By Natasja Bolton, Senior Acquirer Support QSA
In our recent data breach article, we discussed the need for businesses to consider both their Payment Card Industry Data Security Standard (PCI DSS) and legal obligations when planning for security incidents and data breach reporting. In this article we discuss the recently published EU Directive on security of Network and Information Systems (the NIS Directive). The directive sets out security obligations for certain types of organisation and also includes a security incident reporting requirement.
What is the NIS Directive and when will it come into force?
The NIS Directive is part of the European Commission’s strategy for cyber security and the digital single market. It is the first piece of EU legislation to establish EU-wide rules for cyber security. The aim of the legislation is to achieve a “high common level of security of network and information systems within the EU”.
The NIS Directive was published in the Official Journal of the European Union on 19th July 2016, which set the timelines for implementing it across the EU. It entered into force on 8th August 2016, but it is not immediately applicable: each EU member state has 21 months to transpose it into national law, the deadline being May 2018. National laws will be required to meet the new directive. Additionally, each member state will need to designate a national competent authority to oversee implementation and enforcement, and to establish a Computer Security Incident Response Team (CSIRT) if one does not already exist.
The NIS directive will apply to operators of essential services in critical sectors and digital service providers. These organisations will be required to take measures to manage their cyber security risk and to report major security incidents. By August 2017 the European Commission will have determined and adopted the security and notification requirements applicable to digital service providers. EU member states have until November 2018 to determine which organisations within their jurisdiction are operators of essential services.
The table below provides guidance on the definition and types of organisations deemed to be operators of essential services and digital service providers:

| Operators of Essential Services* | Digital Service Providers |
|---|---|
| Organisations in the sectors listed in Annex II of the Directive | Providers of online marketplaces, online search engines and cloud computing services (as defined in Annex III) |
*Each member state is required to use the following criteria to identify the organisations considered to be operators of essential services:
- The entity provides a service which is essential for the maintenance of critical societal and/or economic activities;
- The provision of that service depends on network and information systems;
- An incident would have significant disruptive effects on the provision of that service, taking into account a number of pre-agreed cross-sectoral factors such as the number of users affected, the geographic area that could be affected, etc.
Rules will differ
Different rules will apply to operators of essential services than they do to digital service providers. According to the new directive, operators of essential services must “take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems which they use in their operations”. Additionally, those operators will also need to “take appropriate measures to prevent and minimise the impact of incidents affecting the security of the network and information systems used for the provision of such essential services, with a view to ensuring the continuity of those services”. Also, they must “notify, without undue delay, the competent authority or the CSIRT of incidents having a significant impact on the continuity of the essential services they provide”.
Digital service providers face less stringent security obligations and need to “notify the competent authority or the CSIRT without undue delay of any incident having a substantial impact on the provision of a service … that they offer within the Union”. This wording also highlights a key point: the NIS Directive will apply to any digital service provider that offers online marketplace, online search engine and/or cloud computing services (as defined in Annex III) to people within the EU, even if the provider’s business is not established in an EU member country.
Digital service providers will be free to take security and operational measures they consider appropriate to manage the risks to the security of the network and information systems they use in the context of offering these services within the Union. However, the Directive does state that the following elements need to be taken into account:
- The security of systems and facilities;
- Incident handling;
- Business continuity management;
- Monitoring, auditing and testing;
- Compliance with international standards.
It can be seen therefore that digital service providers that have already implemented an information security management system (ISMS) or a recognised security framework will be well placed to comply with the NIS Directive. For example, if they operate an ISMS certified to the ISO/IEC 27001 standard, or have fully implemented the PCI DSS, they already have a baseline of operational and technical security measures covering risk management, monitoring and testing, and incident response, and there may not be much more they need to do. As we discussed in our data breach article, legal obligations continually evolve, and a review and update of the incident response plan to include the NIS Directive’s new incident reporting requirements may be all that is required.
Exemption and overlap
Not all organisations that fall within the definition of operators of essential services or digital service providers will be obliged to meet the NIS Directive. For digital service providers, applicability depends on the size of the organisation: the Directive excludes micro and small enterprises as defined in Commission Recommendation 2003/361/EC, that is, organisations with fewer than 50 employees and an annual turnover and/or annual balance sheet total not exceeding €10 million. No such size exemption applies to operators of essential services.
Exemption may also be granted where existing sector-specific EU regulation or legislation already addresses network and information security. For example, telecoms providers (those “providing public communication networks or publicly available electronic communication services”) are subject to the rules on the security and integrity of their networks and services under the Framework Directive of 2002. For that reason, while the NIS Directive does apply to digital infrastructure (internet exchange points, DNS service providers and top-level domain name registries), telecoms providers are considered to be exempt.
Organisations otherwise considered to be an operator of essential services or a digital service provider will only be exempt where the existing EU regulatory regime is considered to offer protection at least equivalent to that set out in the NIS Directive. It is not yet known whether organisations in scope for the revised Payment Services Directive (PSD2) will be exempt from the requirements of the NIS Directive. As both PSD2 and the NIS Directive are implemented through national laws in each member country, it will be critical that the national authorities ensure alignment of the network and information security requirements. Payments UK’s analysis of PSD2 provides a useful overview of the relationship between PSD2 and the NIS Directive, as well as other EU guidelines, regulations and directives, including the General Data Protection Regulation (GDPR).
The GDPR applies from May 2018 and, being a regulation rather than a directive, will apply equally across all EU member countries without national transposition. An Out-Law article discussing the NIS Directive states that “compliance with the General Data Protection Regulation will [not] remove responsibility for compliance with the NIS Directive”. There will be some overlap between the GDPR and the NIS Directive in relation to the reporting of security incidents where an incident also involves a breach of personal data; the NIS Directive makes it clear that organisations within its scope must also ensure they process personal data in accordance with the GDPR.
Given this overlap of regulation and legislation, and the fact that the security and notification requirements for digital service providers are due to be adopted by the European Commission in August next year even though national legislation need only be in place by May 2018, it is recommended that organisations start considering the NIS Directive’s implications now:
- Is your company likely to be included in the scope of the NIS Directive? The definition of digital service providers is already set in the Directive so you should be able to determine if it applies to you now.
- Has your industry sector been identified as already being effectively exempt due to existing legislative or compliance requirements?
- Consider whether the measures you have in place to secure the network and information systems you use in operation of services are “appropriate to the risk posed”. Given the very specific wording in the directive you may find you have to deploy further “state of the art” technology and processes in order to adequately defend against possible cyber-attacks.
- Examine your incident response plan to confirm you have processes in place enabling you to “notify without undue delay” in the event of an incident.
- As the NIS Directive and the EU’s overall cybersecurity strategy are designed to increase cooperation across borders and between all actors and sectors, seek out and engage with the bodies and resources available. For example, check this list of existing national CSIRTs; these bodies will be able to help you understand the key cyber risks that you may need to address.