New EU cyber security and breach reporting rules agreed; in force 2017?

Claire Walker

Late yesterday (7 December) the EU institutions reached a deal on the Network and Information Security Directive (NISD). The Directive will introduce new cyber security requirements for providers of key infrastructure, and oblige them to report details of cyber attacks to the authorities. The deadline for bringing the new rules into force is expected to fall in Q3 2017. Businesses which fall within the Directive’s definition of “digital service providers” – including online marketplaces, cloud computing services and search engines – will also be subject to security and breach notification requirements. The final text of the Directive is still awaited. Datonomy will provide further analysis once the text becomes available.

What’s new?

On 7 December, after many months of trilogue negotiations, the EU institutions reached a compromise on the text of the NISD. The European Commission issued this press release and the Council of the European Union followed suit swiftly with this announcement. The draft Directive was proposed by the Commission in February 2013, as reported by Datonomy at the time here. The European Parliament approved an amended version of the Commission’s text in March 2014, but then, in the final leg of its legislative journey, negotiations got bogged down over the extent to which online service providers should be subject to similar security and notification requirements as more traditional essential services. Recent months have seen much negotiation over the finer points of the “digital service provider” definition, and much lobbying by the tech sector to keep regulation light touch. We will have to wait for the final text to be released to see the detailed scope and application.

Which businesses will be caught by the new rules?

In the meantime, the Commission and Council press releases tell us that – as expected – the following key infrastructure providers will be subject to the new rules: “energy: electricity, oil and gas; transport: air, rail, water and road; banking: credit institutions; financial market infrastructures: trading venues, central counterparties; health: healthcare providers; water: drinking water supply and distribution; digital infrastructure: internet exchange points (which enable interconnection between the internet’s individual networks), domain name system service providers, top level domain name registries.” The Commission’s release also tells us that “Member States will identify these operators on the basis of criteria, such as whether the service is essential for the maintenance of critical societal or economic activities.”

On the more vexed question of online service providers, the Commission tells us that: “Important digital businesses, referred to in the Directive as “digital service providers” (DSPs), will also be required to take appropriate security measures and to notify incidents to the competent authority. The Directive will cover the following providers:

  • Online marketplaces (which allow businesses to set up shops on the marketplace in order to make their products and services available online)
  • Cloud computing services
  • Search engines”.

The Council’s release confirms that the regime for DSPs will be lighter touch than for the critical sectors – although for now it remains to be seen how much lighter.

What should I look out for next?

Datonomy readers should look out for the official text of the Directive over the days or weeks to come. This needs to be signed by the Presidents of the Parliament and the Council, then published in the Official Journal. From that point, the (slightly unusual) 21-month transposition deadline will start to run, taking us into Q3 of 2017. We can also expect to see further activity at national level, as national governments – many of which already have cyber security strategies well underway, and even national legislation in force or in the pipeline – transpose the detail of the new Directive. ENISA, the EU’s agency for Network and Information Security, will also play a key role in the new regime, for example in relation to improving coordination and cooperation between Member States.

Meanwhile, attention is focused on Brussels for news about security and breach notification rules specific to personal data, under the GDPR. The final two trilogue negotiations on the GDPR are scheduled for 10 and 15 December, with the proposal’s Rapporteur, Jan Albrecht, reporting that he is confident that a deal will be concluded on 15 December and a compromise text delivered in time for Christmas. Datonomy will bring you the latest news on both the NISD and the GDPR.
