The NIS Directive: everything explained
The NIS directive imposes heavy cybersecurity obligations on some organizations. What are these obligations, and which companies are subject to them?
2017 was a particularly virulent year for cyberattacks (don’t worry, I know it’s currently 2019). Compared to the previous year (2016), the number of attacks doubled, for a total of 700 million attacks carried out globally. This impressive score is proof that cybercrime is no longer an isolated act that only happens to other companies.
Against this rising digital criminality, the European political leaders had two solutions:
- Make dubious jokes to celebrate Europe’s attractiveness;
- Take things in hand and find some solutions.
Fortunately, the second option was chosen. That’s why 2018 was a legislatively rich year for cybersecurity (for better or for worse). Indeed, political leaders chose to crusade against hackers to get rid of cyberattacks. Everyone’s got their own way:
- The Americans decided to fight fire with fire. To that end, the government thought it would be worth invading the privacy of billions of individuals (hello, CLOUD Act!).
- By contrast, the European Union chose an increased protection of its citizens’ data (GDPR) and of its companies’ infrastructures on its territory (NIS directive).
And now you’re probably wondering, “What directive? Why didn’t you talk about it on your blog?” Fear not, dear readers, I’m going to talk about it. After reading this article, you will know everything there is to know about the NIS directive, enough to liven up your lawyer parties.
I’m warning you beforehand: this article is a long one. If you like stories with context, you guys are in for a treat. For those of you who want to get straight to the point, you can settle for the recaps.
This article only covers the transposition of the directive in the United Kingdom and in Ireland. If you want to read about the obligations imposed in France or Belgium, please read the French version of this article.
Some context for amateur historians
The context is really important if you want to understand what the NIS directive is all about. You do realize that European deputies didn’t wake up one day with the urge to talk about cybersecurity, right? It was a long process, which was mostly led by France.
Indeed, the very first enforceable cybersecurity law appeared in France. It was the Godfrain Law on computer fraud, passed on January 5th, 1988. Yes, at the time, cybercrime was already tormenting some parliamentarians, even though the democratization of the internet was still years away.
Because a fact is always spicier with a personal story, Jacques Godfrain has explained what led him to propose this law to his fellow deputies. In 1987, a journalist friend of his dragged him into a real software underground market, where hackers had managed to extract software from a computer database and sell it to the highest bidder. Back then, the French Court of Cassation had recently recognized software as an intellectual work in the famous Pachot case (only famous among French law students specialized in intellectual property), but until the case was reviewed by the Amiens Court of Appeal, that solution wasn’t enforceable. Consequently, software wasn’t yet legally protected by literary and artistic property law, and the theft of computer data wasn’t an offense either!
Outraged by what he had found out, Mister Godfrain was determined to remedy this legal loophole. Therefore, he proposed a law making any intrusion into an information system to extract data illegal.
For nearly 25 years, the Godfrain Law was flying solo in terms of cybersecurity. That lasted until December 18th, 2013, when the French Defense Program Law brought a breath of fresh air into the cybersecurity world. While attacks were becoming more and more frequent, the country’s leaders realized that these threats could put the nation at risk, with what had happened to the city of Tallinn, Estonia, in mind.
This French Defense Program Law gave rise to a new acronym: the OVI (“operator of vital importance”). By definition, OVIs are organizations designated by the French Prime Minister as essential to the country. In the event of an incident on one of their information systems, the country’s security or ability to survive would be strongly affected. This also covers any incident that would endanger the population’s health or life.
Consequently, all the operators concerned (whose list remains secret to this day) must implement substantial security measures to prevent cyber-risks. Their information system must be protected all the time by efficient solutions, in order to avoid any cyberattack.
Roughly speaking, that’s what this law is all about. When the European Union leaders got wind of the existence of such legislation in France, they got so fired up that they decided to create a similar law for the 27 other Member States.
And that’s how, on July 6th, 2016, after three years of debate, the European institutions finally passed the NIS directive (“Network and Information Security”)! The Member States were required to transpose the directive into national law by May 9th, 2018. The UK and Ireland didn’t really respect the deadline: the UK transposition came into force on May 10th, 2018 (did they do that on purpose?), while Ireland transposed it much later… on September 18th, 2018.
IN SHORT: Very few cybersecurity laws existed a few years ago. The Godfrain Law from 1988 was the only one for nearly 25 years. In 2013, the French Defense Program Law created OVIs, operators that must take all necessary measures to protect their information systems. These operators are essential to the effective functioning of the nation. The European Union leaders liked the French Defense Program Law so much that they decided to create a similar law enforceable throughout the EU: the NIS directive.
That’s great, but what’s the NIS directive about?
The NIS directive includes many new elements, but some of them originate from the French Defense Program Law.
More precisely, the list of sectors covered by the directive is much larger than in the French law on OVIs. Consequently, more operators must improve the security measures within their organization in order to avoid any cyberattack. To use the exact words of the directive, the operators’ information systems must be protected. OK, so if you read this article carefully (which I’m sure you did), you probably noticed that I have used the expression “information system” three times without even defining it. According to Article 4 of the directive, an information system is an interconnected device performing automatic processing of digital data. It contains digital data stored, processed, retrieved or transmitted for the purpose of its operation, use, protection and maintenance. That’s it.
To return to the subject, the NIS directive targets two categories: the OES (“operators of essential services”) and the DSPs (“digital service providers”). For more clarity, I’m going to go through these two categories one at a time.
IN SHORT: The NIS directive establishes two new categories: the OES and the DSPs. Each of them is subject to obligations in order to protect their information systems against any incident.
1st category referred to: the operator of essential services (OES)
For a decent introduction, you first need to define the subject. So, what’s an operator of essential services? According to the definition given by the European legislator, an OES is a public or private operator that provides a service essential to the maintenance of societal and economic activities. If an incident were to affect this operator’s network or information system, the country’s society and economy would be paralyzed.
Presented that way, this definition sounds like the plot of a Hollywood movie, or a Greek tragedy (assuming that hackers were already raging on during Antiquity).
If an OES were to be attacked or go through a serious technical incident, the economic consequences could have an awful impact on the quality of life of European citizens.
Yes, I can see you coming: “So, am I subject to this directive, or what?” Actually, the official OES list was never made public, for confidentiality reasons and to protect the nation’s interests. Only the list of sectors covered by the directive was made available:
- Energy (electricity, oil, gas)
- Transport (air transport, rail transport, water transport, road transport)
- Banking
- Financial market infrastructures
- Health sector
- Drinking water supply and distribution
- Digital infrastructures
From these sectors, you can guess which operators made it onto the “ultra-confidential” list of the NIS directive.
All the organizations whose activity is listed above must take all appropriate measures to prevent incidents that could affect their information system. Therefore, it is their responsibility to anticipate cyberattacks, and in particular to ensure continuity of service if an attack were to happen.
The operators must also report any security incident to the national competent authority (called the NCSC in both the UK and Ireland) as soon as they become aware of it.
Moreover, since good things always come in pairs, the operators can be inspected at any time to check their compliance. The inspection will be performed by the competent authority, or by a contractor of its choice.
Of course, any refusal of an inspection or failure to apply the NIS directive will result in heavy penalties (but I will get to that point later in this article).
In Ireland, the NCSC can carry out an assessment at any time, in particular through security audits, to make sure that your information system is well protected against any incident. That’s why you should take all appropriate measures to ensure compliance with the NIS directive.
IN SHORT: The OES are organizations essential to society and the economy. Without them, the nation would be paralyzed and wouldn’t function normally. Companies whose sector of activity is covered by the NIS directive will have to take important measures to anticipate cyberattacks and ensure continuity of service in the event of an incident. The NCSC will supervise compliance with the directive, and will even be able to impose penalties on non-compliant operators.
2nd category referred to: The digital service providers (DSPs)
There’s a second category covered by the NIS directive: the digital service providers.
Just like the OES, the list of DSPs is large, because of the definition given by the directive. Indeed, a digital service is a service provided for payment, whether it’s provided remotely or by electronic means.
The European institutions, aware that the DSP definition covers most internet websites, decided to narrow down the list of services subject to the directive.
You probably don’t care about this (fun) fact, but in order to preserve the French language, the parliamentarians decided to “Frenchify” the digital words that we usually use in English. It sure made our computer scientists’ ears bleed, to the delight of our linguists. Anyway, here are the digital services subject to the NIS directive:
- Online marketplaces: a digital service that allows consumers or traders to conclude online sales or service contracts.
- Online search engines (do I really need to define this?)
- Cloud computing services: a digital service that enables access to computing resources.
If you didn’t get the punchline yet, the Big Four tech companies are once again in the European Union’s sights. These three categories of DSPs were meant to cover Amazon, Apple, Google and Facebook, and to make them take serious cybersecurity measures.
And to avoid any word-twisting from the Big Four along the lines of “I don’t care, I’m not even established in Europe!”, the NIS directive contains an article just for them. Indeed, foreign companies still have to comply with these obligations if their digital service is provided on EU territory.
To rub it in, and to stop the Big Four from saying “it doesn’t matter, the authority won’t be able to inspect us from abroad”, the European institutions took care of that too. If a company is not established on EU territory, it has to designate a representative located in the European Union. That person will act as an intermediary with the competent authority for any question, or if the company is being inspected (once again, we’ll talk about the penalties later in this article).
And in case the Big Four are still reluctant to apply the directive, the transposition added that the directive applies to companies employing more than 50 workers and whose annual turnover is higher than €10 million.
With all these subtle indirect references, the GAFA know that they are subject to the NIS directive. Their mission now is to identify the risks that threaten the security of their information systems. With this aim in mind, they have to take technical and organizational measures to manage those risks, and make sure that no cyber-incident can reach them. Just like the OES, they must implement solutions to ensure continuity of service in case of a cyberattack.
Obviously, even if picking on the Big Four seems like a fun game for the European Union, this directive also applies to other digital service providers offering their service in the EU. Consequently, thousands of online platforms are now subject to these obligations.
And just like for the OES, an inspection can be carried out by the competent authority at any time to check the company’s compliance with the directive. Moreover, the DSPs also have to report incidents to the competent authority, provided the incident has had “a significant impact on the continuity of essential services”.
IN SHORT: The online digital service providers include marketplaces, online search engines and cloud computing services. More specifically, the Big Four are targeted by the directive, and must implement important organizational measures to guarantee the security of their information systems. This also applies to any company providing its service within the European Union, even if its headquarters are located in a third country. These DSPs can also be inspected by the NCSC and subjected to penalties.
So, shall we discuss numbers?
Here’s the moment you’ve all been waiting for: the applicable penalties. Indeed, what’s the risk if I don’t comply with the obligations laid down by the NIS directive?
Various amounts are listed, depending on the offense committed, and they differ in each EU Member State.
The UK chose to impose heavy penalties on an OES or a DSP:
- Up to £1,000,000 for any contravention that could not cause an NIS incident;
- Up to £3,400,000 for a material contravention that has caused, or could cause, an incident resulting in a reduction of service provision by the OES and DSP for a significant period of time;
- Up to £8,500,000 for a material contravention that has caused, or could cause, an incident resulting in a disruption of service provision for a significant period of time;
- Up to £17,000,000 for a material contravention that has caused, or could cause, an incident resulting in an immediate threat to life or significant adverse impact on the UK economy.
If you’re in Ireland, we didn’t forget about you! The good news is that the penalties are lower than in the UK. Indeed, whether you are an OES or a DSP, you may be subject to one of two penalties:
- In case of a summary conviction (a case dealt with by a judge without a jury), you’re liable to a €5,000 fine.
- In case of conviction on indictment, you’re liable to:
  - a €50,000 fine if you’re an individual;
  - a €500,000 fine if you’re not an individual (a company or an organization).
IN SHORT: Whether you’re an OES or a DSP, the amounts of the penalties are the same for everyone. The fine is imposed according to the offense committed.
Can someone spoon-feed me the work?
Don’t worry, there’s a solution for everything in life!
If you want to test the effectiveness of your information system and find out whether you comply with the directive, the dedicated Ziwit Consultancy Services team can audit your organizational and physical infrastructure. Our team will be able to identify the security vulnerabilities in your information system and measure your organization’s physical level of security. After identifying the risks and performing a penetration test, our cybersecurity experts will give you a list of all the fixes to implement to secure your information system.
In Ireland, this audit solution may be a lifesaver! Indeed, the NCSC may carry out an assessment at any time to make sure that you comply with the NIS directive. That means the authority can perform audits to check the security of your information system. Therefore, you should take action and audit your network and information system before undergoing this assessment!