Cybersecurity issues are regularly in the news. Whether it concerns the WannaCry and NotPetya attacks earlier this year, or the Meltdown and Spectre vulnerabilities found this month, these issues pose a serious threat to the integrity and security of IT systems and networks in the European Union and around the globe.
As stated in my previous blog, the EU is taking steps to improve overall network and information security and (personal) data protection. A lot of attention is being given to the imminent application date for Regulation (EU) 2016/679 (the General Data Protection Regulation or GDPR) on 25 May this year. The GDPR will replace Directive 95/46/EC (the Data Protection Directive from 1995). The Regulation aims to (further) harmonise personal data protection obligations in the EU. Under the GDPR, large fines can be imposed in cases of infringement of the obligations of the Regulation (see Article 83 GDPR). Mostly because of these possible fines, law firms and legal advisors can barely handle the work resulting from assisting companies and institutions in being GDPR compliant before the Regulation applies.
Considerably less attention is being given to Directive (EU) 2016/1148 concerning measures for a high common level of security of network and information systems across the Union (NIS Directive). The NIS Directive provides security requirements and incident notification obligations for specific categories of entities regarding security issues of their IT systems, regardless of whether personal data is affected.
The Directive covers, on the one hand, operators of sectors deemed to be vital to the economic and societal activities of the EU (previously often referred to as ‘critical infrastructures’), called operators of essential services (OESs), and, on the other hand, digital service providers (DSPs). According to the Directive, there are seven sectors of essential services, these being energy, transport, banking, financial market infrastructures, the health sector, drinking water supply and distribution, and digital infrastructures. DSPs are online marketplaces, online search engines, and cloud computing services.
It is not my intention to provide a comparison between the GDPR and the NIS Directive. The aim, legal basis, subject matter and scope for each are very different and I shall not discuss the GDPR in detail any further. My argument is that in terms of cybersecurity, these two pieces of regulation are both important and influential, as both contain (partly comparable) security requirements and incident notification obligations. Also, they will both apply from May 2018 onwards, and the general focus seems to lean disproportionately towards the GDPR. This emphasis on the GDPR may be understandable, but the NIS Directive may be just as important and influential. For instance, the issues mentioned above do not necessarily have much to do with personal data. Because the NIS Directive is a directive, it does not contain specific requirements regarding penalties for infringements. But even though fines are not specified, Article 21 NIS Directive requires Member States to ‘lay down the rules on penalties applicable to infringements’ of the national security obligations. In all likelihood there will be fines for infringements, and these fines may also turn out to be substantial.
As for the application of the Directive, obligations laid down in the Directive must be transposed into national law in all the Member States by 9 May 2018 (see Article 25(1) NIS Directive). This means that by then, Member States must abide by the following obligations. First, each Member State must have a national strategy on the security of network and information systems in place. Second, they must designate one or more national competent authorities (to monitor the application of the Directive) and a national single point of contact (as a liaison for cross-border cooperation). Third, each Member State must designate one or more computer security incident response teams (CSIRTs). Fourth, and most relevant for this discussion, all Member States must implement specific security requirements and incident notification obligations for OESs and DSPs.
To be able to properly implement the security obligations, all Member States must specify which entities are to be designated as OESs. The deadline for this identification is 9 November 2018, and several Member States have already made progress. The development of cybersecurity incident notification regulation in the Netherlands predates the 2013 proposal for the NIS Directive. A plan for cybersecurity breach notification obligations was proposed in 2012, as a political reaction to the DigiNotar breach in 2011, and was later incorporated into the Law on the processing of data and on the cybersecurity notification obligation (Wet gegevensverwerking en meldplicht cybersecurity (Wgmc)). The Wgmc went into effect partially on 1 October 2017 and in full in January 2018. Its articles 5-8 on the notification obligation for operators of vital services were scheduled to go into effect three months later than the other articles, by which time the operators would have been identified by administrative decree. The reason for having the rest of the Wgmc go into effect earlier is that the National Cyber Security Centre (NCSC) quickly needed clarity about its tasks and competences. The specific law implementing the NIS Directive in the Netherlands, the Cybersecurity Law (Cybersecuritywet (Csw)), will incorporate the Wgmc wholly and without alteration.
By 12 December 2017, the list of operators of vital services for the Netherlands was published by means of administrative decree. On 1 January 2018, it went into effect. There are some differences between the list of types of essential services prescribed in Annex II of the NIS Directive and the List of identified vital operators for the Netherlands. On the one hand, the Netherlands has added the nuclear energy sector as an essential service, as well as telecommunications networks (specifically excluded by the NIS Directive), and the water authorities. On the other hand, certain sectors specifically prescribed by the NIS Directive have been omitted, such as the health sector and digital infrastructure, and the sectors for transport and financial institutions have been simplified. This is rather odd, since Article 3 NIS Directive states that Member States can have a higher level of security than that prescribed by the Directive, but not that they can pick and choose, or disregard certain elements. Some other Member States also deviate from the Directive in their (proposals for) implementation of the Directive. For instance, the UK Consultation on the NIS Directive lacks the sectors Banking and Financial market infrastructures.
This presents us with a problem. The notification obligations are meant to further cooperation and communication in cases of (especially cross-border) attacks or incidents, as well as accumulation of knowledge. In order to further this aim, the NIS Directive should apply to the same sectors across the Union. The Netherlands so far clearly takes a different approach than that of the Directive. On the one hand this is understandable, especially since there is variation in how vital certain sectors are in different Member States. The water authorities are a telling example in the Netherlands, since this Member State has a unique dependence on water infrastructure such as canals, rivers, locks and dikes. On the other hand, if all the Member States have very different sectors to which the obligations apply, the NIS aim may not be achieved.
On 9 May 2018 (when the NIS Directive implementations will apply), the Commission must submit a report to the European Parliament and to the Council on the consistency of the approach taken by Member States in the identification of operators of essential services. Should there be large differences across the Union in which sectors Member States designate as essential services, then it would be useful to pay more attention to cooperation and communication across different sectors, so that the problem of varying identification of OESs may be mitigated.