Impact of the Network and Information Security Directive
June 2018 | LEGALREVIEW | RISK MANAGEMENT
Financier Worldwide Magazine
June 2018 Issue
FW moderates a discussion on the impact of the Network and Information Security Directive between Simon Shooter, Shima Abbady, Roberto Camilli, Alexander Duisberg, and Stéphane Leriche at Bird & Bird.
FW: Could you provide an insight into the driving factors behind the Networks and Information Systems Directive (NISD), and why it was considered necessary?
Shooter: NISD is an EU Directive to be adopted into Member States law on 9 May 2018. The principal driver behind the Directive was the assessment of the importance of the role that network and information systems play in the supply of essential services to society, such as the supply of electricity and water and the provision of healthcare and passenger and freight transport. It was decided that regulation to promote the adoption of an agreed approach to the development of resilience from attacks on networks and information systems was needed to encourage a commonality of approach.
Abbady: The Dutch government was originally not entirely in favour of the NISD proposal. In March 2013, the Dutch government stated that it considered the “top-down approach of detailed cyber security obligations” in the draft NISD to be ineffective and instead promoted a system of mandatory self-regulation, development of technical capacities, best practices and, above all, public-private cooperation. Current Dutch general cyber security legislation includes a duty for ‘vital service providers’ – which entered into force on January 2018 – to notify security incidents with potentially catastrophic consequences. Nonetheless, but in line with the above approach, this law does not include enforcement measures or even supervision. The process is kept as light as possible; there is no supervisory authority and after notification only non-binding advice is provided.
FW: What are the key provisions and potential penalties outlined in the NISD?
Shooter: Member States must have in place a national framework to manage cyber security incidents and oversee the application of the NISD. The Directive also requires the establishment of a cooperation group between the Member States with responsibility for driving strategic cooperation and the exchange of information. The Directive requires the identification of organisations that are to qualify as “operators of essential services” (OES), as well as the enactment of national regulation which requires OES to take appropriate and proportionate security measures to manage risks to their network and information systems and to notify serious incidents to the relevant national authority. The anticipated sanction for a failure to comply is a single fine to a maximum £17m.
Abbady: The current Dutch draft legislation goes further than the core requirements of the NISD. For example, OES are not only obliged to notify incidents which have a significant impact on the continuity of the service, but also incidents which could potentially have a significant impact on continuity, so-called ‘near misses’. Another example is that the notification duty also applies to service operators that are not essential but are deemed ‘vital service operators’ by the Dutch legislator. Neither supervision nor sanctions will apply to these ‘vital operators’. Currently, the maximum penalty for breaching the draft implementing act is €5m. A €1m penalty applies for failing to adequately cooperate with authorities.
Camilli: In Italy, only some preliminary legislative provisions have been adopted to implement the NISD. The so-called Gentiloni Prime Minister’s Decree concerning policies for national cyber security were adopted on 17 February 2017 and, on 8 February 2018, the scheme of a legislative decree was approved by the Italian government, although it is still under parliamentary scrutiny. Due to the current political situation in Italy, the definitive piece of national legislation will probably not be adopted by the deadline of 9 May 2018, and it is likely that Italy will incur resulting sanctions. According to the scheme of legislative decree, in case of failure to comply with the provisions of the same, the competent authorities will be entitled to impose upon OES and digital service providers (DSPs) an administrative fine of up to €150,000.
Duisberg: Alongside the key provisions of the NISD, the sanctions regime in Germany varies according to the relevant sectors in which an OES operates or when there is a failure to comply with notification obligations. For example, in Germany, fines may reach up to 10 percent of the worldwide annual turnover of a group, if an OES operates under the Energy Industry Act.
Leriche: In France, sanctions for failing to comply with the NISD cannot exceed €125,000 and will only be imposed against directors of the defaulting OES or DSP. This may undermine the necessary convergence and consistency in terms of security measures and cyber defence plans implemented by OES and DSPs across the EU.
FW: What entities are likely to be most impacted by the NISD? What do you consider to be the most challenging aspects for them?
Shooter: In the UK, in general terms, we can expect providers of drinking water, electricity, oil and gas providers, distributors and system operators, digital infrastructure operators, domain registries, domain name service providers, internet exchange operators, healthcare providers and transport operators to be the most aware of the impending regulation. Thresholds will ensure that smaller operators do not fall into compliance obligations. In addition, DSPs – the operators of online market places, online search engines and cloud computing service providers – will also be subject to regulations. It is important to note that regulations can be expected to require OES to have compliance responsibility for their relevant suppliers. So the suppliers to OES and DSPs can expect to be contracted into compliance. It is expected that these suppliers will be caught unaware.
Abbady: In the Netherlands, DSPs will likely be impacted most by the NISD implementation act, as no Dutch cyber security legislation currently applies to them. DSPs have not been provided with much guidance regarding their cyber security obligations. Very little awareness exists around the topic of NISD among DSPs and the Dutch government does not seem to be making much of an effort to change this. Moreover, the Dutch government has not provided any guidance with regard to which companies will qualify as DSPs in the context of the NSID. By contrast, the Dutch government has indicated that parties which will be designated as OES will be notified accordingly.
Camilli: Despite the NISD allowing Member States to extend the scope of the provisions of the Directive, the Italian scheme of legislative decree remains limited to the same sectors identified in the Directive: energy, transport, banking, financial market infrastructure, healthcare, drinking water supply and distribution, and digital infrastructure. Italy is waiting for the competent authorities for each sector to identify OES and the Directive requires that definition to be achieved by 9 November 2018.
Duisberg: In Germany, the legislator has prepared governmental ordinances which clarify the categories and sub-categories of OES in various sectors. These have been in place since 2016/2017 as a consequence of the German IT Security Act of 2015, which has been frontrunner legislation to the NISD. While the total number of OES is expected to be around 2000 to 3000 in Germany, the wider impact on the supplier ecosystem to those OES is significant and is expected to affect several hundreds of thousands of companies and organisations.
Leriche: In France, the OES – and the related essential services affected by the regulation – will be determined by a government decree to be adopted on 9 November 2018 at the latest. A sensitivity threshold has been set so that only DSPs employing more than 50 people and whose annual turnover exceeds €10m need to comply with the new regulatory framework.
FW: Generally speaking, how has the NISD been received by operators of essential services and digital service providers?
Shooter: The NISD appears to have gone largely unnoticed. The clamour surrounding the General Data Protection Regulation (GDPR) appears to have left the NISD in the shadows. It may come as a shock to some when they realise the regulation applies to them and when they learn of the maximum fine for transgression. Once the shock has dissipated, it is hoped that access to sector-focused compliance guidance to be issued by the relevant competent authorities will be seen as a useful and much-awaited cyber security yardstick.
Abbady: There is very little awareness about the NISD in the Netherlands. The Directive has been completely overshadowed by the GDPR. In addition, the Netherlands has only recently begun the process of implementing the NISD, as the draft implementing act was only submitted to the Lower House on 15 February 2018 and finalisation of implementation is not expected until the summer of 2018. As a consequence, most DSPs have no idea that they will have cyber security obligations after implementation of the NISD. A slightly greater awareness of the NISD exists among OES, most likely because many of them are already subject to sector-specific cyber security obligations and the currently effective general cyber security law also applies to most of them.
Camilli: The real issue is that most OES and DSPs are not aware that they will have cyber security obligations after implementation of the NISD. Italy has only just begun the process of implementing the NISD, with the scheme of implementing the Legislative Decree only being submitted to parliament on 22 February 2018. The finalisation of the implementation process is slow and complicated by the currently uncertain Italian political situation.
Duisberg: In Germany, the IT Security Act has been in place since 2015. Given the consultation process leading up to the IT Security Act, stakeholders are already aligned to a certain degree, so the NISD represents more of an extension of the national law than an entirely new one. The wider impact into the supplier environment, including adjustments of contracts, processes and related investment, as well as the more challenging categorisation of DSPs, are current challenges yet to be picked up more widely.
FW: Do you expect any particular issues to arise with regard to jurisdiction and differential implementation of the NISD across the EU?
Shooter: As the NISD is not a regulation like the GDPR, Member States have a number of options as to how they will adopt the Directive into their national law. Each Member State will determine what qualifies as OES and DSPs, what regulates the implementation of the regulation, the reporting requirement in the event of a significant incident and the sanctions for transgression. While DSPs will be required to comply with the law of their Member State, there is no such requirement for OES. Accordingly, potential OES will have to analyse each Member State’s definitions of OES to determine if they will need to comply in that country. Being an OES in more than one Member State raises the possibility of being subject to sanctions in each affected Member State.
Abbady: The Dutch implementation law imposes additional obligations beyond the NISD on a few important points, for example ‘near misses’. These differences could lead to difficult issues and considerations when an OES is also active in another country in which ‘near misses’ do not have to be notified, especially if it concerns a listed OES.
Camilli: In Italy, according to the scheme of the Legislative Decree, OES and DPSs which are non-compliant with the regulations will be subject to an administrative fine ranging from €12,000 to a maximum of €150,000.
Duisberg: In Germany, depending on the relevant sector in which an OES operates – and in some instances the OES might be operating in more than one sector – the level of sanctions may differ significantly.
Leriche: In France, sanctions will fall on directors of non-compliant entities with personal fines ranging from €75,000 to €125,000. For legislation that seeks to raise the cyber resilience bar across Europe, the lack of a consistent approach seems regrettable. The compliance obligation from a patchwork approach to adoption placed on entities that are established in multiple Member States is also regrettable.
FW: How should entities go about establishing an NISD compliance programme which satisfies both the requirements of the Directive as well as their own internal cyber security response strategies?
Shooter: The core three requirements for OES and DSPs are to be able to demonstrate they have appropriate and proportionate security measures in place to manage the risks posed to their network and information systems, to be able to demonstrate they have appropriate measures in place to prevent and minimise the impact of incidents affecting the security of their network and information systems and to be ready to report significant incidents to their relevant competent authorities. The first requirement should not be overly taxing. It requires a thorough assessment of networks and systems, the evaluation of current security methods, practices and security assets and the adoption or maintenance of a governance methodology that evidences regular review and revision. The second requirement touches the point where we expect the most attention is needed.
Abbady: In the Netherlands, entities can receive help from the National Cybersecurity Center as well as a private initiative called Cyber Central.
Camilli: In Italy, five ministries have been indicated as competent authorities. These are the Ministry of Economic Development, the Ministry of Infrastructure and Transport, the Ministry of Economics, the Ministry of Health and Ministry of Environment and the Department of Information for Security (DIS). The DIS has been also been appointed as ‘single point of contact’, with a liaison function to ensure cross-border cooperation of Member State authorities. Moreover, the scheme of legislative decree creates a single Computer Security Incident Response Team for Italy to prevent and resolve cyber incidents, in collaboration with the other CSRIT at European Union level.
Leriche: While most businesses assess cyber risk as a top five business risk, many are still unprepared to address a cyber incident. The good news is that putting this right should not be overly expensive. It requires the formulation of incident response plans, the designation of response teams, the establishment of internal and external communication plans, the education of the response teams and staff in general and the testing and practicing of such plans. The reporting requirement requires a methodology to be drawn up and adopted to enable the reporting of significant incidents to be undertaken.
FW: With the number of cyber attacks rising exponentially, do you expect the NISD to reshape the wider cyber security and data protection landscape?
Shooter: The NISD is a very helpful regulation that should underscore a practical approach to the improvement of cyber resilience. The UK proposal for high-level guidance from the UK government and the National Cyber Security Centre (NCSC), supplemented by more granular guidance from sector focused competent authorities, provides the opportunity to have a valuable set of industry relevant codices that can be used as yardsticks for those industry sectors. I expect the impact of the NISD to have a waterfall effect, and not only through the contracting of suppliers into compliance by OES, but by industries using their relevant codex as the measuring point for cyber resilience in their own contracts.
Abbady: In the Netherlands, implementation of the NISD will bring cyber security from the mainly private sphere to the public sphere. The implementation act of the NISD is the first general cyber security legislation which provides for sanctions and supervision. As such, the Directive is certainly expected to reshape the wider cyber security landscape.
Duisberg: In Germany, the role of the Federal Agency of Security in Information Technology (BSI) is further strengthened by the NISD. As well as functioning as the coordination centre for incident reports, it will give guidance on technical security requirements and participate in the international coordination under the NISD.
FW: Looking ahead, do you expect to see a smooth implementation of the NISD? In your experience, do entities need to accelerate their compliance plans?
Shooter: The UK’s Department for Digital, Culture, Media and Sport has indicated that OES will be given time to implement necessary security measures. Reassurances have been given that the first year will principally be used to drive awareness and get guidance in place. While no promises have been made, it seems that the full force of the NISD with attendant enforcement will be phased in after the first year.
Abbady: In the Netherlands, the implementation of the NISD will be finalised after the 9 May deadline. It is currently expected in the summer of 2018, but only if parliament passes the law without delay. Moreover, the Dutch legislator is currently not planning to designate healthcare providers, such as hospitals, as OES in conformity with Annex II of the NISD. The reason for this is that the legislator does not consider the healthcare sector to be sufficiently “high risk”, as it is largely decentralised. This could be considered a failure to correctly implement the NISD.
Camilli: In Italy, the real problem is that national legislation implementing the Directive has not yet been adopted and it will probably take some time for parliament to examine and approve the Legislative Decree submitted by government. The Legislative Decree structure is neither clear nor exhaustive. As a consequence, concerned stakeholders do not have yet a real legislative guide to follow and must still rely on the general principles of the NISD.
Duisberg: Not only should the task of NISD implementation be accessible and affordable, but there is probably a year before the regulation really bites in Member States. In Germany, things are already more advanced in light of the existing IT Security Act. While raising awareness and influencing the technical improvement of cyber resilience and coordination of incident reports is the declared priority of the BSI, law enforcement is also on the agenda. Generally speaking, the challenge lies less with the large incumbents which have long since prepared and integrated the requirements of the IT Security Act into their compliance organisation and operational processes, and more with the wide field of smaller and mid-size enterprises, some of which may directly qualify as OES, or which may be impacted by the requirements as suppliers of OES.
Leriche: In France, OES will be designated in November 2018 and it is expected that this group will be afforded a significant transition period to reach compliance with the regulatory requirements that have yet to be adopted and published.
Simon Shooter is a partner at Bird & Bird, based in London. He is joint-head of the firm’s international commercial group and also heads its international cyber group, which he established in 2010. He is actively engaged with tracking and advising on the development of cyber-related policy and legislation and its impact on commercial entities and leads Bird & Bird’s cyber security policy forum, a cross-sector client discussion group formed of leading individuals from across industry. He can be contacted on +44 (0)20 7415 6000 or by email: email@example.com.
Shima Abbady specialises in IT and data protection. She is an associate in the commercial practice and is based in The Hague. Ms Abbady specialises in cyber security, IT-related contracts and dispute resolution and privacy law and is a member of Bird & Bird’s tech & comms group. She holds a Bachelor’s (Hons) in Liberal Arts & Sciences (cum laude), a Bachelor’s in Law (cum laude) and a Master’s in Public International Law (cum laude) from Leiden University. She can be contacted on +31 (0)70 353 8800 or by email: firstname.lastname@example.org.
Roberto Camilli is an intellectual property (IP) and information technology lawyer with additional expertise in commercial and M&A areas of law. He is a partner in the IP practice, based in Milan, Italy, where he assists clients by adding value in an efficient and business-oriented way. Mr Camilli leads the Italian cyber team. He can be contacted on +39 (02) 3035 6000 or by email: email@example.com.
Alexander Duisberg is a highly reputed lawyer within the IT, digital transformation and privacy sphere, with a clear international vision to develop his clients’ businesses. He is a partner at Bird & Bird in Munich and specialises in data protection, digital transformation projects, Internet of Things (IoT) and complex technology transactions. He covers a range of matters, including agile development, platforms and the data economy, cloud, cyber security, licensing and technology disputes. He can be contacted on +49 (0)89 3581 6000 or by email: firstname.lastname@example.org.
Stéphane Leriche provides cutting edge, business-oriented advice on all aspects of technology transactions and partnerships. He is a partner in the commercial and IT groups, based in Paris. Mr Leriche’s specific interests include the drafting and negotiation of commercial contracts in the information technology, communications and ecommerce sectors. His current practice is focused on high-profile transactions and strategic partnerships, advising major companies in structuring their strategic alliances, joint ventures, IT and business process outsourcing deals. He can be contacted on +33 (0)1 42 68 6000 or by email: email@example.com.
© Financier Worldwide