On December 7, 2015, more than two and a half years after the first draft, the Council of the European Union reached an informal agreement with the European Parliament on the Network and Information Security Directive (“NIS-Directive”), a set of cybersecurity rules affecting companies across the EU. The agreement is the culmination of the European Commission’s cybersecurity strategy, which began in February 2013 with the Commission’s proposed draft directive on measures to ensure a common high level of network and information security across the Union. Final adoption of the NIS-Directive will have several important consequences: increased focus by boards of directors on cybersecurity risk, and the need for companies to increase their investment in information security, to prepare and implement cybersecurity incident response plans, and to conduct comprehensive internal investigations into the circumstances of a cybersecurity event in order to comply with the forthcoming reporting obligations.
As initially proposed by the Parliament on March 13, 2014, the NIS-Directive would, for the first time, set out cybersecurity and incident-reporting obligations for operators of essential services and for digital service providers, and would establish a strategic cooperation network to facilitate information sharing. The agreed text will be presented to the member states’ representatives on December 18, 2015, and then needs to be formally adopted by the Council and the Parliament. Once the NIS-Directive enters into force, the member states will have 21 months to adopt the necessary national provisions and an additional six months to identify their operators of essential services.
Brief overview of the NIS-Directive
The NIS-Directive introduces a number of measures aimed at improving the state of cybersecurity across the EU. Its emphasis is on establishing a high level of network and information security through improved cooperation between the member states and between the public and private sectors, and through the establishment of computer security incident response teams.
Although the specific language of the recently approved draft NIS-Directive is not yet publicly available, the following features are widely expected to be included:
- Implementation of clearly defined, consistent cybersecurity standards for companies in “critical” sectors (sometimes referred to as critical infrastructure), such as energy, transport, banking, health care and water supply, as well as for some providers of online marketplaces, search engines and cloud platforms. This is broadly comparable to what the U.S. has done with the NIST Cybersecurity Framework, with the important difference that the NIST framework is voluntary, whereas the NIS-Directive’s requirements will be binding on the organizations in scope.
- Mandatory reporting to national authorities of cybersecurity incidents and data breaches affecting critical infrastructure.
- Creation of a cooperation network between the competent authorities and the Commission to share information and tactics to better understand and address cybersecurity risk, which could facilitate sharing of early warnings on risks, threat indicators, cybersecurity intelligence, and best practices on protecting networks.
- Establishment of Computer Security Incident Response Teams (CSIRTs) and of national competent authorities for cybersecurity, equipped with adequate technical, financial and human resources, which would be responsible for consulting, cooperating and coordinating with the relevant national law enforcement authorities and data protection authorities.
- Requirement that member states establish rules imposing sanctions on organizations that fail to comply with the national provisions adopted pursuant to the NIS-Directive, and that they take the measures necessary to ensure those sanctions are enforced. The sanctions must be effective, proportionate and dissuasive.
Impact on Businesses
The NIS-Directive will require operators of critical infrastructure and digital service providers to take actions aimed at improving their networks’ ability to resist cyber-attacks, and organizations will also have to consider establishing a compliance function around the new requirements. Accordingly, many organizations, specifically cloud service providers, online search engine providers, online marketplaces and other digital service providers, will need to actively assess the security and integrity of their network resources.
The reporting obligations also mean that companies should strongly consider conducting post-attack investigations, directed by legal counsel, to determine the extent of their reporting obligations, especially given the likelihood of significant fines and penalties from national authorities for companies that fail to comply. Moreover, because companies will no longer be able to remain silent in the event of a security breach, they should plan proactively for how they will manage brand and reputation after an incident. These complicated considerations are best handled through preparation and incident response planning.
Special Considerations in Germany
In July 2015, the new Act to Increase the Security of Information Technology Systems (“IT Security Act”) came into force in Germany. The IT Security Act affects companies in the energy, information technology and telecommunications, transportation, health, water, food, finance and insurance sectors (“critical infrastructure”). The affected companies have two years to introduce the cybersecurity measures necessary to ensure that the functionality and availability of their services are not jeopardized by cyber-attacks. They also have to report major incidents and security breaches. Fines of up to EUR 100,000 can be imposed on companies that do not comply with these requirements.
Guidelines for companies are already available for some services, helping companies avoid mistakes when offering their digital services. For example, in July 2015, the German Federal Government IT Advisory Committee issued new cloud computing service criteria for all prospective vendors to German federal agencies (see Orrick’s client alert German Federal IT Committee Issues New Restrictions for Cloud Service Providers).