Noting that security incidents affecting information systems “are becoming bigger, more frequent, and more complex,” and that the majority of respondents to its consultation on the topic reported having experienced such an incident in the past year, today the European Commission released a proposal for a Directive “concerning measures to ensure a high common level of network and information security across the Union” (“Proposed Cybersecurity Directive”).
The stated aim of the Proposed Cybersecurity Directive is to achieve a high common level of network and information security (“NIS”) throughout the EU “by requiring the Member States to increase their preparedness and improve their cooperation with each other, and by requiring operators of critical infrastructure . . . as well as public administrations to adopt appropriate steps to manage security risks and report serious incidents to the national competent authorities.” Once such a Directive is adopted, Member States would have 18 months to implement its requirements via national law.
The Proposed Directive would require Member States to ensure that public administrations and so-called “market operators” take appropriate technical and organizational measures to manage the risks posed to the security of networks and information systems and to report significant incidents to regulators and, if so required, to the public. “Market operators” is defined to include providers of information society services (e.g., e-commerce platforms, internet payment gateways, social networks, search engines, cloud computing services, and application stores) and operators of critical infrastructure (e.g., energy companies, transport carriers, credit institutions, stock exchanges, and hospitals). Hardware and software providers seem to be exempted from the requirements to report incidents and take risk management measures.
With this proposal, Europe has now joined the United States in proposing broad legislation and cooperation strategies intended to improve public and private-sector cybersecurity. And, as in the United States, it is likely that a number of the proposed measures will be the subject of considerable debate. A further consideration for industries that would be subject to the Proposed Cybersecurity Directive is its relationship with the security breach notification and other provisions of the pending General Data Protection Regulation, which, as proposed by the Commission, calls for 24-hour reporting of suspected breaches of personal data and carries very significant penalties for noncompliance. As previously reported, the proposed Data Protection Regulation itself has been the subject of lively debate.
The key elements of the Proposed Cybersecurity Directive are:
- Development of a “national NIS strategy” by each Member State (Article 5)
Each Member State will have to create a national Network and Information Security (“NIS”) strategy defining the strategic objectives and the concrete policy and regulatory measures to achieve and maintain a high level of network and information security. The national NIS strategy must in particular address the issues listed in Article 5, para. 1 of the Proposed Cybersecurity Directive, e.g., a definition of the objectives and priorities of the strategy based on an up-to-date risk and threat analysis; identification of measures for preparedness, response and recovery, including cooperation mechanisms between the public and private sectors; and an indication of education, awareness-raising and training programs as well as research and development plans.
The national NIS strategy must also include a national NIS cooperation plan complying with the minimum requirements set out in Article 5, para. 2. These include a risk assessment plan to identify vulnerabilities and threats and to assess the impact of potential incidents, and the definition of cooperation and communication processes that ensure prevention, detection, response, repair and recovery and that are modulated according to the alert level.
- Creation of a “national competent authority on the security of network and information systems” (“Competent Authority”) in each Member State (Article 6)
The Competent Authorities shall not only monitor the application of the Directive and receive incident notifications, but shall also enforce the obligations imposed on market operators and public administrations under Article 14. This includes the power to require market operators and public administrations to provide the information needed to assess the security of their networks and information systems, including their documented security policies, and the right to have them audited.
- Creation of a “Computer Emergency Response Team” (“CERT”) for each Member State (Article 7)
Each Member State has to set up a CERT meeting the requirements of Annex I, which also outlines a minimum set of CERT tasks, ranging from building broad public awareness of the risks associated with online activities to responding to incidents. The CERT may be established within the Competent Authority, but this is not required.
- Obligations for public administrations and market operators to implement security measures and to report certain incidents (Article 14)
The obligations of market operators to take appropriate technical and organizational measures to manage the risks posed to the security of their networks and information systems, and to report incidents having a significant impact on the services they provide, can not only be enforced under Article 15 but are also subject to penalties to be implemented by the Member States (Article 17).
- Implementation of a “cooperation network” (Article 8)
The purpose of the cooperation network is to enable the national Competent Authorities, the EU Commission and, in certain cases, ENISA and the Europol Cybercrime Center to share information so that they can cooperate against NIS risks and threats. The cooperation network shall also include a “secure information-sharing system” (Article 9) for the exchange of sensitive and confidential information. Furthermore, “early warnings” shall be provided within the network (Article 10).
- Creation of a “Network and Information Security Committee” (Article 19)
The task of the Network and Information Security Committee is to assist the EU Commission in supervising the implementation of the Directive.
An EU-wide approach to cybersecurity risk management will likely be welcomed by key stakeholders in business and government as a better alternative to potentially conflicting actions by each European Member State. However, criticisms of some of the measures suggested by the Proposed Cybersecurity Directive have already surfaced. Beyond the mandates on key industry sectors, the creation of centralized national authorities that would have potential access to information stored in internet payment gateways, social networks, search engines, and cloud computing services, and that would cooperate with law enforcement authorities, will most likely become an issue during the further legislative process.
This post was written by Hogan Lovells partners Harriet Pearson (Washington, D.C.) and Marcus Schreibauer (Dusseldorf).