Public bodies should be aware of a forthcoming EU Directive in the area of cyber security, which will have profound effects for a broad range of public bodies. The Network and Information Security Directive, commonly known as the Cyber Security Directive, was approved by the European Parliament in March and is winding its way through the legislative process.
The Directive is the European Union’s first comprehensive attempt to establish a set of minimum cyber security standards which would apply across all member states.
While the Directive is the European Union’s attempt to deal with this area, the same area is being dealt with in varying ways around the world. For example, in the USA, President Obama issued a Presidential Executive Order on the topic in 2013, intended to encourage government to work with operators of critical infrastructure, to share information on cyber threats and to implement minimum cyber security standards.
Early in 2014, the US National Institute for Standards and Technology issued a framework to achieve these objectives. The framework is non-mandatory and non-legislative, reflecting a view that the area is so fast-moving that to legislate runs the risk of the law being outdated quickly. The European Union has chosen to legislate in the area, by way of a Directive, which will require implementation in all Member States. While still a draft, it does seem that the general scope and thrust of the Directive is clear and public sector bodies should be aware of its import.
The draft Directive was originally published by the European Commission in February 2013, together with an accompanying Strategy. The Strategy aims to reduce cyber crime and improve network resilience by raising awareness of the issues surrounding cyber security, developing an internal market for cyber security products and increasing research and development investment. The Directive is the principal mechanism to achieve the Strategy’s objectives.
The European Commission is of the view that, given the prevalence of cyber crime, online industrial espionage and attacks on critical infrastructure, the lack of effective data sharing on threats and incidents, together with the absence of any form of level playing field across Member States in the information security area, is hindering the EU’s ability to respond adequately to cyber security challenges.
The European Commission believes that the existing, mainly voluntary and ad hoc, nature of information sharing between businesses, governments and Member States, results in “uncoordinated regulatory interventions, incoherent strategies and divergent standards, leading to insufficient protection against NIS across the EU”. The Directive is intended to take certain steps to address these concerns, by creating a cross-sectoral legislative framework within and across Member States, in which information sharing no longer takes place on a purely voluntary basis.
What the Directive does not do is deal with criminal law aspects of information security breaches. This is a criminal matter, which falls within the power of individual Member States where it is dealt with in local legislation. The primary Irish criminal laws date back to 1991 and 2001 and show their age.
Under the Directive, Member States are required to ensure the security of network and information systems in their territory. Member States must:
• Establish a national Network Information Security (“NIS”) Strategy and establish regulatory measures to achieve network security;
• Establish a National Competent Authority (“NCA”) to monitor and ensure the consistent application of the Directive in their territory and across Member States. The latest version of the Directive permits Member States to appoint several NCAs so long as one “national single point of contact” remains responsible and accountable; and
• Establish a Computer Emergency Response Team (“CERT”), responsible for handling incidents and risk.
The intention is to create consistency across Member States in the area of cyber threat management. There is a substantial job of work to be done here, as the European Network Information Security Agency recently revealed that only 17 Member States currently operate national cyber security strategies.
The Directive provides that NCAs and the Commission will form a co-operation network to co-ordinate against risks and incidents affecting network information systems (the “Co-operation Network”). The Co-operation Network will, amongst other tasks:
• Circulate early warnings about cyber threats (Member States must report to the Co-operation Network cyber threats that grow rapidly in scale, exceed national response capability or affect more than one Member State);
• Publish non-confidential information on an ongoing basis in relation to early threat warnings and co-ordinate responses on a common website; and
• Exchange information on best practice with participants within the Co-operation Network.
The Directive provides for mandatory security breach and incident notification requirements. This important obligation applies to market operators who provide critical infrastructure “the disruption or destruction of which would have a significant impact on a Member State”. The Directive contains a non-exhaustive list of such operators, which includes operators in the energy, banking, health, transport and financial services sectors. The broad application of the Directive should be noted.
Member States can decide exactly how “critical” an operator of critical infrastructure is and, therefore, whether it should be covered by the Directive. Note that Member States have a choice under the Directive of whether to include reporting obligations on public administration bodies. This amendment to the original Directive text could undermine the effectiveness of the Directive, as the Strategy noted the importance of all relevant stakeholders, whether public authorities or private sector bodies, taking action to strengthen cyber security.
Reporting obligations apply in respect of incidents having “significant impact”. Whether an incident has a significant impact will depend, in part, on the number of users of the services who are affected, the duration of the incident and the geographical area affected by the incident.
The Directive provides that Member States must ensure an NCA has all the necessary powers to scrutinise and investigate any non-compliance with Directive obligations. Market operators would be required to provide all information that is necessary to assess the security of their networks and to undergo security audits. The Directive further provides for the imposition of effective, proportionate and dissuasive sanctions. It is expected that an offending market operator will be fined a certain percentage of revenue. This is obviously an important provision.
The Directive represents an ambitious attempt to legislate for the prevention of cybercrime within the EU. If adopted, its proposals would help ensure that market operators of critical infrastructure, Member States and the EU are all prepared to a certain level to deal with cyber threats, by way of providing a common baseline of shared standards. Note the application of the reporting requirements of the Directive to operators of critical infrastructure. Note also, the potential broad definition of this term, as well as the potential application of the Directive to public bodies.
Nevertheless, a significant degree of uncertainty remains on certain key aspects of the Directive, such as how to co-ordinate an EU-wide response and exactly which public and private bodies are to be subject to the Directive. As is usual in the conclusion of EU legislation, there is a certain amount of horse trading still to be done before a final-form Directive emerges. However, public sector bodies and, in particular, those which operate critical national infrastructure, should be aware of the draft Directive and put in place suitable arrangements to deal with its application.
Pearse Ryan can be contacted as follows:
Arthur Cox, Earlsfort Centre
Earlsfort Terrace, Dublin 2
Tel: +353 (0)1 618 0518