New cyber security laws agreed on by EU law makers in early December are set to impact on a large number of businesses.
Political agreement on the draft Network and Information Security (NIS) Directive, which could still be amended, was reached by MEPs and representatives of EU governments in early December. It means the path has been cleared for the new rules to be formally adopted in spring 2016. National laws implementing the Directive will need to be in effect two years after it comes into force.
The NIS Directive will impose new network and information security requirements on operators of essential services and digital service providers (DSPs). In addition, those organisations will be required to report certain security incidents to competent authorities or Computer Security Incident Response Teams (CSIRTs). Each EU country must establish these teams, the Directive says. Different security and incident reporting rules will apply to operators of essential services than to DSPs, with a lighter touch framework applicable to DSPs.
A recently published draft of the Directive helps to clarify which businesses can expect to be classed as 'operators of essential services' or as DSPs for the purposes of the new regime.
When will the NIS Directive apply?
Before considering which types of organisations will be deemed operators of essential services or DSPs under the Directive, a key point to note is that the Directive will not apply to all operators of essential services or DSPs.
Following negotiations between the EU's legislative bodies the final version of the Directive acknowledges that some sector-specific EU regulatory regimes already deal with information and network security issues. The Directive says: "certain sectors of the economy are already regulated or may in the future be regulated by sector-specific Union legal acts" relating to information and network security.
Where this is the case, the NIS Directive will have no application, even if an organisation would otherwise be considered an operator of an essential service or a DSP. Only regulatory regimes which provide equivalent protection to that set out in the NIS Directive will qualify as a 'sector-specific Union legal act' that could apply instead of the provisions of the NIS Directive.
What is an operator of essential services?
Under the NIS Directive an operator of essential services is considered to be an entity that provides a service that is essential for the maintenance of critical societal and/or economic activities, so long as the provision of that service depends on network and information systems and if an incident to the network and information systems of that service would have significant disruptive effects on the provision of those services.
Only organisations operating within specified sectors listed in an annex to the Directive will qualify as an operator of essential services.
It will be up to each EU country to either draw up a list of all the companies within those sectors that fall subject to the new security and incident reporting rules or to devise "objective quantifiable criteria (e.g. output of the operator or number of users) which would allow to determine which entities are subject to NIS obligations and which are not", according to the Directive.
Operators of essential services in the energy sector
According to the draft, suppliers of electricity and gas, as well as electricity or gas distribution or transmission system operators are listed as types of operators of essential services.
Gas storage system operators, liquefied natural gas system operators, companies responsible for the production, transmission, distribution, supply, purchase or storage of natural gas and operators of natural gas refining and treatment facilities are also deemed to be operators of essential services too.
Similarly, operators of oil transmission pipelines and operators of oil production, refining and treatment facilities, storage and transmission are specifically referenced as being types of operators of essential services.
Operators of essential services in the transport sector
Within the air transport sector, airlines, airport managing bodies, including organisations that operate ancillary installations within airports, and air traffic control service providers are considered to be operators of essential services.
Likewise managers of rail infrastructure and licensed rail transport operators, as well as road authorities and operators of intelligent transport systems in the field of road transport.
In addition, ferry operators and other inland, sea and coastal passenger and freight water transport companies are in scope, together with bodies that manage ports, port facilities and entities that operate works and equipment contained within ports. Operators of vessel traffic services are also listed as being a type of operator of essential services.
Operators of essential services in the financial services sector
The NIS Directive's rules on operators of essential services will also apply to banks and other credit institutions. A credit institution is defined under existing EU legislation as being "an undertaking the business of which is to take deposits or other repayable funds from the public and to grant credits for its own account".
The rules will also apply to operators of trading venues, which includes regulated markets like the London Stock Exchange. Trading venues is a term that includes other multilateral or organised trading facilities, with the Alternative Investment Market (AIM) in London being an example of a multilateral trading facility.
Operators of essential services in the health and drinking water supply sectors
Heath care providers are considered operators of essential services under the NIS Directive. 'Health care provider' is a term broadly defined in existing EU legislation and will include hospitals and GP surgeries as well as, potentially, private sector health care businesses.
Suppliers and distributors of water intended for human consumption are also within the scope of the NIS Directive, although distributors for whom distribution of water for human consumption is only part of their general activity of distribution of commodities and goods will be exempt.
Operators of essential services – digital infrastructure
Operators of essential services have also been identified within the digital infrastructure sub-sector and mean the NIS rules will apply to internet exchange points, domain name system service providers and top level domain name registries.
An internet exchange point (IXP) is defined under the Directive as being "a network facility that enables the interconnection of more than two independent autonomous systems, primarily for the purpose of facilitating the exchange of internet traffic".
According to the Directive, an IXP "provides interconnection only for autonomous systems" and "does not require the internet traffic passing between any pair of participating autonomous systems to pass through any third autonomous system, nor does it alter or otherwise interfere with such traffic".
What companies will be considered to be digital service providers?
Digital service providers are treated differently under the NIS Directive than operators of essential services.
They face less stringent security obligations than operators of essential services and need to report security incidents they experience where those incidents have "a substantial impact on the provision of a service … they offer within the Union". In contrast, operators of essential services must report "incidents having a significant impact on the continuity of the essential services they provide".
Digital service providers are considered by the NIS Directive as being providers of an online marketplace, online search engine or cloud computing service, while a recital says that "hardware manufacturers and software developers" are not digital service providers.
For the purposes of the Directive, an online marketplace is defined as "a digital service that allows consumers and/or traders … to conclude online sales and service contracts with traders either on the online marketplace’s website or on a trader's website that uses computing services provided by the online marketplace".
A recital to the Directive confirms that price comparison sites are not to be considered as being online marketplaces but that app stores are.
Whilst each EU country is responsible for designating operators of essential services to be within the scope of the NIS Directive based on set criteria, the Directive does not offer discretion to countries to determine which digital service providers fall subject to the new framework. Instead, as a recital confirms, the Directive will "apply to all digital service providers within its scope".
Digital service providers that operate across more than one EU country will only be subject to the national NIS rules implementing the Directive in the country in which it has "its main establishment in the Union".
A recital clarifies that where a company's head office is legally based in a particular EU country that location may not necessarily represent its 'main establishment' for the purposes of the NIS regime.
A recital says: "Establishment implies the effective and real exercise of activity through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in this respect. This criterion should not depend on whether the network and information systems are physically located in that place; the presence and use of such systems do not, in themselves, constitute such main establishment and are therefore not criteria for determining the main establishment." This largely follows the trend of Court of Justice of the European Union case law decisions and the approach taken under the General Data Protection Regulation.
The Directive also clarifies that digital service providers that are "micro enterprises and small enterprises" are not subject to the rules and incorporates a European Commission recommendation from 2003 as the basis for identifying whether or not an organisation can be considered a micro or small enterprise.
Digital service providers – NIS Directive applies to those based outside of the EU too
The new Directive could impact on digital service providers based outside of the EU. DSPs not established in the EU but which offer services within the EU are considered to be within the scope of the Directive and are obliged to "designate a representative" based within the EU to act on its behalf under "written mandate".
Recitals to the Directive explain in more detail the circumstances in which non-EU established DSPs would be considered to be 'offering services within the Union'.
"In order to determine whether such a digital service provider is offering services within the Union, it should be ascertained whether it is apparent that the digital service provider is envisaging the offering of services to persons in one or more member states in the Union," according to the Directive.
"Whereas the mere accessibility of the digital service provider’s or an intermediary’s website in the Union or of an email address and of other contact details or the use of a language generally used in the third country where the digital service provider is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more member states with the possibility of ordering services in that other language, and/or the mentioning of customers or users who are in the Union, may make it apparent that the digital service provider envisages offering services within the Union," it said.