Stewart James gives an account of this important new pending directive
The vulnerability of computer systems to malign events has been a regular feature in the news over the last couple of years, particularly following events such as the TalkTalk data breach in October 2015 or the repeated Sony Playstation hacks since 2011. The UK government estimates that online crime now costs the country £27bn a year, and a recent report by PricewaterhouseCoopers indicated that cyber incidents have risen by 38% since 2014.
The conduct of any malign online activity is frequently referred to collectively as 'cybercrime', which covers a broad range of activities including crime, data breaches, activism, terrorism or even acts of war. However, this categorisation tends to mask the potential impact that such activities can have on commerce and the potential threat to infrastructure and the wider economy.
The borderless nature of the Internet means that cybercrime can and frequently is conducted from outside the target's jurisdiction, making collaboration and co-operation between states particularly important. International conventions, such as the Budapest Convention on Cybercrime 2001, provide for cooperation between member states and their national law enforcement agencies, but its sanctions were diluted by the need to achieve consensus and its effect is limited, in any event, to those states that have ratified it.
In February 2013 the EU Commission proposed a directive to ensure a common level of network and information security (NIS) within the EU. Colloquially referred to as the 'Cybersecurity' Directive, the draft achieved agreement between the EU Parliament, Council and Commission on 7 December 2015 and was endorsed by the Committee of Permanent Representatives on 18 December 2015.
The draft has naturally evolved during its passage through the trialogue, but it aims to establish minimum standards of NIS and reporting requirements for serious breaches. Member States will also be required to co-operate on NIS, exchange information in relation to breaches and offer assistance in relation to best practices to prevent breaches and assist members to secure their infrastructure.
Once the text has been finalised, it will need to be formally approved by the Council and by the Parliament. The procedure is expected to be concluded in the spring of 2016 and Member States will then have 21 months to implement the Directive into national law. They will then have a further six months to identify their national Operators of Essential Services.
The draft directive requires Member States to adopt a national strategy that will define the strategic objectives, policy and regulatory measures, and designate a national competent authority, for the implementation and enforcement of the Directive. This will include the establishment of Computer Security Incident Response Teams (CSIRTs) with responsibility for handling incidents and risks.
The draft directive also requires the creation of a 'Cooperation Group' between Member States in order to support and facilitate strategic cooperation between Member States, the exchange of information among them and to develop mutual trust and confidence. The Commission will provide the secretariat for the Cooperation Group, which will be composed of representatives from the Member States, the Commission and the European Network and Information Security Agency (ENISA).
Each Member State must also designate a national single point of contact for cooperation on NIS, which may be an existing authority. Where a Member State designates only one competent authority, that competent authority will also be the single point of contact.
The single point of contact will be required to exercise a liaison function to ensure cross-border cooperation between reciprocal single points of contact for the other Member States, with the relevant authorities of the other Member States and with the Cooperation Group and the network of CSIRTs. The single point of contact will also be required to submit an annual summary report to the Cooperation Group on the number and nature of notifications received, and the actions taken in response.
Unlike the original draft, which was more uniform in its approach, the revised draft now draws a clear distinction between Operators of Essential Services and Digital Service Providers, with different security and incident reporting rules applying to each.
The differential approach is justified on the basis that Operators of Essential Services are typified by their direct link to physical infrastructure, and that Digital Service Providers are likely to be involved in the provision of cross-border services. Member States will be required specifically to identify the Operators of Essential Services within industry sectors and impose stricter requirements on them. By contrast, the draft directive is based on the belief that Member States should not identify Digital Service Providers, and that the directive should apply a lighter regime to those providers.
The three criteria that bring an organisation within the definition of an Operator of Essential Services are that:
1. they provide a service that is essential for the maintenance of critical societal and/or economic activities;
2. the provision of that service depends on NIS; and
3. an incident impacting the NIS for that service would have significant disruptive effects on the provision of those services.
These criteria will principally apply to organisations within the utilities, transport, banking and financial services, health and digital infrastructure sectors. Digital service providers are identified by reference to Annex III and include online market places, search engines and cloud computing service providers, but hardware manufacturers and software developers are specifically excluded, as are micro and small enterprises and social network providers.
When determining the significance of the disruptive effect, Member States will need to take into account the number of users relying on the services provided by the entity, their dependency on those services and the availability of alternatives, as well as the entity's market share. Member States will also need to consider the impact that an incident could have, in terms of its degree and duration, on economic and societal activities or public safety, and geographic spread.
Once identified as an Operator of Essential Services, an organisation will need to take appropriate measures to prevent and minimise the impact of incidents affecting the security of the NIS it uses with a view to ensuring the continuity of its services. These operators will also need to notify the relevant competent authority or CSIRT without undue delay of any incidents having a significant impact on the continuity of the essential services they provide.
Digital Service Providers are subjected to a less onerous regime, but are required to take appropriate and proportionate technical and organisational measures, having regard to the state of the art, to manage the risks posed to the security of the NIS used in the provision of services within the EU. In doing so, providers are required to take into account: the security of systems and facilities; incident management; business continuity management; monitoring, auditing and testing; and compliance with international standards.
Digital service providers will also be required to notify any incident having a substantial impact on the provision of a service to the competent authority or to the CSIRT without undue delay. To determine the impact of an incident, providers will be required to take into account the extent and duration of the incident and its geographical spread, the number of users affected (including the impact on the vertical supply chain) and the extent of the impact on economic and societal activities.
In both instances, notifications should include sufficient information to enable the competent authority or the CSIRT to determine any cross-border impact of the incident. In accordance with the provisions of the draft directive, notification should not expose the notifying party to increased liability, which is intended to encourage a culture of risk management and ensure that the most serious incidents are reported.
NIS plays a vital role in society, where reliability and availability are essential for economic and societal activities. This is true in any market, but the Commission believes this is particularly important for the functioning of the EU's internal market. The draft Directive therefore seeks to establish a common minimum standard for the security of networks and information and for the exchange of information and cooperation between Operators of Essential Services and Digital Service Providers.
However, the draft Directive gives priority to other regulations or directives that contain provisions concerning NIS where these have equivalent effect. Furthermore, the Directive will not apply to micro and small enterprises, though consideration of the impact of an event may mean that such enterprises, where their role is material, are drawn back within the scope of the Directive. This may not, however, be identified until the specifics of an incident are known.
The duty to notify the competent authority or the CSIRT will apply to Operators of Essential Services and Digital Service Providers who are established in the EU. Where a Digital Service Provider is established outside the EU but provides services within it then it will need to designate a representative. However, the competent authority will have no obligation to supervise Digital Service Providers and entities that fall outside the scope of the Directive will not have an obligation to notify incidents, though they may do so voluntarily.
Whilst one of the objectives of the Directive is to share information, competent authorities must also balance the public interest in being informed about threats with the possible reputational and commercial damage that can be caused by reporting incidents. There is also a particular need to keep information about particular vulnerabilities confidential until the release of the appropriate security solution.
The impact of the Directive on affected businesses will largely depend on the enforcement powers granted to national authorities, and the approach taken by those authorities in exercising those powers. The relevant national authorities and the European Commission are expected to issue further guidance once the Directive is finalised, but penalties should be effective, proportionate and dissuasive.
The nature and frequency of incidents relating to network information and security are changing and evolving rapidly. The challenge for the Commission is to make the draft directive relevant, practical and enforceable. The requirement for a minimum baseline for NIS standards and establishing a culture of cooperation and sharing of information is intended to do this, although arguably organisations like ENISA are already achieving this.
Stewart James is a Partner at Ashfords LLP, based in Bristol. He wishes to thank Nadia Avraham for her help with research and in contributions to the text.