The NIS Directive and the potential for European Member State cooperation
Imagine a massive cyber attack shutting down your fridge-freezer, immobilising your car and switching off your central heating.
As the deadline looms for EU Member States to compile a list of ‘essential services’ that will require a national strategy to provide a particular standard of cyber security under the Network and Information Systems Directive (‘the NIS Directive’), Mark Surguy, Partner at Weightmans, dissects the applicability of the NIS Directive and the potential success of Member States working cooperatively to protect such services.
Imagine a massive cyber attack shutting down your fridge-freezer, immobilising your car and switching off your central heating. Worse still, what if the attack took out all the traffic lights in major cities, disabled railway signals and infiltrated air traffic control? Such a scenario might seem fanciful, but its likelihood seems greater today than ever.
Mindful of the impact of deliberate and malicious attacks but also taking cognisance of simple system failure, the aim of the NIS Directive is to drive improved collaboration across the European Union and to require each Member State to create a national strategy for the protection of its key network and information systems with a view to an overall improvement in resilience. Its scope is not all systems operators, but those providing essential services and a limited number of operators of digital services and who are either based in a Member State or who are doing business in one or more Member States. By insisting on minimum levels of security and by introducing a national and cross border system of notification of major incidents, it is hoped that a ‘doomsday’ scenario such as that outlined above can by avoided or at least contained.
But who is a provider of an essential service? Furthermore, surely digital service providers are already commercially motivated to take their own steps to combat cyber attacks. Do they really need regulatory supervision?
Digital service providers were at one stage going to be excluded from the ambit of the Directive. In the result, however, providers of online search engines, cloud computing services and online marketplace providers have been brought within its scope. The application of the NIS Directive to these particular providers was driven by a realisation that digital services are of significant use to some businesses. If these services were to be taken out of action, there might not be suitable alternatives and the impact on business could be severe. There is also a recognition that providers of essential services themselves also may rely on these digital services. Equally, however, the NIS Directive recognises that the degree of risk for digital service providers might be less than for those of the providers of essential services. For this reason the security requirements of the NIS Directive are less onerous for digital service providers than for the providers of essential services.
The fact remains that the standard of security of information systems varies considerably across the European Union with some countries more vulnerable than others. Consumers and businesses are therefore better protected in some Member States than in others. The NIS Directive requires the exchange of information on the kind of incidents that are occurring across the EU, who is being targeted and how best to respond to them. If best practice is shared, it is believed that standards overall will be improved. The NIS Directive also requires national governments to encourage the adoption of international standards (this could be ISO 27001 on information security management, for example) or other relevant European standards. The UK Government has published a set of high-level security principles which it will expect affected operators to observe…. READ MORE