EU – The implementation of the “Cyber Security” Directive
In July 2016, the EU adopted the so-called “Cyber Security” Directive. Digital service providers and companies that operate essential services must protect their information technology systems and notify security incidents to the appropriate regulator.
We review the implementation of this Directive in Belgium, France, Germany, Spain and the UK.
The EU framework
The “Cyber Security” Directive is properly known as the Directive on security of network and information systems (2016/1148) (“NIS Directive”). It was introduced to provide a co-ordinated EU-wide response to the increasing threat of cyber-attacks. Such attacks can generate substantial financial losses, undermine user confidence and cause major damage to the economy of the EU. For example, the NotPetya attack in 2017 is estimated to have caused around $10 billion in damage.
Accordingly, the NIS Directive requires Member States to set up a framework to prevent and respond to these attacks. In particular, Member States must:
- Strategy – Adopt a national cyber-security strategy. This strategy should encompass governance, education and awareness raising, research and development, and risk assessment.
- Regulator – Designate one or more competent authorities to monitor and enforce the NIS Directive.
- Single point of contact – Designate a single point of contact for other Member States.
- Response team – Designate one or more computer security incident response teams (“CSIRT”) to monitor and respond to security incidents.
The NIS Directive also imposes obligations on private companies. It applies to:
- Operators of essential services – These are companies providing essential services in the energy, transport, banking, financial market infrastructure, health, drinking water supply and digital infrastructure sectors. (Providers of public electronic communications networks and services are not caught, as they are already subject to the security and incident-notification requirements of Article 13a of the Framework Directive (2002/21/EC).) Member States must identify which companies are operators of essential services.
- Digital service providers – These are companies providing online marketplaces, online search engines and cloud computing services. Perhaps reflecting the inherently transnational nature of these services, they are identified on a pan-European basis and not by individual Member States.
The key obligations on operators of essential services and digital service providers are to take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of their network and information systems.
In addition, where an operator of essential services or a digital service provider suffers a security incident with a significant impact on the service it provides, it must notify the competent authority or CSIRT without undue delay.
As an EU Directive, the NIS Directive must be implemented in each Member State. This leads to potential variances in the criteria for determining if a company is to be designated as an operator of essential services, the timing of the notification of a security incident and the sanctions for breaching these rules.
We consider these variances and set out the current state of play in Belgium, France, Germany, Spain and the UK below.
Belgium
The NIS Directive has not yet been implemented in Belgium. A draft bill was approved in April 2018 by the Federal Government and transmitted for review to the Council of State (the body in charge of checking the quality and drafting of legislation). However, the government is yet to adopt a final draft, and the text will only become public once it is sent to parliament. No expected timeline has been announced.
The national point of contact and CSIRT will presumably be the Centre for Cybersecurity in Belgium (which initially drafted the bill), but this will only be confirmed once the text becomes public.
France
The NIS Directive has been implemented by the French Act No. 2018-133 of 26 February 2018 on compliance with European Union legislation on security (Loi n°2018-133 du 26 février 2018 portant diverses dispositions d’adaptation au droit de l’Union européenne dans le domaine de la sécurité) (“French Security Act”). This entered into force on 27 February 2018.
However, certain provisions of the NIS Directive were further specified in French Decree No. 2018-384 of 23 May 2018 on the networks and information systems security of essential and digital services providers (Décret n°2018-384 du 23 mai 2018 relatif à la sécurité des réseaux et systèmes d’information des opérateurs de services essentiels et des fournisseurs de service numérique) (“French Security Decree”). This entered into force on 25 May 2018.
- Criteria for designating operators of essential services: Essential services are detailed in the French Security Decree. This Decree refers to many sectors essential to the functioning of the French economy and society, including insurance, logistics, social organisations and mass catering. On the basis of the same criteria as those set out in the NIS Directive, the Prime Minister designates operators of essential services on the recommendation of the ministries of the sector concerned and the French National Cybersecurity Agency (Agence nationale de la sécurité des systèmes d’information or “ANSSI”). The list of operators is updated at regular intervals and at least every two years.
Importantly, under French law, there is a distinction between operators of essential services and ‘operators of critical importance’ (opérateurs d’importance vitale or “OIV”). OIV are private or public entities which operate or use facilities deemed essential for the survival of the nation (the unavailability of which could significantly reduce the war or economic potential, security or survivability of the nation). OIV are governed by a broader inter-ministerial security framework enshrined in the French Defence Code. Hence, the French Security Act does not apply to the information systems of operators of critical importance.
- Who is the competent authority? The competent authority is the ANSSI, which is attached to the General Secretariat for Defence and National Security (Secrétariat général de la défense et de la sécurité nationale, “SGDSN”), the body assisting the French Prime Minister in carrying out his responsibilities in the field of defence and national security.
- Who is the single point of contact? The ANSSI will fulfil this role.
- Who is the CSIRT? The French government’s CSIRT is the Computer Emergency Response Team-FR (“CERT-FR”) (part of ANSSI).
- What is the time limit for notifying security incidents? Separately from other notification obligations, such as personal data breach notification to the French Data Protection Authority (the “CNIL”), incidents must be notified to the CERT-FR “without delay after becoming aware of them”, but there is no specific time limit. The French Security Act distinguishes notification by operators of essential services from notification by digital service providers. The former must notify a security incident where it has or is likely to have a significant impact on the continuity of the essential service, taking into account the number of users and the geographical area affected and the duration of the incident. The latter must notify incidents where the information available to them shows that the incident has a significant impact on the provision of their services. That impact is assessed in light of the same factors as for operators of essential services, as well as the seriousness of the disruption to the functioning of the service and the extent of its impact on the functioning of society or the economy. Importantly, the French Security Act only applies to digital service providers with at least 50 employees and an annual turnover of more than €10 million (the micro and small enterprise threshold of Commission Recommendation 2003/361/EC, which the NIS Directive uses to exclude such providers).
- What are the sanctions? Breach of the French Security Act can result in tiered fines, ranging from €50,000 to €125,000 depending on the breach and violator. The lowest tier is a €50,000 fine, which applies where a digital service provider fails to notify the incident. The highest tier is a €125,000 fine, which applies where an operator of essential services obstructs ANSSI investigations.
Germany
The NIS Directive has been implemented by the NIS Implementation Act dated 23 June 2017 (Gesetz zur Umsetzung der Richtlinie (EU) 2016/1148 des Europäischen Parlaments und des Rates vom 6. Juli 2016 über Maßnahmen zur Gewährleistung eines hohen gemeinsamen Sicherheitsniveaus von Netz- und Informationssystemen in der Union), which entered into force on 30 June 2017. The NIS Implementation Act complements the German IT Security Act adopted in July 2015, which already obliged operators of critical infrastructures to notify certain IT security incidents.
- Criteria for designating operators of essential services: The German Act on the Federal Office for Information Security (Gesetz über das Bundesamt für Sicherheit in der Informationstechnik) refers to operators of so-called critical infrastructures. Critical infrastructures are institutions, facilities or parts thereof which belong to the sectors of energy, information technology and telecommunications, transportation and traffic, health, water, food, and finance and insurance, and which are of significant importance for the community. The obligations of the NIS Implementation Act do not apply to every business (for example, small businesses and providers of public telecommunications services are exempt). The German Federal Ministry of the Interior has issued a statutory ordinance (the BSI-Kritisverordnung) setting out the various thresholds that define when an infrastructure is considered critical.
- Who is the competent authority? The Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik) will fulfil this role.
- Who is the single point of contact? The Federal Office for Information Security will fulfil this role.
- Who is the CSIRT? The Federal Office for Information Security is setting up various mobile incident response teams (so-called MIRT) to support companies.
- What is the time limit for notifying security incidents? Security incidents must be notified without undue delay (unverzüglich).
- What are the sanctions? Breaches of the above-mentioned obligations can result in fines amounting up to €100,000.
Spain
The NIS Directive has been implemented by the Spanish Royal Decree-Law 12/2018 on the security of network and information systems (Real Decreto-ley 12/2018, de 7 de septiembre, de seguridad de las redes y sistemas de información) (“Law 12/2018”). This entered into force on 9 September 2018.
- Criteria for designating operators of essential services: Operators of essential services will be those defined in Law 8/2011 on the protection of the critical infrastructures (Ley 8/2011, de 28 de abril, por la que se establecen medidas para la protección de las infraestructuras críticas) (“Law 8/2011”). The identification of operators of essential services shall be carried out by the relevant competent authority set out in Law 8/2011, and updated, for each sector, on a biennial basis. Micro and small digital service providers (as defined in accordance with Commission Recommendation 2003/361/EC) are not subject to Law 12/2018.
- Who is the competent authority? The competent authority varies depending on the type of operator/provider.
The competent authorities for operators of essential services are: (a) for critical operators (designated in accordance with Law 8/2011): the Secretary of State for Security of the Ministry of the Interior, through the National Infrastructure Protection and Cyber Security Centre; (b) for non-critical operators that are subject to Law 40/2015 on the Legal Regime of the Public Sector (Ley 40/2015, de 1 de octubre, de Régimen Jurídico del Sector Público) (“Law 40/2015”): the Ministry of Defence, through the National Cryptology Centre; and (c) for other non-critical operators: the sectoral authority designated in accordance with the regulations.
The competent authority for digital service providers is: (a) when subject to Law 40/2015: the Ministry of Defence, through the National Cryptology Centre; and (b) otherwise: the Secretary of State for Digital Development of the Ministry of Economy and Business.
- Who is the single point of contact? The National Security Council, through the National Security Department, will fulfil this role.
- Who is the CSIRT? The competent CSIRT varies depending on the type of operator/provider.
The CSIRTs for operators of essential services are: (a) when subject to Law 40/2015: the CSIRT of the National Cryptology Centre (“CCN-CERT”); (b) when not subject to Law 40/2015: the CSIRT of the National Institute of Cyber Security (“INCIBE-CERT”); and (c) for matters related to national defence: the CSIRT of the Ministry of Defence, which shall cooperate with CCN-CERT and INCIBE-CERT.
The CSIRTs for digital service providers are: (a) when subject to Law 40/2015: CCN-CERT; and (b) otherwise: INCIBE-CERT.
- What is the time limit for notifying security incidents? Incidents must be notified to the CSIRT without undue delay, but there is no specific time limit. Importantly, operators of essential services are required to notify the authorities, via the relevant CSIRT, of those incidents that may have a significant disruptive effect on the provision of their services (the authorities may set additional specific notification obligations). Digital service providers, on the other hand, must notify the authorities of those incidents that have a significant disruptive effect on the provision of their services. This notification requirement applies in addition to the personal data breach notification requirements under the GDPR, should personal data be compromised.
- What are the sanctions? The Law 12/2018 provides for sanctions ranging from reprimands to fines of up to €1,000,000, depending on the seriousness of the infringement.
United Kingdom
The NIS Directive has been implemented by the Network and Information Systems Regulations 2018 (“UK Regulations”). These came into force on 10 May 2018.
- Criteria for designating operators of essential services: The UK Regulations contain long and detailed provisions for determining who is an operator of an essential service (for example, a provider of DNS services is caught if it serves an average of 2,000,000 or more requesting UK clients in 24 hours, or provides authoritative hosting of domain names for 250,000 or more different active domain names). Importantly, however, the UK Regulations do not cover banking or financial market infrastructure, as these are already subject to sufficient regulation under existing financial services legislation.
Operators of essential services caught by these criteria must notify the relevant competent authority by 10 August 2018. Relevant digital service providers must register with the Information Commissioner by 1 November 2018.
- Who is the competent authority? The competent authority for operators of essential services varies according to sector. For example, the competent authority for water transport is the Secretary of State for Transport.
The competent authority of digital service providers is the Information Commissioner. Importantly, the National Cyber Security Centre was not chosen as the competent authority as it would conflict with its role in helping companies respond to cyber-attacks.
- Who is the single point of contact? The National Cyber Security Centre (part of GCHQ) will fulfil this role.
- Who is the CSIRT? The National Cyber Security Centre (part of GCHQ) will fulfil this role.
- What is the time limit for notifying security incidents? Security incidents must be notified to the competent authority without undue delay and in any event within 72 hours of the operator or provider becoming aware of the incident. This is intended to match the personal data breach notification time limit in the GDPR.
- What are the sanctions? Breach of the UK Regulations can result in tiered fines. Those fines vary depending on the breach and start at a fine of up to £1 million. The highest tier is a fine of up to £17 million, which applies where the breach could result in an immediate threat to life or have a significant adverse impact on the UK economy.
By Peter Church (London) and Ceyhun N. Pehlivan (Madrid) with assistance from Tanguy Van Overstraeten and Guillaume Couneson (Belgium), Konrad Berger and Florian Schmitt (Munich), Sonia Cissé and Kate Jarrard (Paris)