Update on the network and information security directive

Overview

• The European Parliament and the European Council are one step closer to agreeing the provisions of the Security Directive. Information society service providers will no longer be required to comply in full with the Security Directive.
• Information society service providers may still need to comply in part with the Security Directive, although further details regarding this have not yet been disclosed.
• Market operators in the financial market infrastructures, internet exchange points and food chains may now need to comply with the Security Directive.
• Companies should consider reviewing network infrastructure and ICT policies in light of the Government’s ten steps to cyber security guide for businesses, regardless of whether they are a “market operator” for the purposes of the Security Directive.
• It is also recommended that organisations apply for a Cyber Essentials certification to show compliance with the five essential requirements of cyber security.

Introduction

In response to the growing risk of cyber security attacks to public bodies and private companies across the European Union, on 13 March 2014 the European Parliament approved a first draft of the Network and Information Security Directive. This Directive is commonly known as the “Security Directive”.

The proposed Security Directive is the first legislation of its kind proposed in the EU and it aims to implement the European Union’s strategy for cyber security across Europe, which was published alongside the Security Directive^[1].

By adopting the Security Directive the European Union intends to set minimum cyber security standards across all member states by ensuring market operators that operate critical infrastructure, such as energy, health, transport, financial services etc., take measures to manage cyber security risks to their network infrastructure and also report cyber security incidents which have a “significant impact” on the services they provide.

Changes to national strategy

It is also expected that under the Security Directive, individual member states will be required to establish their own Network Information Security (NIS) strategy, along with a National Competent Authority (NCA) to monitor the member state’s application of the Security Directive. Each member state must also establish a Computer Emergency Response Team (CERT) which will be responsible for handling and mitigating the risk of cyber security incidents.

Although the Security Directive is not yet in force, the UK has already begun developing its NIS strategy by publishing its “ten steps to cyber security” [2]. The ten steps provides guidance to companies on implementing and maintaining an effective cyber security regime which will protect them against the majority of cyber threats (companies are expected to self-asses the adequacy of its cyber security regime and determine the extent that it needs to implement the recommendations set out in the ten steps). Although the ten steps were predominantly written with large companies in mind, SMEs are advised to maintain a cyber-security regime in line with the ten steps, to the extent that it is cost effective for them to do so.

Organisations in the UK can also apply for certification under the Cyber Essentials scheme[3]. The Cyber Essentials certification has become mandatory for certain government contracts and is a condition for a growing a number of tenders. Organisations which have been awarded the certification can demonstrate that they meet the following five essential requirements of cyber security:

1. Boundary firewalls and internet gateways
2. Secure configuration
3. Access control
4. Malware protection
5. Patch management

The Cyber Essentials certification has been developed so that it is affordable for SMEs, although organisations of all sizes (including public bodies) can still apply. It is important to note that the Cyber Essentials certification is seen as a minimum standard for cyber security and despite being certified, large companies in particular must still use the ten steps to assess the adequacy of its cyber security regime.

In March 2014, the UK government also established CERT-UK to manage cyber security incidents and support companies with cyber security issues. CERT-UK has already improved the sharing of cyber threat and vulnerability information by implementing the cyber security information sharing partnership (CiSP). CiSP allows members from across sectors and organisations to exchange cyber threat information in real time, on a secure and dynamic environment, whilst operating within a framework that protects the confidentiality of shared information.

Timeline of developments

In October 2014, the European Council was given a mandate to commence informal meetings (known as trilogues) with the European Parliament and the European Commission to discuss the proposed Security Directive, and the last of three trilogue meetings took place on April 2015. Despite these meetings, important differences in position remained between the Council and the Parliament[4]. Most notably, there was disagreement regarding which market operators should be required to comply with the Security Directive.

In the first draft of the Security Directive published on 7 February 2013[5], the Commission included providers of information society services within the definition of market operators. Consequently, all cloud computing providers, search engine operators, digital retailers etc. would be required to comply with the Security Directive. The rationale was that information society services may underpin some critical infrastructure, and without which market operators may not be able to operate. However, the UK, along with approximately half of the other member states believed that imposing top-down regulation on all information society service providers would hinder business growth and competition.

Following a significant internal review of the first draft of the Security Directive, the European Parliament published its position on the proposed Security Directive. In so doing it had removed information society services from the scope of the Security Directive[6] and engendered the need for considerable dialogue on this issue.

The Parliament also intentionally reduced the scope of the definition of market operators so that the Security Directive will only apply to market operators that operator infrastructure which has a “significant impact” in the relevant member state and whose network and information systems concerned are related to its “core services” (text in bold was inserted by the Parliament):

“operator of infrastructure that are essential for the maintenance of vital economic and societal activities in the fields of energy, transport, banking, financial market infrastructures, internet exchange points, food supply chain and heath, and the disruption or destruction of which would have a significant impact in a Member State as a result of the failure to maintain those functions, a non-exhaustive list of which is set out in Annex II, insofar as the network and information systems concerned are related to its core services.” (Amendment 52)

Whilst information society service providers may no longer need to comply with the Security Directive, it should be noted that operators of financial market infrastructures, internet exchange points and food chains are now included. One other notable change is that member states will now have discretion whether to impose this regulation on public bodies when it implements the Security Directive into national law.

Where are we now?

Following a fourth trilogue meeting on 29 June 2015, the Council announced that it has reached an understanding with the Parliament and the Commission on the main principles to be included in the Security Directive.[7]

It has been provisionally agreed that information society services will be treated “in a different manner” from essential services. Although information society services will not be considered essential services, this suggests that information society service providers will still be captured by the Security Directive in some respect, rather than fall outside of the scope completely. At the time of writing, there is little information in the public domain about the details of the position agreed in the meeting. However, one possible interpretation is that the Parliament and Council have agreed that information society service providers that provide core services to critical market operators will be required to comply with the Security Directive. We will only be able to confirm this when more details are released.

What we do know is that it will be for each member state to determine which designated operators are providing essential services by applying the test criteria set out in the Security Directive. It has also been confirmed that each member state will be required to establish an NIS strategy and establish a National Competent Authority. In addition, an EU body known as a network of national Computer Security Incident Response Team (“CSIRT”) will be set up to help cooperation between the member states.

What next?

Notwithstanding the considerable delay to the adoption of the Security Directive to date (June 2015 was the initial target adoption date), the new president of the European Council has given fresh impetus to implementing the Security Directive and the update on 29 June 2015 suggests that it is one step closer to being adopted. It is also interesting to note that the member states also called for a “rapid adoption” of the Security Directive at the European Council meeting last week.

Therefore, it is still safe to assume that the Security Directive will be adopted in time. This should deal a blow to the many who would still like the European Union to impose a more voluntary, industry led set of standards, as employed in the USA. If and when the Security Directive is adopted, member states are likely to be given a period of 2 years to transpose it into national law

Impact on companies

Although the Security Directive is unlikely to come into force in the UK in the near future, the on-going focus on cyber security should serve as a timely reminder to companies that cyber security is a real risk. It should also be remembered that the UK has started implementing its own NIS strategy and companies are advised to be proactive and review existing cyber-security and ICT policies in light of the ten steps.

Organisations are also encouraged to apply for the Cyber Essentials certification in anticipation of it becoming a widely recognised industry accreditation which is taken into account by customers, insurers, investors, auditors etc. when determining an organisation’s risk profile. Companies may also wish to review processes to ensure they are monitoring and reporting cyber security breaches effectively, and where possible register and report these with CiSP.

For further information regarding the impact of the Security Directive or assistance with reviewing ICT policies, please contact Luke Russell or Justin Harrington, contact details below.