06 Jul 2016

DIGITALEUROPE Views on Transposition of the EU Network and Information Security (NIS) Directive

EXECUTIVE SUMMARY

The Council of the European Union published the final version of the Network and Information Security (NIS) Directive on 21 April 2016. While this still needs to be formally signed off by the European Parliament this summer, the text itself has been agreed by the three EU institutions and is not expected to change. Member States are required to transpose it into national law within 21 months of its entry into force. In order to assist this process, please find attached in the appendix best practice guidance on how to implement the aspects relevant to the technology industry and effectively enshrine the intentions of the drafters.

The EU NIS Directive is the first pan-European cybersecurity legislation. It focuses on strengthening cyber authorities at the national level, increasing coordination among them and introducing security requirements for key industry sectors.

Any national implementing legislation should not lose sight of the two main objectives of the Directive: (1) ensuring a high level of cybersecurity for the country’s critical infrastructures; (2) establishing an effective cooperation mechanism among EU Member States to further this objective. Resources should be first and foremost dedicated to achieving these two important objectives.

For the technology industry, the provisions relating to the so-called digital service providers (DSPs) are of particular interest. The Directive clearly states that there are fundamental differences between operators of essential services (OESs) and DSPs. Indeed, the latter are not to be considered critical infrastructure as such. As the legislation recognises, an incident impacting these digital services would pose a significantly lower level of risk to a country’s economic security and public safety. Maintaining this distinction is also essential in order to deploy effectively and efficiently the scarce resources of the authorities that will have to supervise and enforce the rules.

As a result, we advocate close attention to the intended scope of the services in question and call on policy makers not to subject sectors other than those identified as DSPs and OESs to security requirements in national legislation.

With regard to jurisdiction, DSPs should be able to rely on the applicable law of the country of their main establishment, even in cases where competent authorities from more than one country are involved. On oversight, competent authorities should follow an ex post approach rather than imposing a general obligation to supervise DSPs. Furthermore, they should focus on outcomes and maintain the distinction between OESs and DSPs by not subjecting the latter to requirements not foreseen by the Directive, such as audits and binding instructions.

Security measures for DSPs should be different from those for OESs, given the Directive’s statement that these services represent a significantly lower security risk. Decision makers should realise the goal of harmonisation for these services, recognise existing industry-led international standards, avoid technology mandates and respect the right of DSPs, enshrined in the Directive, to define the security measures most appropriate for their systems. Incident reporting should also be as harmonised as possible at the European level, should focus on incidents impacting the continuity of the service, should respect the flexibility in the timing of notification and should create a trusted environment that encourages information sharing without exposing the notifying party to increased liability.

The measures imposed on OESs will also impact other industries, as security measures and incident reporting obligations will flow down into contract provisions. This is particularly true for cloud services. As a result, DSPs may indirectly be subject to the national laws of their customers, and hence we have a keen interest in seeing internationally recognised security measures apply to these services. We also propose as much coordination and synergy as possible between the reporting requirements on OESs and DSPs, given that the latter are likely to be subject to double notification.

The Directive sets out the ambition of achieving a high common level of security of network and information systems in order to improve the functioning of the internal market. To achieve this lofty goal, national transpositions should focus on a risk-based, harmonised and international approach that gives private sector actors the flexibility to adapt to an ever-changing threat landscape, allows cyber authorities to focus limited resources on the most significant challenges and recognises that the solution to a borderless problem needs to be global. We hope this guidance is a useful tool towards that end and would be delighted to answer any further questions you may have.
