Under EU Directive 2016/1148 on Security of Network and Information Systems (the “NIS Directive”), identified operators of essential services will have to take appropriate security measures and to notify serious cyber incidents to the relevant national authority. The report published on 28 October 2019 provides an overview of how Member States have identified operators of essential services who have to put in place cyber-security measures and report major cyber-incidents due to their importance for the economy and society.
Advertisement
1. What is the NIS Directive?
Directive (EU) 2016/1148 on Security of Network and Information Systems (“NIS Directive”) is the first piece of EU-wide cyber-security legislation. It requires Member States to ensure that key public and private entities (so called ‘operators of essential services’) in seven sectors (energy, transport, banking, financial infrastructures, health, drinking water and digital infrastructures) take appropriate security measures and notify significant incidents to national authorities. The Directive places particular emphasis on European cooperation: It establishes a Cooperation Group serving as platform for Member States to exchange best practices and align rules. The new CSIRTs network gathers all national Computer Security Incident Response Teams handling computer security incidents in EU countries.
The NIS Directive has been adopted in July 2016 and is part of a set of legislative measures aiming to increase cyber-security throughout the Union. It includes the recently agreed Cybersecurity Act, which reinforces the mandate of the European Union Agency for Cybersecurity ENISA and establishes an EU framework for cyber-security certification, and the regulation on a European Cybersecurity Competence Network and Centre, which is currently under negotiation.
2. What are operators of essential services, and what will they be required to do?
Operators of essential services are private businesses or public entities with an important role to provide security in healthcare, transport, energy, banking and financial market infrastructure, digital infrastructure and water supply.
Under the NIS Directive, identified operators of essential services will have to take appropriate security measures and to notify serious cyber incidents to the relevant national authority.
3. What is the report about?
The report published on 28 October 2019 provides an overview of how Member States have identified operators of essential services who have to put in place cyber-security measures and report major cyber-incidents due to their importance for the economy and society. It assesses if the methodologies for identifying such operators are consistent across Member States or if the different national approaches lead to a situation in which public and private entities of comparable importance are only identified in some of the Member States.
The publication of the report by the Commission is a legal requirement based on Article 23(1) of the NIS Directive and is the first step in the Commission’s review of the Directive due no later than 9 May 2021.
4. Why is it important that Member States identify operators of essential services in a consistent manner?
Cyber-threats can propagate easily across borders and organisations without adequate security measures in place make for easy targets. A consistent identification helps ensure that all critical entities in a sector and across the Union exhibit a similar level of cyber-resilience. It also helps to prevent cyber-threats from propagating throughout the internal market.
In addition, the NIS Directive requires Member States to establish security requirements and incident notification procedures for operators of essential services. In order to guarantee a level playing field for operators in the internal market, it is important that operators providing similar services of similar relevance are subject to similar regulatory treatment.
5. What does the identification process in the Member States look like?
The Directive requires Member States to draw up a list of services that they consider essential for the functioning of the economy and society. Public and private entities that provide such services and that depend on network and information systems (ICT) must be identified as operators of essential services if an incident would have a significant disruptive effect on the provision of the service in question. Member States usually apply thresholds to determine the significance of an incident.
For example, a Member State determines that drinking water distribution is an essential service. It would then identify all entities providing this service if they also depend on network and information systems and surpass a previously determined threshold of 5 000 000 m³ per year.
6. What are the main findings of the report?
The report finds that the NIS Directive has played a key role in preparing operators of essential services for cyber-incidents throughout the Union. In addition, the fact that some countries have identified essential services in additional sectors beyond those listed in the Directive highlights that there are other sectors potentially vulnerable to cyber-incidents.
National authorities have developed a wide variety of identification practices leading to gaps in consistency when it comes to the identification of operators of essential services across the internal market. The numbers and types of essential services vary greatly between Member States. When it comes to thresholds, Member States have not only chosen different types of thresholds (for example market share vs. output) but also different levels. As a result, the numbers of identified operators of essential services differ significantly across the EU (see Figure 1).
The report concludes that some identification practices used by Member States can have a negative impact on the level playing field in the internal market and potentially render entities more vulnerable to cross-border cyber-threats.
7. What are the Commission’s recommendations to make identification more consistent?
The Commission proposes that Member States work together in the Cooperation Group established by the NIS Directive to further align the lists of essential services and the thresholds used to identify operators of essential services. It also urges national authorities to complete the identification process in those cases where it is still ongoing. In addition, it recommends Member States to consult each other in order to ensure that cross-border operators face similar security and incident reporting requirements in the internal market.
Source: European Commission
