Cyber security is a prominent issue on the EU’s digital agenda. Many governments and companies are vulnerable to cyber security threats. For this reason, there has recently been a push for a directive that would harmonise Member State rules on cyber security. This led to a proposal for a Directive of the European Parliament and of the Council concerning measures for a high common level of security of network and information systems across the Union. An agreement on the proposal was reached on the 7th of December 2015, and on the 14th of January 2016 the EU’s internal market committee voted to support the agreement. Two categories of companies are affected by this legislation: those considered to be “providers of essential services” and “digital service providers”.
Providers of essential services include:
- Financial Market Infrastructures
- Digital Infrastructure, comprising:
  - Internet exchange points
  - Domain name system (DNS) providers
  - Top-level domain name registries
- Health Sector
- Drinking water supply and distribution
- Processing of Personal Data (Electronic Communications Sector) Regulations
This list is not exhaustive; it is left to each Member State to decide which entities constitute “operators of essential services”. An operator of an essential service has certain duties under the new Directive, including:
- The duty to take appropriate measures to prevent and minimise the impact of incidents affecting the security of the network and information systems used for the provision of such essential services; and
- The duty to notify the competent authority, without undue delay, of incidents having a significant impact on the continuity of the services they provide.
The following parameters are to be taken into account when determining the significance of the impact of an incident:
- The number of users affected by the disruption of the essential service
- The duration of the incident
- The geographical spread with regard to the area affected by the incident
The competent authority will have the powers and means to require the operators of essential services to:
- Provide the information needed to assess the security of their networks and systems; and
- Provide evidence of effective implementation of security policies
Obligations are likewise imposed on providers of “digital services”. These include:
- Services which allow online consumers or traders to conclude online contracts (sales or service);
- Online search engine services (in-built website search functions do not fall within the scope of this Directive); and
- Different types of cloud computing services.
A digital service provider falls under the jurisdiction of the Member State in which it has its main establishment, or head office. A provider established outside the EU that offers services within a Member State must designate a “representative” establishment within that Member State, and will fall under the jurisdiction of the Member State where that representative is established. Therefore, a non-EU establishment offering services within the EU will still need to comply with the provisions outlined in this Directive.
Duties of Providers of Digital Services
The digital service providers falling within the scope of this Directive must:
- Identify and take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of their networks and information systems, whilst taking into account the following elements:
  - Security of systems and facilities;
  - Incident management;
  - Business continuity management;
  - Monitoring, auditing and testing; and
  - Compliance with international standards;
- Take measures in order to ensure the continuity of the services by preventing and minimising the impact of incidents that affect the security of the networks and information systems used; and
- Conform with a reporting scheme to be established by the Member State in question, under which it must notify the competent authority, without undue delay, of any incident which may have a substantial impact on the provision of the service.
In order to determine the impact of an incident, the following parameters are to be taken into account:
- The number of users affected by the incident, particularly the number of users which rely on the service in order to provide their own services;
- The duration of the incident;
- The geographical area affected by the incident;
- The extent of the disruption of the functioning of the service; and
- The extent of the impact on economic and societal activities.
Competent authorities will have the necessary powers and means to:
- Require the digital service providers to provide information needed to assess the security of their networks, including documented security policies; and
- Require the digital service providers to remedy any failure to fulfil the requirements set out above.
Companies which are not providers of essential services may still report incidents which have a significant impact on the services they provide. This may be done through a voluntary notification, and the company will not be subject to any other obligations under this Directive.
Smaller companies may also be affected by this Directive, as they may need to implement security controls in their systems in order to comply with these laws. By the time this Directive comes into force, which will be in 2018, all companies falling within its remit will need to be fully compliant.
It is therefore recommended that companies:
- Implement a company-wide cyber security policy in order to ensure IT and information security
- Identify any areas within their IT networks which might be vulnerable to an attack
- Prepare a network and information security response plan
- Set up an incident response team
- Ensure that suppliers and subcontractors implement security measures and provide periodic evidence that these measures are appropriate and effective
- Implement training and awareness programmes and ensure employees and suppliers are aware of the security response plan, and are able to comply with it.