Reed Smith Client Alert

Authors: Cynthia O'Donoghue

On 7 February, the European Commission (EC) published an EU Cyber Security Strategy encompassing a proposed Directive on Network and Information Security (NIS Directive). The aim of the Strategy and NIS Directive is to establish a secure and trustworthy digital environment while promoting and protecting fundamental rights, including data protection, democracy and the rule of law.

Global societies have become increasingly reliant on network and information systems, in particular the Internet, to facilitate the cross-border transfer of goods, services and people. Given this transnational dimension, and the potential for disruptions occurring in one EU Member State to impact another, it is imperative that these systems remain reliable, trusted and secure from incidents, malicious activities and misuse. The European Network and Information Security Agency’s (ENISA) recent report on the cyber threat landscape highlights the vulnerability of network information system technologies, such as cloud computing and associated big data sets, where the concentration of vast amounts of data in few logical locations makes it an attractive target for cyber threat agents.

Within the EU, significant strides have been taken to achieve resilience and stability on network and information systems. ENISA was established through EU Regulation (EC) No 460/2004 in order to ensure a high level of Network Infrastructure Security (NIS) within the EU, and to assist Member States and the EC in facilitating the exchange of best practise. The EC also established the European Cybercrime Centre (EC3) in January 2013, which is incorporated within the European Police Office (EUROPOL) and at the core of cybercrime law enforcement within the EU. Laws including Directives 2002/58/EC and 2002/21/EC are also in place to ensure that all data controllers in the electronic communications sector are obliged to put in place appropriate technical and organisational measures to protect the integrity of their systems and the security of personal data. The recent 2012 proposal for a General Data Protection Regulation creates further requirements for data controllers to report breaches of personal data to the national supervisory authorities within the EU.

Legislative loopholes in the EU are still prevalent because of the purely voluntary system of cyber threat and risk prevention currently in place, with no overarching obligation to ensure all Member States have the required capabilities to level the playing field. Such obligation would provide effective protection of fundamental rights, and specifically the right to the protection of personal data. Member States therefore have disparate capability and preparedness levels for fighting cybercrime, while the magnitude and frequency of security incidents continues to increase exponentially, often leading to a damaging of the functioning of information networks, and the creation of substantial financial and economic loss, whilst also undermining users' trust and confidence in the system.

The Commission Strategy in the NIS Directive therefore strives to facilitate uniform implementation across the EU whereby each Member State adopts a national network and information security strategy. The NIS Directive still allows a degree of flexibility for Member States to implement it in their national legislation proportionate to the actual risks at a national level, while still achieving the desired adequacy level. Small business entities (SMEs) are not meant to be overly burdened since the security requirements are meant to be proportionate to the risks presented by the network or information system.

The crux of the NIS Directive is its security requirements and incident notification, with the inclusion of a minimum threshold for the harmonisation of security a welcome addition. Similar to the United States framework, the NIS Directive includes a national strategy, a risk-based program that takes account of the threats to or resources of public or private participants in the framework; a sectoral (e.g. telecommunications, energy, financial services) approach that emphasizes protection of critical infrastructure assets; a need for national and public-private information-sharing of threats and events; and a set of common, minimum information security standards. The NIS Directive suggests that existing security obligations imposed on the electronic communications sector should be extended to (i) public administrations, (ii) operators of critical infrastructure that are essential for the maintenance of vital economic and societal activities in the fields of energy, transport, banking, stock exchanges and health, and (iii) key providers of information society services as defined in Directive 98/34/EC, including social networks, search engines and cloud computing services. This is of particular importance as societies become increasingly reliant on social networks and cloud computing, which according to a recent study by the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE), can lead to the loss of control over an individual’s personal data and can subject web users to potential state espionage.

The proposed NIS Directive has many elements of the critical infrastructure/ cybersecurity program that currently exist in the United States, but extending the security obligations as proposed, though, greatly exceeds the reach of U.S. critical infrastructure programs, and essentially leaves no private business outside the reach of the Directive. The Directive asserts, without providing any real evidence for the assertion, that all of these new requirements will impose no additional costs, given the requirement under national data protection legislation to maintain appropriate security measures to protect personal data.

Under the NIS Directive, competent authorities must be provided with all the powers necessary to investigate public administrations or market operators’ cases of non-compliance, requiring them to provide documented security policies and undergo a security audit where necessary to assess the security of their networks. Since NIS incidents are often attributable to criminal activities, the NIS Directive also provides for appropriate co-operation with law enforcement authorities, and reporting suspected serious criminal incidents to such authorities is mandatory. The competent authorities are meant to work in close cooperation with personal data protection authorities when addressing personal data breaches. Member States are obliged to create Computer Emergency Response Teams (CERTs) to handle incidents and risks, and guarantee effective and compatible capabilities to deal with incidents and risks, and ensure efficient cooperation at the European Union level. As noted, cooperation between both public and private entities is an essential component within many provisions of the Directive. Continuing this theme, the Directive creates an obligation to provide a sufficient cooperation network between all actors at the EU level, such as ENISA, EC3, national defence and security authorities. The cooperation network would allow competent authorities to circulate early warnings on risks and incidents to ensure a coordinated response.

While the NIS Directive asserts that the sharing of risk and incident information is legitimate under Article 7 of the EU Data Protection Directive (95/46/EC), there may be some tension between implementation of the NIS Directive by competent authorities and the interests and jurisdiction/prerogatives of Data Protection Authorities. In the section on implementation and enforcement, the NIS Directive requires "market operators and public administrations" to provide information necessary to assess the security of their networks, including copies of security policies. It also requires these entities to undergo audits and provide the results to the competent authority.

Given the global nature of NIS issues, better transnational cooperation with international bodies/authorities is also promoted in the Directive, which is also laudable. This sharing of information could potentially involve the processing of personal data so it is necessary that it is subject to adequate protection measures, and is proportionate and fairly processed in accordance with the Data Protection Directive 95/46/EC.

Addressing the issue of sanctions, the Directive asserts that Member States are given the authority to lay down the rules according to national provisions, which could be considered to give too much flexibility to Member States and could lead to dangerous precedents being set. A solution might be to impose sanctions based on a competent authority's judgment disregarding company commercial issues. Sanctions could also be limited to instances where security failures are the result of reckless disregard of the risk, or negligence, especially as security is never a bright line rule and is scalable.

The breadth and scale of the effort contemplated by the NIS Directive may impede progress. If the principal purpose is to require Member States to create strategies and agencies for implementation and supervision of critical infrastructure and cybersecurity efforts that are consistent across the EU, this would be a laudable goal. This would aid the creation of CERTs, sharing of information, harmonization of law enforcement investigations, and setting of standards. The addition of prescriptive requirements on "market operators" will almost certainly lead to the same contentious debate that has pervaded the effort to pass national cybersecurity legislation in the United States. In addition, the insertion of a sanction regime will only add to the difficulties in passing the legislation and, given that security is scalable and risk dependent, sanctions should only arise not for a breach, but when the risk has either been negligently assessed or there is a reckless disregard.

It is clear that the viability of this proposal rests on a strong partnership being forged between many EU-wide authorities to prevent and contain risks associated with cyber threats. It is a continuously evolving area of technology, and the provisions of the Directive go some way to demonstrating that the EU is moving in the right direction to fill the vulnerability gaps.