More and more business value and personal information is migrating into digital form on worldwide interconnected platforms. This brings an equally large risk of cyberattacks. You just need to go back to October 2015, when the telecom group TalkTalk suffered from a cyberattack that cost the company over €41m. Nearly 157,000 of its customers’ personal details were accessed and 28,000 stolen credit and debit cards were “obscured”. The cyberattack caused TalkTalk shares to lose one third of their value. Conscious of the real cost of cybercrime, on 6 July 2016 the European Parliament adopted the Network and Information Security Directive (Directive (EU) 2016/1148) (the “NIS Directive”), which will enter into force on 8 August 2016. EU member states have until 10 May 2018 to adopt national measures to transpose the requirements of the Directive.
The NIS Directive responds to the threat posed by cyberattacks against critical infrastructure and the need to strengthen Europe’s cyber resilience. It has a significant impact on businesses supplying essential services and operating critical infrastructure in the field of energy, transport, banking, health or digital services. In addition, at member state level, it will require the adoption of domestic structures and cooperation mechanisms. Faced with a Directive with implications for both public bodies and businesses, it is essential to understand the key aspects and controversies around it.
Five key features
National frameworks: The Directive requires national strategies that allow for concrete policy and regulatory measures to safeguard a minimum level of network and information security. This will imply the designation of a national competent authority responsible for managing incidents and risks.
Cooperation networks: The European Commission, member states and the European Network and Information Security Agency will establish a cooperation group with the objective of collaborating to counter cybersecurity threats.
Notification requirements: Operators of essential services have to put in place procedures to assess the significance of network and information security incidents. An operator of essential services is not required to notify other parties. However, a national competent authority may decide to inform the public.
Use of standards: To encourage convergent implementation, member states must use European or internationally accepted standards relevant to the security of networks and information systems. Such standards have not been expressly defined in the NIS Directive.
Enforcement: Competent authorities at a national level are given the power to investigate cases of non-compliance. They may report criminal incidents to law enforcement agencies and collaborate with data protection authorities when incidents involve personal data.
Potential legal vacuum
There are two aspects that remain ambiguous and could potentially lead to a situation of legal uncertainty. One is the system of penalties (Article 21), as the Directive simply requires member states to put in place “effective, proportionate and dissuasive” sanctions. It remains to be seen what sanction regime member states develop before the deadline of 8 May 2018.
The other delicate issue concerns the mechanism of incident notification (Article 14.3 and 5, and Article 16.3 and 6). The Directive is silent on the terms for the public disclosure of an incident. Publishing this information could have a great impact on a company’s economic position and corporate reputation.
Three years after its initial proposal, we should acknowledge and acclaim the joint institutional effort to create a more secure and trusted online environment. However, it is notable that the NIS Directive is a minimum harmonisation instrument. This means all eyes will now focus on member states’ ability to make this Directive a reality at national level.