February 2017 - Security | IT Law | Critical Infrastructure | Cyber Security

Cyber Security in the EU

First EU-wide cyber security rules established - What's new for European companies? Interview with Thorsten Ihler from Fieldfisher

Source: Adobe Stock | merydolla

Thorsten Ihler, Associate, Fieldfisher

Thorsten Ihler, Associate, Fieldfisher

In July 2016, the European Parliament adopted the "Network and Information Security Directive", also known as the NIS Directive. dotmagazine talked to technology lawyer Thorsten Ihler from the European law firm Fieldfisher about the impact of the Directive. Read on to learn about the most important legal changes and operational challenges that companies across the EU are facing now.
DOT MAGAZINE: What is the goal of the NIS Directive and when will it come into force?
THORSTEN IHLER: The rationale behind the Directive has to be seen in the strategy of the European Commission for a true Digital Single Market. Only a high common level of cyber security can ensure both companies' and consumers' trust in a Digital Single Market across the EU. Therefore, the European legislator wanted to enhance the level of harmonization of cybersecurity practices in Europe. The Directive has to be implemented in member states' national laws by May 2018. They will have until November 2018 to identify operators of essential services on a national level.
DOT: What are the main ideas to achieve this goal?

IHLER: Each member state will adopt a national strategy on the security of network and information systems defining the strategic objectives and appropriate policy and regulatory measures with a view to achieving and maintaining a high level of security of network and information systems. There are two main instruments in the Directive to achieve this. First, improving the cooperation between member states and the public and private sector by establishing a cooperation group and by creating a computer security incident response teams network (or CSIRTs network). Second, the Directive requires systematic risk management practices and notification of significant incidents to national authorities.
DOT: What is the scope of the Directive, in particular regarding companies from the Internet industry?

IHLER: It is important to know that, as a general rule, the Directive does not apply if there is already special legislation in place that is imposing similar notification obligations on companies from a certain sector, e.g. the energy industry or the financial market. Also, telecommunication operators are excluded from the NIS because they are already subject to specific security and integrity requirements. Apart from such exemptions, the NIS Directive covers "operators of essential services" (OESs) on the one hand and "digital service providers" (DSPs) on the other hand.
DOT: What do these categories mean in detail?
IHLER: OESs are companies from the private or public sector, whose failure can cause a significant disruptive effect. Member states need to identify OESs in their jurisdictions, including indicators like the number of users, direct dependency on other sectors, or the economic or societal safety impact that incidents could have. From the perspective of the Internet industry, the impact for DSPs is much more interesting. For instance, a Directive annex on OESs lists a "Digital Infrastructure" sector, expressly mentioning Internet exchanges, domain name system service providers and top level domain name registries. The Directive annex on DSPs mentions online market places, online search engines and cloud computing services as types of services to be regulated. In other words, the definitions more or less mirror the most important types of eco member companies.
DOT: Are there any exemptions regarding digital service providers?
IHLER: Yes, there are exemptions for micro- and small enterprises. These are enterprises with a staff headcount below 50 and a turnover of up to EUR 10 million per year.
DOT: What do DSPs need to do (unless they are subject to an exemption)?
IHLER: There are a number of obligations. The general rule says that you have to take appropriate and proportionate technical and organizational measures to manage the risks posed to the security of networks and information systems used in your operation. Details will depend on the individual company, their business model and the IT and network infrastructure they have in place. For instance, you may be obliged to have the latest software versions in place and implement your updates and security patches as soon as they are available. With regard to the appropriate technical measures, national or international standards like DIN and ISO may provide some guidance here. Also, national security authorities may have published guidance on their own, like the Federal Office of Information Security (BSI) does for Germany.
DOT: Once a company has these measures in place, are there any additional obligations?

IHLER: Yes. The most important obligation is to notify the CSIRTs immediately if there is a security incident with a substantial impact. To determine this, the NIS Directive sets up a number of parameters that must be taken into account. The ones specifically listed are the number of users affected, the duration of the incident, and the geographical spread of the incident. National laws may set out more details in the future.
DOT: What do you recommend to do as long as member states' national laws have not been updated – how can companies be best prepared?
IHLER: Monitoring the national implementation process is of course crucial. As a European law firm, we are currently supporting a lot of clients in monitoring the implementation process in the relevant jurisdictions. It is also important to know that there will be differences on the national levels, as some states will probably go further than what is required by the Directive. Companies should try to find out as early as possible whether they are caught by their national law or whether they can make use of an exemption.
DOT: Is there anything else one can do today?

IHLER: If there is not already a system in place, I would recommend starting to document and implement an internal policy for technical measures and breach reportings as soon as possible. Hopefully, these can build in part on existing certifications and privacy compliance documentation. Have you defined the right team to handle incidents in your company? Is there a process to follow in the flurry of activity after an incident has been spotted? IT and cyber security requires a holistic approach so that people from different parts of the company need to be included. The earlier you start developing a customized security policy and defining processes in order to comply with the new requirements, the less you will be caught in an inefficient rush towards mid-2018. You may benefit from a greater synergy by combining the NIS efforts with privacy compliance in the face of the EU General Data Protection Regulation, which will be applicable throughout the EU from 25 May 2018.

Please note: The opinions expressed in Industry Insights published by dotmagazine are the author's own and do not reflect the view of the publisher, eco – Association of the Internet Industry.