Cybersecurity: EU policymakers agree Network and Information Security Directive
European Union (EU) policymakers have made significant progress toward finalising the first EU-wide legislation on cybersecurity. The new rules, together with the EU data protection package, set the scene for a more harmonised cybersecurity framework across the EU.
On 7 December 2015, after over a year of negotiations, the European Parliament and the EU Council of Ministers reached informal agreement on the Network and Information Security Directive (“NIS Directive”).
This landmark Directive, the first time the EU has legislated on cybersecurity, aims to establish a harmonised set of security and incident-notification requirements for certain businesses (i.e. operators of essential services and digital service providers), so as to raise their resilience to cyber attacks.
- Application - The NIS Directive imposes obligations on operators of essential services and providers of key digital services and lists the essential services to which it applies. This list includes, among other sectors, transport, banking, financial market infrastructures, healthcare and energy. It does not mention insurers explicitly.
- Minimum harmonisation - The Directive sets out minimum harmonisation measures; Member States are not prevented from adopting stricter provisions to achieve a higher level of security of network and information systems. In the implementation phase, it is for Member States to identify the specific entities, under each listed sector, to which the rules will apply.
- Increased national cybersecurity capabilities - Each EU Member State must adopt a national strategy on the security of network and information systems and appropriate cybersecurity measures. They must designate a National Competent Authority (NCA) to monitor implementation of the rules, as well as Computer Security Incident Response Teams (CSIRTs) responsible for handling incidents.
- Security and notification requirements - The businesses to which the Directive applies will have to take appropriate and proportionate security measures to manage the risks posed to the network and information systems they control and use in their operations. They will be required to notify the relevant NCA, without undue delay, of incidents having a significant impact on the continuity of the core services they provide.
- Cooperation network - The EU Commission and the NCAs will form a cooperation network tasked with supporting and facilitating strategic cooperation and exchange of information.
- Sanctions - Breach of the obligations imposed by the Directive may attract onerous administrative sanctions. It is the responsibility of Member States to determine penalties which, according to the Directive, must be "effective, proportionate and dissuasive".
Interplay between NIS Directive and EU General Data Protection Regulation (“GDPR”)
Although both the NIS Directive and the GDPR require the entities they cover to adopt risk-based security measures and to notify incidents, they protect different interests and may apply to different types of incident.
Whilst the GDPR aims to safeguard personal data, the Directive's focus is the security of network and information systems. The addressees are also distinct: the GDPR will apply to any person or entity processing the personal data of individuals in the EU, whereas the NIS Directive is addressed to operators of essential services and digital service providers.
Finally, the NIS Directive specifies that, where personal data are compromised as a result of a serious incident, NCAs and data protection authorities must cooperate and exchange all relevant information so that the resulting personal data breach can be addressed.
Impact on the Lloyd’s market
- Risk management implications - Although insurers are not explicitly within the scope of the Directive, the final decision on whether particular entities meet the Directive's criteria is left to Member States.
- Financial market infrastructures and banks will be subject to breach reporting obligations and minimum security requirements. In the implementation phase, if the UK extends the obligation to meet cyber security requirements to all financial services firms, Lloyd’s managing agents and intermediaries will need to comply with the rules.
- Impact on underwriting - Lloyd’s remains a market leader in cyber insurance. Once implemented, the NIS Directive may drive demand for cyber insurance in Europe.
- The new EU rules support the creation of a risk management culture and will improve information-sharing practices between the private and public sectors. This will help underwriters to analyse rapidly evolving cyber threats, and risk managers to reduce uncertainty and identify better solutions.
The political agreement reached in December 2015 needs to be formally adopted by the European Parliament and the EU Council (expected in spring 2016). Once published in the EU Official Journal, Member States will have 21 months to implement the NIS Directive into national law and a further six months to identify operators of essential services.