4.5.4 NIS
On 7 February 2013 the European Commission published its Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace [34] (the Cybersecurity Strategy), together with a proposal for a Network and Information Security (NIS) Directive [35]. The proposed Directive is a minimum harmonisation instrument [33]: it aims to ensure a higher level of network and information security across the whole EU by setting a threshold that national laws must meet, while leaving Member States free to exceed the minimum mandatory level.
The proposal represents the EU's first attempt to enact a comprehensive set of cybersecurity norms that are not restricted to a particular area or regulatory sector. It marks a polar shift towards a mandatory framework for cooperation and incident notification, which sharply differentiates it from the voluntary cooperation and data breach reporting mechanisms with which the EU is familiar [34].
Despite the widespread view that cybercrime and the lack of cybersecurity represent a major threat [35] to public safety, economic well-being and national security, the legislative proposal generated a significant amount of concern, both from economic actors and from Member States. Some actors worry that this top-down, cross-sectoral, mandatory form of regulation could ultimately hinder European businesses. The imposition of burdensome and static administrative requirements, together with the increased reputational risk to which all companies bound by mandatory breach notification requirements would be exposed, led the European Parliament, guided by its Internal Market and Consumer Protection (IMCO) Committee, to significantly amend and water down the original NIS Directive proposal. A final parliamentary version was voted on 13 March 2014.
The Strategy enumerated the cybersecurity priorities of the EU [36], amongst which NIS naturally assumes a prominent position. The Commission's proposal for a NIS Directive, published along with the Strategy, addresses this priority by pursuing three objectives [37]:
1. Having the Member States reach a high [38] level of national information security capability by establishing competent authorities for NIS, setting up Computer Emergency Response Teams (CERTs), and adopting national NIS strategies and national NIS cooperation plans [39];
2. Stimulating cooperation at EU level within a network "enabling secure and effective coordination, including coordinated information exchange as well as detection and response at EU level [...] to counter NIS threats and incidents on the basis of the European NIS cooperation plan" [35];
3. Mandating operators in critical sectors [40] and public administrations to adhere to stringent risk assessment and management practices, adopting appropriate and proportionate security measures and reporting NIS incidents that are deemed sufficiently serious.
Those objectives are reflected in the proposed Directive's structure. The proposal is divided into five sections, respectively titled General Provisions, National Frameworks on Network and Information Security, Cooperation Between Competent Authorities, Security of the Networks and Information Systems of Public Administrations and Market Operators, and Final Provisions. The Directive also contains two annexes, containing respectively a list of tasks and requirements for CERTs and a (non-exhaustive) list of market operators covered by the Directive.
As to the first area, concerning Member States' future national frameworks for NIS, Article 5 would mandate Member States to adopt a "national NIS strategy" [41], comprising a "NIS cooperation plan" [42], to be communicated to the Commission within one month of its adoption. Under the following Article 6, Member States would also have to designate a competent national NIS authority tasked with monitoring the Directive's application and contributing to its coherent implementation across the EU. Moreover, Article 7 requires Member States to set up a CERT responsible for handling incidents and risks according to a well-defined process, under the supervision of the competent authority designated under Article 6; the CERT would need sufficient technical, financial and human resources to respond effectively to incidents as set out in its tasks, and Member States would need to ensure that it can rely on the secure information-sharing infrastructure set out in Article 9 of the proposed NIS Directive.
The third section tackles the second objective of the NIS Directive: the development of a solid cooperation system between the competent authorities mentioned above. Setting up a cooperation network would logically be the first step, and indeed Article 8 states that the competent authorities and the Commission shall form a network (the "cooperation network") to cooperate against risks and incidents affecting network and information systems.
The network's members shall:
(a) Circulate early warnings on risks and incidents;
(b) Ensure a coordinated response in accordance with Article 11;
(c) Publish on a regular basis non-confidential information on on-going early warnings and coordinated response on a common website;
(d) Jointly discuss and assess, at the request of one Member State or of the Commission, one or more national NIS strategies and national NIS cooperation plans referred to in Article 5, within the scope of this Directive;
(e) Jointly discuss and assess, at the request of a Member State or the Commission, the effectiveness of the CERTs, in particular when NIS exercises are performed at Union level;
(f) Cooperate and exchange information on all relevant matters with the European Cybercrime Center within Europol, and with other relevant European bodies in particular in the fields of data protection, energy, transport, banking, stock exchanges and health;
(g) Exchange information and best practices between themselves and the Commission, and assist each other in building capacity on NIS;
(h) Organise regular peer reviews on capabilities and preparedness;
(i) Organise NIS exercises at Union level and participate, as appropriate, in international NIS exercises.
A secure information-sharing infrastructure, like the one Member States must make available to their national CERTs, is foreseen in Article 9, so that the members of the cooperation network can communicate through a secure system.
The Directive also highlights the importance of early warnings (Art. 10) and coordinated responses (Art. 11), clearly signalling the weight coordination mechanisms carry during the whole lifecycle of an incident, from detection to response.
Setting up such a network would imply a high level of cooperation and information sharing throughout the EU, and possibly at a global level as well, given the transnational, borderless nature of NIS threats and incidents. To achieve this level of cooperation, Article 12 empowers the Commission to adopt a Union NIS cooperation plan, no later than one year after the Directive's adoption, to coordinate Member States' NIS action; Article 13, for its part, states that the EU may conclude international agreements with third countries or with international organisations that partly or fully integrate them into the Union's cooperation plan.
The Directive's fourth section deals with the NIS requirements and incident notification duties of public administrations and market operators. Both are to take appropriate technical and organisational security measures [43] to manage the NIS risks relating to their operations. Those measures must be appropriate having regard to the state of the art, and guarantee a level of security appropriate to the risk presented: in particular, "measures shall be taken to prevent and minimise the impact of incidents affecting their network and information system on the core services they provide and thus ensure the continuity of the services underpinned by those networks and information systems" [44]. Both, moreover, shall notify the competent authority of "incidents having a significant impact on the security of the core services they provide" [45]. According to its last paragraph, however, neither the mandatory NIS measures nor the notification requirement set out in the first two paragraphs of Article 14 apply to micro-enterprises, as defined in Commission Recommendation 2003/361/EC of 6 May 2003. Moreover, Article 1(3) clarifies that "(t)he security requirements provided for in Article 14 shall apply neither to undertakings providing public communication networks or publicly available electronic communication services within the meaning of Directive 2002/21/EC, which shall comply with the specific security and integrity requirements laid down in Articles 13a and 13b of that Directive, nor to trust service providers".
The Parliament, mainly steered by its IMCO Committee, significantly amended the Commission's proposal for a NIS Directive at first reading [36], arguably watering down its scope and effectiveness.
As mentioned, under the Commission's version the security and reporting requirements of the Directive would have applied to public administrations and to market operators, defined as either (a) providers of information society services which enable the provision of other information society services or (b) operators of critical infrastructure that are essential for the maintenance of vital economic and societal activities in the fields of energy, transport, banking, stock exchanges and health. Annex II specifies, albeit non-exhaustively, which categories of undertakings qualify as market operators for the purposes of the Directive.
The Parliament's version removes public administrations from the scope of the Directive and amends the list of market operators, excluding providers of information society services (as defined by the e-Commerce Directive) such as e-commerce platforms, internet payment gateways, social networks, search engines, cloud computing services and application stores, and focusing instead on energy, transport, financial market infrastructures, water and food production and supply, and internet exchange points [46]. A new Article 13a, moreover, allows Member States to determine the level of criticality of market operators, taking into account a range of considerations, such as the specificities of the sector, the importance of the particular market operator for maintaining a sufficient level of service, the number of parties supplied by the operator, the time period until the discontinuity of the operator's core services has a negative impact on the maintenance of vital economic and societal activities, and so on.
The Parliament also clarifies the incident reporting obligation set out in Article 14. Notification, it specifies, shall be made without undue delay when incidents affect the continuity of the core services in a significant manner [47]; the significance of the incident shall be determined taking into consideration the number of users affected, its duration and its geographic spread. A newly introduced paragraph 2a specifies, moreover, that the authority to be notified is that of the country in which the affected core service is provided. Finally, the fifth paragraph of Article 1a states that the incident notification foreseen in Article 14 shall be without prejudice to the personal data breach notification provisions set out in Article 4 of Directive 2002/58/EC and in Regulation (EU) No 611/2013.
Despite narrowing the scope of the original Commission proposal, the Parliament's text highlights the connection between NIS measures, notification to the competent authority and individuals' rights to privacy and data protection by introducing Article 1a, titled Protection and processing of personal data, which binds the processing of personal data in the NIS context to compliance with Directive 95/46/EC, Directive 2002/58/EC, Regulation (EC) No 45/2001 and Decision 2009/371/JHA. The same article specifies that "(t)he processing of personal data shall be fair and lawful and strictly limited to the minimum data needed for the purposes for which they are processed" and that the data "shall be kept in a form which permits the identification of data subjects for no longer than necessary for the purpose for which the personal data are processed".
The text supported by the Parliament would need approval by the Council before it could become law, since under the ordinary legislative procedure both institutions must back a proposal before it is adopted. Discussions on how to reconcile the Commission's proposal with the Parliament's amendments were held among Member States' representatives [48]. The European Parliament, the Council and the Commission reached agreement on the NIS Directive on 8 December 2015, but the final text was not yet available at the time of writing [49].
The exact content is therefore still unclear, but some information has been made available. In particular, the press release announcing the agreement [45] lists the following sectors:
- Energy: electricity, oil and gas
- Transport: air, rail, water and road
- Banking: credit institutions
- Financial market infrastructures: trading venues, central counterparties
- Health: healthcare providers
- Water: drinking water supply and distribution
- Digital infrastructure: internet exchange points (which enable interconnection between the Internet's individual networks), domain name system service providers, top level domain name registries
Member States will identify these operators on the basis of criteria such as whether the service is essential for the maintenance of critical societal or economic activities. The Directive will also cover:
- Online marketplaces
- Cloud computing services
- Search engines
ENISA will provide the secretariat of a new CSIRT network bringing together all national CSIRTs.
Overall, the NIS Directive is expected to have a positive impact on EU cybersecurity in general and on the A4Cloud project in particular. The shift from a generalised voluntary approach to a mandatory framework is timely and opportune; the main issue, rather than whether the Directive should be enacted at all, seems to be balancing its scope and obligations so as not to unreasonably hinder economic operators' ordinary activities by burdening them with too many obligations. As for the Project's scope, the adoption of a mandatory incident notification mechanism and the imposition of a stricter minimum level of security measures could boost the usefulness of, and therefore potentially the demand for, the A4Cloud toolset. The concordance between the NIS Directive's ratio legis and the A4Cloud tools follows clearly from the Project's definition of accountability: "defining governance to comply in a responsible manner with internal and external criteria, ensuring implementation of appropriate actions, explaining and justifying those actions and remedying any failure to act properly" [1].
In the first place, the scope of the NIS Directive would be significantly restricted if the final version adheres to the Parliament's amendments. From the Project's point of view, keeping information society services, cloud services included, in the list of operators bound by NIS obligations would increase the relevance of the Project's tools by aligning them with binding legal obligations. In particular, having cloud service providers (CSPs) subject both to the security requirements set out by the Directive and to the notification obligation would significantly boost the tools' usefulness. In any case, adoption of the A4Cloud toolset by the economic operators to whom the Directive will eventually apply is likely to be a meaningful aid to compliance, and even if public administrations and some economic operators are eventually excluded from the scope of the Directive, the Project's tools could still be adopted on a voluntary basis.
On the other hand, the Parliament's amendments show a closer connection and integration with both the existing data protection framework and the upcoming General Data Protection Regulation (GDPR), a welcome approach, considering that the obligations set out in the NIS Directive could turn out to have a markedly privacy-invasive side.
[34] "The current situation in the EU, reflecting the purely voluntary approach followed so far, does not provide sufficient protection against NIS incidents and risks across the EU. Existing NIS capabilities and mechanisms are simply insufficient to keep pace with the fast-changing landscape of threats and to ensure a common high level of protection in all the Member States": [35], p. 3.
[35] A research study conducted on U.S. companies by the Ponemon Institute in 2012, for instance, put the cost of a single lost or stolen record at around $194, the average size of a breach in the sample considered being 28,349 records: [54]. Another study, conducted by PwC U.K., quantified the mean cost of an organisation's single most expensive breach in one year at between £15,000 and £30,000 for a small business and between £110,000 and £250,000 for a large organisation, totalling billions of pounds in damages across the U.K.'s PLCs: [55].
[36] Achieving cyber resilience, reducing cybercrime, developing cyber defence policy and capabilities, developing industrial and technological resources for cybersecurity, and establishing a coherent international cyberspace policy for the European Union and promoting core EU values [56].
[40] As defined and enumerated by the proposed Directive and its annexes.
[41] The national NIS strategy shall address, as a minimum:
- The definition of the objectives and priorities of the strategy based on an up-to-date risk and incident analysis;
- A governance framework to achieve the strategy objectives and priorities, including a clear definition of the roles and responsibilities of the government bodies and the other relevant actors;
- The identification of the general measures on preparedness, response and recovery, including cooperation mechanisms between the public and private sectors;
- An indication of the education, awareness raising and training programmes;
- Research and development plans and a description of how these plans reflect the identified priorities.
[42] The NIS cooperation plan shall address, as a minimum:
- A risk assessment plan to identify risks and assess the impacts of potential incidents;
- The definition of the roles and responsibilities of the various actors involved in the implementation of the plan;
- The definition of cooperation and communication processes ensuring prevention, detection, response, repair and recovery, and modulated according to the alert level;
- A roadmap for NIS exercises and training to reinforce, validate, and test the plan. Lessons learned to be documented and incorporated into updates to the plan.
[43] "Security" means "the ability of a network and information system to resist, at a given level of confidence, accident or malicious action that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted data or the related services offered by or accessible via that network and information system": Art. 3, point 2, [35].
[46] Ibid., Annex II.