New EU cyber security legislation: a Q & A with Andreas Schwab
On 6 July, the European Parliament voted to adopt the Directive on Security of Network and Information Systems (the NIS Directive). The first comprehensive EU-wide legislation on cyber security aims to create a more secure and trusted online environment in Europe. Hannfried Leisterer, cyber security researcher at the Humboldt Institute for Internet and Society (HIIG) Berlin, conducted an interview with Member of European Parliament Andreas Schwab, rapporteur for the NIS Directive.
Companies in critical sectors such as energy, telecommunication, transport, banking and health are required to adopt risk management practices and to report major security incidents that can affect businesses in other EU member states. Furthermore, the NIS Directive is intended to support and facilitate strategic cooperation between EU member states as well as the exchange of information among Computer Security Incident Response Teams (CSIRTs).
The network and information security (NIS) Directive was proposed by the European Commission on 7 February 2013 as part of its cyber security strategy for the European Union. The Council of the European Union, which comprises representatives of the EU member states’ governments, formally adopted new rules on 17 May 2016 to increase the security of network and information systems across the EU. The NIS Directive was approved by the European Parliament on 6 May 2016, becoming effective EU law in August 2016, and will give EU member states 21 months to adopt the necessary national provisions.
1. What is the difference between the European Commission’s initial proposal and the amended version that is about to become EU law?
The Commission proposal’s key elements were:
Under the Commission proposal, “operator[s] of critical infrastructure that are essential for the maintenance of vital economic and societal activities in the fields of energy, transport, banking, stock exchanges and health” were supposed to fall under the directive, as well as “provider[s] of information society services which enable the provision of other information society services”. This includes cloud computing services, platforms of economic commerce or search engines. Public administrations were also explicitly included. These market operators were therefore obliged to notify the competent authority of incidents with “a significant impact on the security of the core services they provide” and to take appropriate measures simultaneously. Moreover, each EU member state was supposed to designate authorities competent for NIS, appoint Computer Emergency Response Teams and create national NIS strategies as well as NIS cooperation plans.
Substantial changes through Parliament’s first reading
In the first reading, the Parliament supported the main objectives of the Commission’s proposal. However, the EU member states mainly lacked adequate resources to conduct the supervision and the confidence to cooperate. The industry criticised that the draft directive would not adequately take any consequential damage into account. In this context, the Parliament changed the following key aspects in March of 2014:
- The designation of one or more authorities, which are competent for NIS, per EU member state and a “single point of contact” to comply with the federal character of some EU member states.
- The restriction of the scope of the directive to privately or publicly organised operators of critical infrastructures in the sectors of energy, transport, health care, food supply, water extraction and supply as well as internet exchange points. The applicability of the directive must not be dependent on the legal form a company has.
- Non-inclusion of micro enterprises; these are companies with fewer than ten employees and an annual turnover or annual balance sheet total not exceeding EUR 2 million.
- The adoption on a voluntary basis by public administrations (e.g. ministries), because they have to be resilient ex officio.
- The exclusion of information society service providers because of a lack of real criticality. When it comes to criticality of critical infrastructures, it is all about the significance in relation to the consequences of a malfunction of important goods and services to the society’s security of supply, which also includes the functioning of the internal market. Information society service providers are not those critical infrastructures, which are not absolutely necessary to the internal market.
- In addition, the EU Parliament’s text included small changes regarding reporting obligations.
- A consideration of breaches only in cases of willful intent or gross negligence.
Substantial changes through Parliament’s second reading
In the second reading, an agreement was reached on 7 December 2015. After lengthy discussions, also within the Council, the European Parliament was able to include the following important points in the directive:
- The directive now includes that EU member states have to name agencies which are in charge of IT security according to article 6 of the directive and which coordinate the intelligence of the Computer Emergency Response Teams (CSIRTs). Usually, they are also meant to be the central contact point for trans-border cooperation.
- Providers of essential services, in the sectors of energy, transport, banking, financial market infrastructures, health, drinking water supply and distribution, and digital infrastructure have to fulfill certain security requirements. They are also obliged to notify the national cyber security agencies about relevant cyber-attacks. For the identification of providers of essential services, criteria are defined in the directive. Thereby, the directive establishes a minimum harmonisation. This helps to ensure the consistency of the identification of essential services in the different EU member states. In principle, the public administration is not incorporated into the scope of the directive.
- Certain providers of digital services (in particular cloud providers, search engines and online marketplaces) were excluded from the Commission proposal, but were readopted under pressure from the Council. Those are defined for the first time in this directive. They are subject to new rules as long as they are not small- or micro-entrepreneurs. They follow a simplified procedure (security requirements, report of significant cyber-attacks). They also have to meet proportional state-of-the-art security requirements. The definition of providers of digital services and the procedural obligations are fully harmonised so the EU member states cannot deviate from them anymore.
- The directive introduces strategic collaborations between the EU member states as well as collaborations on a technical level between the CSIRT networks. For example, the EU member states themselves are meant to elaborate strategic guidelines for the operations of the CSIRT networks, to exchange ideas or to cooperate on the establishment of critical infrastructures. This is also possible through the involvement of different agencies (e.g. the European IT security agency ENISA), standardisation bodies or stakeholders.
- The Computer Emergency Response Teams are to counsel EU member states on how to solve cross-border cyber incidents.
- Critical infrastructures are supposed to comply with proportional, state-of-the-art security constraints.
- Providers of essential services are to report cyber-attacks, which have significant impacts on the continuity of their services, immediately.
- EU member states have to establish penalties for non-compliance with the NIS Directive, which are implemented in national law.
2. Which industries and businesses will be affected by the new rules? Will “over the top” (OTT) providers (such as Skype) – who may have enjoyed a financial advantage from being unregulated on cyber security issues – be caught by the new directive? Will the directive be a financial burden for web companies (e-commerce, social media, app developers, etc.) operating in Europe?
The new rules will concern first and foremost providers of critical infrastructures in the following sectors: energy, transport, banking, financial market infrastructures, health sector, drinking water supply and distribution and digital infrastructures. Furthermore, it will concern providers of digital services, namely online marketplaces, online search engines and cloud computing services.
OTT providers will have obligations under the directive as far as the services they provide fall under the scope of the directive. This means that if an OTT provider offers services such as an online marketplace, an online search engine or a cloud computing service, it falls under the directive and has to fulfill the obligations the directive imposes.
To avoid imposing a disproportionate financial and administrative burden on operators of essential services and digital service providers, the requirements the directive imposes do not apply to micro- and small enterprises.
3. What is the scope of application in relation to other EU legislation (e.g., ePrivacy Directive, General Data Protection Regulation, Regulatory framework for electronic communications)?
The NIS Directive explicitly states that it respects the fundamental rights, and observes the principles, recognised by the Charter of Fundamental Rights of the European Union, in particular the right to respect for private life and communications, the protection of personal data, the freedom to conduct a business, the right to property, the right to an effective remedy before a court and the right to be heard.
Regarding the regulatory framework for electronic communications, the directive states that the obligations on operators of essential services and digital service providers should not apply to undertakings providing public communication networks or publicly available electronic communication services within the meaning of directive 2002/21/EC of the European Parliament and of the Council [editor’s note: e.g. Internet access providers], which are subject to the specific security and integrity requirements laid down in that directive.
4. The NIS Directive will establish a strategic Cooperation Group to facilitate the exchange of information and best practices among EU member states. In addition, a network of national Computer Security Incidents Response Teams (CSIRTS) will be established to discuss cross border security incidents and identify coordinated responses. What kind of cooperation among the EU and EU member states will the NIS Directive create? Will there be an increased and better information sharing among EU member states?
The directive aims to create a strong cooperation with regard to network and information security in the European Union. The EU member states will from now on have the obligation to establish national cyber security agencies for NIS and adopt national NIS strategies and national NIS cooperation plans.
The national cyber security agencies will be charged with the coordination of the different international teams in case of an information security incident. They will also hold the function of ‘single point of contact’ for the cooperation between the EU member states regarding cyber security. National cyber security agencies will cooperate with one another and information will be shared between the private and public sectors.
The NIS Directive will help improve information sharing between the EU member states and put in place a culture of risk management.
5. What is the purpose of reporting cyber security incidents? What will the agencies and authorities do with the data? Can European and national players inform the public about important incidents and vulnerabilities?
Cyber security incidents very often have a cross-border element and thereby concern more than one EU member state. The NIS Directive obliges EU member states to ensure that operators of essential services or digital service providers notify the competent authority or the CSIRT of incidents having a significant impact on the service they provide. The notification shall include information enabling the competent authority or the CSIRT to determine any cross-border impact of the incident, in which case the other EU member states affected will be informed. This way, security measures in other EU member states can be taken and cyber security incidents can be handled more quickly. The competent authority or the CSIRT may also provide the notifying operator with relevant information regarding the follow-up of its notification, such as information that could support the effective incident handling.
The public may be informed about individual incidents where public awareness is necessary, in order to prevent an incident or to deal with an ongoing incident.
6. What will the EU member states be required to do?
To guarantee a high level of security all over the European Union, EU member states will from now on be obliged to adopt a national NIS strategy, defining the strategic objectives and appropriate policy and regulatory measures with a view to achieving and maintaining a high level of security of network and information systems. They also have to define national cyber security agencies, single points of contact and CSIRTs with tasks related to the security of network and information systems. Furthermore, EU member states have to put in place a national NIS cooperation plan.
7. Ahead of the NIS Directive, the German Parliament adopted the IT Security Act (IT-Sicherheitsgesetz) in June 2015 under which so-called critical infrastructures will have to implement and audit state-of-the-art technical and organisational measures regarding their IT. Do you still see a need for the German legislator to act? Which EU member states will have to rethink their cyber security strategy?
A considerable fragmentation exists between the different EU member states with regard to cyber security, due to a nationalisation of the issue. In many EU member states, cyber security is considered a matter of national security that should be regulated by the EU member state itself. EU member states such as Germany, France and Great Britain have already established cooperation among themselves. The network and information security in these countries is already well developed; however, in other countries, especially in several Eastern European countries, the level of security is not yet sufficient. Because of the interconnection between different systems and the cross-border aspect, a fragmentation with regard to cyber security presents an important vulnerability of the network and information security systems and a big risk for the security situation in Europe as a whole. The NIS Directive will establish a minimum common level of network and information security and is a big step in preventing fragmentation within the European Union.
8. ENISA, the EU’s agency for Network and Information Security, will also play a key role in the new regime, for example in relation to improving coordination and cooperation between EU member states. How would you describe the new mission? How long will it take to be fully operational?
The role of ENISA is to assist the EU member states and the European Commission. They may ask ENISA for expertise and advice, and ENISA will also help facilitate the exchange of best practices. EU member states, especially national cyber security agencies, may request the assistance of ENISA in developing national strategies on the security of network and information systems.
ENISA will have to fulfill its new role from the beginning, as soon as the NIS Directive enters into force.
9. What are the main conflicts and fault lines that you expect with the introduction of the directive, between national cyber security agencies and ENISA?
While ENISA mainly has an advisory role, the national cyber security agencies are in charge of monitoring the application of the directive at the national level. The tasks of ENISA as well as the national cyber security agencies are clearly defined in the directive.
10. How does the EU legislator ensure that EU member states will not take too different approaches to risk management and incident reporting for companies?
Regarding operators of essential services, the directive introduces a minimal harmonisation. EU member states have to adhere to a minimum security standard, but may put in place higher security requirements than what the directive requires. To avoid fragmentation in the area of network and information security between the EU member states, the European Commission as well as the Cooperation Group ensure that the identification of operators of essential services is consistent in the different EU member states.
With regard to digital service providers, the directive puts in place a full harmonisation, meaning that rules concerning digital service providers have to be the same in all EU member states. Since there is nearly always a cross-border element in the provision of digital services, a full harmonisation on the European level is indispensable to provide for legal certainty.
This blogpost was published first on Internet Policy Review.
This post is part of a weekly series of articles by doctoral candidates of the Alexander von Humboldt Institute for Internet and Society. It does not necessarily represent the view of the Institute itself. For more information about the topics of these articles and associated research projects, please contact email@example.com.