With the text of the draft Network and Information Security Directive (“NISD”) still being negotiated between EU institutions, and the national transposition deadline for the Directive likely to be 18 – 24 months from the date of EU adoption, some Member States are pre-empting the new regime with national legislation of their own. France has already implemented the principles enshrined in the draft Directive via its Military Programming Act, which was published at the end of 2013.
France has already implemented many of the principles enshrined in the Draft NISD into national law. The French Government published its strategy on Information systems and defence in February 2011. This included reviewing and where necessary strengthening cyber laws. As a result, the government passed Article 22 of Act n°2013-1168 dated 18 December 2013 (the “Military Programming Act”) which sets out several obligations applicable to vitally important operators (“VIOs”) which are comparable to those imposed by the Draft NISD on operators of critical infrastructures.
It should be noted that Article 22 of the Military Programming Act has not yet come into force; various decrees and Ministerial orders which will spell out the detail of the regime have not yet been published – for example, those specifying security standards applicable to VIOs, the notification procedure, criteria defining an “incident” triggering the notification obligation and conditions and limits of “inspection” powers of the Prime Minister.
The French National Agency for the Security of Information Systems (“ANSSI”), i.e. the regulatory authority empowered to define the implementing and enforcement measures of Article 22, is currently working with the French government and with public and private entities to define the conditions under which this framework will apply. ANSSI had announced that the implementing decree was due by Autumn 2014. As of the date of publication of this article, however, no such decree has been published.
When published, the decree will set out general principles, and following such publication, ministerial orders will be published to define sector-specific rules (if any) and implementation deadlines. At a cyber security conference in September, the ANSSI director indicated that France was “the first to go down this road. Other countries have tried, without succeeding” and that implementation conditions remain “unclear”, even at the NATO level (therefore not providing a reference framework for the ANSSI).
NISD vs Military Programming Act – how do they compare?
Below we highlight the key similarities and differences between the French legislation and the proposed NISD. Note that there are significant differences between the Commission’s original draft of the NISD published in February 2013 and the amended text approved by the European Parliament in March 2014. It remains to be seen what the final compromise text of the NISD agreed by all three EU institutions will look like. As things stand, here’s how the new French regime compares to the proposed EU-wide regime.
- Breach notification deadlines: the Draft NISD (as amended by the European Parliament) requires breach notification “without undue delay” (Article 14 (2)) and the Military Programming Act requires notification “without delay”.
- Audits: the broad obligation for VIOs to subject themselves to security audits under the NISD (as originally proposed by the European Commission, Article 15(2)) is similar to the “inspection” obligation under the Military Programming Act. However, the EP’s text has significantly watered down the audit requirement.
- Scope: the notions of VIOs in the Military Programming Act and of “vitally important sectors” under the relevant French legislation are slightly broader than the scope of “critical infrastructure” (in the sense of the Council directive 2008/114/EC) and of “market operators” in the Draft NISD (see the table for more detail).
- Inspection and audit: the French Prime Minister’s powers to inspect and audit VIOs go further than the equivalent proposals under the EP’s version of the Draft NISD.
- Sanctions: the French law includes specific sanctions for a VIO’s failure to comply with any of the obligations specified in Article 22, following a formal notice (up to EUR 750.000 for corporate entities). However, such formal notice is not required prior to imposing a fine in case of failure by a VIO to notify the Prime Minister “without delay” of a cyber-breach.
- Notification triggers: no materiality threshold for cyber security incidents triggering the notification requirement is yet provided by the Military Programming Act, compared to the “significant impact” threshold and criteria included in the European Parliament’s proposed version of Article 14(2) of the Draft NISD.
- Notification to the public: whereas the Draft NISD (European Parliament’s version, Article 14 (4)) provides for precise criteria and conditions for notification to the public of cyber security incidents, the Military Programming Act remains silent on this possibility.
For further details on the similarities and differences between the Draft NISD and the Military Programming Act, please refer to the comparative table available here.