Briefing: the NIS Directive on cybersecurity

This week the EU’s NIS Directive on cybersecurity went into effect across Europe.

Relax: this legislation only impacts digital businesses which provide critical systems and networks.

You do, however, need to spend some time learning about the Directive and whether it will impact you.

What is the NIS Directive about?

The Directive on Security of Network and Information Systems, or the NIS Directive, requires companies working in “essential sectors” to up their game on network security and incident reporting. “Essential” means sectors like transport, health, banking, food supply, water and energy, and so forth: sectors which, in our increasingly ugly world, are the target of potentially catastrophic network attacks.

These impacted sectors will be required to improve their standards and procedures on network and infrastructure security.

It’s likely that many of these businesses across Europe will already have national, sector-specific security standards and guidelines in place. Where that is the case, the sector-specific standards will stand as the compliance requirement over the specifications of the NIS Directive.

Impacted sectors and businesses will also be required to report major incidents, in real time, to new national cybersecurity authorities which will be set up in each member state as part of this regulation. Working together, these national authorities will create an advanced European security hivemind which will proactively monitor and communicate incidents in real time across sectors.

It’s easy to understand why a system like this is needed, even if that comprehension is rather depressing. These incidents rarely occur in isolation, and our continent has no borders.

What about digital businesses?

For our purposes, the Directive also applies to digital service providers whose activities have a major and proportional impact on the functioning of the economy. These include:

  • Internet exchange points
  • DNS service providers
  • TLD registries
  • Search engines
  • Online marketplaces
  • Cloud computing services

The definitions of what businesses will qualify under each category are flexible and open to interpretation by each member state. We’ll come to this a little later.

The NIS Directive is not about everyday digital businesses, nor is it about garden-variety hacking attempts or malware. The Directive is about identifying and responding to large-scale, targeted attacks on systems which could have a domino effect across the continent.

Are there any exemptions?

There’s a pleasant surprise here: digital businesses which fall under the EU’s definition of micro- and small digital enterprises are specifically exempted from the NIS Directive. The official definition of a micro- or small enterprise is one which employs fewer than 250 people and has an annual turnover not in excess of €50 million.

(Obviously they never played hardball with Jon Postel.)

That being said, to use just one example, a cloud hosting provider with fewer than 250 employees but a turnover over €50 million could be considered critical enough to fall under the scope of the Directive, depending on many other factors.

Another group exempted from compliance requirements is hardware and software developers. This regulation is about wider issues of network security, not the tools themselves, and the EU notes that their output is already subject to existing rules on product liability.

What happens next?

The NIS Directive is, obviously, a directive. This means that as of this week it has been sent to every European member state for implementation into national legislation. That must be done within 21 months from now. In other words, your compliance obligations begin in May 2018.

If that date sounds familiar it’s because GDPR also takes effect in May 2018. As network security and data protection work hand in glove, you would be wise to work towards compliance with both laws as if they were one and the same.

Each member state will now legislate the definitions of the security measures required, the definitions of affected businesses, the reporting requirements for impacted sectors, and the definitions of a major reportable incident. They will also begin planning the cybersecurity monitoring unit required under the Directive.

How do you comply?

If your digital business falls under the NIS Directive, your next step will depend on how your business is incorporated within Europe. If you are based in an EU member state, you need to monitor and comply with that state’s implementation of the NIS Directive. For example, a Dutch business must comply with the Dutch NIS Directive.

If you do not have an incorporated presence in Europe, but do business in Europe or target European customers in a way that passes the obvious tests, you will need to designate a representative within Europe for the purposes of the Directive. Any notifications would be made to that representative under the law and jurisdiction of that member state as if you were located there. (Many of you will already have chosen a member state for VATMOSS purposes.)

As with all Directives, member states can legislate additional requirements over and above the EU baseline to meet specific national needs. This is why you must carefully monitor your own member state’s implementation of the Directive.

What about Brexit?

What about it? There is no date for Britain leaving the EU, nor might there ever be. It is certainly not 2018.

Even if that does happen, network-level cybersecurity attacks do not stop at Calais. For that reason, impacted UK businesses trading in the EU after any Brexit would need to designate a European representative member state for NIS Directive purposes, as discussed above.

What about noncompliance?

One of the areas being left to individual member states is the form that noncompliance penalties will take.

The good news is that regulation will be light-touch and reactive. There will be no active or heavy-handed pre-emptive supervision of impacted digital sectors by national cybersecurity authorities.

National cybersecurity authorities will only take action when provided with concrete evidence regarding an incident, which of course is likely to be submitted after the fact. This can be done through self-reporting, a report from another member state, or a report from a service user.
