incident “having a substantial impact on the provision of a service”.
Who are the “competent authorities”? The UK’s Information Commissioner’s Office (ICO) looks set to become the competent authority for DSPs, while sector-specific bodies will be given the role of supervising OESs.
What are incidents with “substantial impact”? It’s all about the level of disruption. A complete outage rendering a service unavailable would be covered. The same goes for services that are running so slowly that they are essentially unusable. A series of shorter incidents causing disruption over time is also likely to be covered.
A 72-hour reporting window looks likely.
The Directive introduces a two-tier system of fines for non-compliance.
For a failure to report or failure to cooperate with the regulatory body, there’s a maximum fine of EUR 10 million or 2% of annual turnover.
For more significant breaches (including failure to implement appropriate security measures) fines are set at a maximum of EUR 20 million or 4% of turnover.
NIS Directive and GDPR
GDPR is concerned with the compromise of personal data. The NIS Directive is focused on keeping essential services running.
Let’s say a SaaS provider is hit by a DDoS attack. Personal data is not compromised – but the service is rendered unusable for an entire day. Although there’s no duty to report under GDPR, the company almost certainly would need to notify the regulator under the NIS Directive.
But let’s say there’s a service outage AND loss of personal data. The company will be faced with distinct reporting requirements under both the NIS Directive and GDPR. As the UK regulator puts it, “The requirements of each piece of legislation should be complied with on its own terms”. This raises the possibility of having to submit two reports to the regulator for the same breach!
Issues for contractors…
You’re not a DSP or an OES. So does the NIS Directive affect you?
Let’s say you provide support services (data management or managed security, for instance) to big healthcare facilities in the UK, Germany and France.
As the OES, it’s your client who will end up carrying the can if there’s an NIS breach – so they’ll look to flow down any obligations in their supply chain. Expect big clients to look carefully at their existing contractual arrangements, including indemnity provisions relating to faults at your end.
Check your contract, especially when it comes to notification requirements; if there’s a problem at your end which impacts your client’s service continuity, they’ll need to know about it right away.
EU Member States have until May 2018 to implement the Directive. As a directive rather than a regulation, it doesn’t apply automatically: each country must pass its own implementing law. Final drafts and guidelines are expected imminently in the UK, as they are right across the EU.