EU: An overview of the NIS Directive
January 2023
1. INTRODUCTION
1.1. Issuing body
This Guidance Note provides an overview of the Directive concerning measures for a high common level of security of network and information systems across the Union (Directive (EU) 2016/1148) ('the NIS Directive'), which was adopted by the European Parliament and the Council of the European Union ('the Council') on 6 July 2016 and entered into force in August 2016.
However, please note that the Directive on Measures for a High Common Level of Cybersecurity across the Union (Directive (EU) 2022/2555) ('NIS 2 Directive'), which was published in the Official Journal of the European Union on 27 December 2022, will repeal the NIS Directive with effect from 18 October 2024 (Article 44 of the NIS 2 Directive).
1.2. Foundations and purpose
The NIS Directive is the first piece of EU-wide cybersecurity legislation and aims to achieve a high common level of security of network and information systems across the Union.
The NIS Directive required EU Member States to transpose it into national law by 9 May 2018 (Article 25 of the NIS Directive) and to identify the operators of essential services ('OES') with an establishment on their territory by 9 November 2018 (Article 5(1) of the NIS Directive). The NIS Directive entered into force on the twentieth day following its publication in the Official Journal of the European Union (Article 26 of the NIS Directive).
Before the adoption of the NIS Directive, the level of cybersecurity preparedness varied widely between Member States, which meant that, overall, the existing capabilities were not sufficient to ensure a high level of security of network and information systems in the EU. Because there were no common requirements on OESs and digital service providers ('DSPs'), consumers and businesses were unequally protected, and it was impossible to establish a global and effective mechanism for cooperation at EU level.
Thus, the NIS Directive has three main objectives:
- improving national cybersecurity capabilities through implementing a national strategy (see section 5 below);
- building cooperation at EU level (see section 1.3 below); and
- promoting a culture of risk management and incident reporting for OESs and DSPs (see sections 5, 6, and 11 below).
NIS 2 Directive
The European Commission ('Commission') announced, on 16 December 2020, that it had adopted a proposal for a revised NIS Directive. The Commission had noted the limitations of the NIS Directive and therefore accelerated the review process at the end of 2020, proposing new legislation alongside it. More specifically, the proposal adds new sectors based on their critical nature, thereby expanding the scope of the NIS Directive, and eliminates the distinction between digital service providers and operators of essential services. In addition, the proposal introduces requirements on supply chain security and more precise provisions on risk management and incident reporting.
The European Parliament's briefing on the NIS 2 Directive outlines that, on 28 October 2021, the European Parliament's Committee on Industry, Research, and Energy ('ITRE') adopted its report on the NIS 2 Directive, as well as a mandate to enter into interinstitutional negotiations. The report includes tighter cybersecurity obligations in terms of risk management, reporting obligations, and information sharing, and seeks to lower the administrative burden and to improve cybersecurity incident reporting. In addition, the report calls for stricter supervisory and enforcement measures across Member States and aims to further broaden the NIS 2 Directive's scope to include academic, knowledge, and research institutions.
The Council announced, on 3 December 2021, that it had adopted its general approach on the NIS 2 Directive.
The NIS 2 Directive was published in the Official Journal of the European Union on 27 December 2022 and enters into force on 16 January 2023, the twentieth day following its publication. Pursuant to Article 41 of the NIS 2 Directive, Member States must transpose the NIS 2 Directive into their national legislation by 17 October 2024, and the transposition laws shall apply from 18 October 2024. On the same date, the NIS Directive will be repealed.
1.3. Compliance benefits
As mentioned above, compliance of Member States, and of organisations operating therein, with the NIS Directive provides a global and effective cooperation mechanism covering OESs and DSPs, and ensures that Member States have the capabilities to respond effectively to the challenges of the security of network and information systems (Recitals 5 and 6 of the NIS Directive).
Relevant authorities
In particular, the NIS Directive lays down obligations for all Member States to:
- designate one or more computer security incident response teams ('CSIRTs') (Article 9(1)-(5) of the NIS Directive):
  - CSIRTs' tasks include (Annex I, section 2 of the NIS Directive):
    - monitoring incidents at a national level;
    - providing early warning, alerts, announcements, and dissemination of information to relevant stakeholders about risks and incidents;
    - responding to incidents;
    - providing dynamic risk and incident analysis and situational awareness; and
    - participating in the CSIRTs network.
  - CSIRTs form part of the network of national CSIRTs ('CSIRTs network') created under the NIS Directive, which aims to contribute to the development of trust and confidence between Member States and to promote swift and effective operational cooperation (Article 1(2)(c) and Article 12 of the NIS Directive).
  - Member States must ensure that CSIRTs have adequate resources to effectively carry out the tasks listed above.
  - Member States must ensure the effective, efficient, and secure cooperation of their CSIRTs in the CSIRTs network referred to in Article 12 of the NIS Directive.
  - Member States must ensure that their CSIRTs have access to an appropriate, secure, and resilient communication and information infrastructure at national level.
  - Member States must inform the Commission about the remit of their CSIRTs, as well as the main elements of their incident-handling process.
  - Member States may request the assistance of the European Union Agency for Cybersecurity ('ENISA') in developing national CSIRTs.
- cooperate through the Cooperation Group established by the NIS Directive in order to support and facilitate strategic cooperation and the exchange of information among Member States and to develop trust and confidence amongst them. The Cooperation Group is composed of representatives of the Member States, the Commission, and ENISA. For the Cooperation Group to be effective and inclusive, it is essential that all Member States have minimum capabilities and a strategy ensuring a high level of security of network and information systems in their territory (Articles 1(2)(b), 5(6), and 11, and Recital 4 of the NIS Directive). The tasks of the Cooperation Group include (Article 11(3) of the NIS Directive):
  - providing strategic guidance for the activities of the CSIRTs network; and
  - exchanging information and best practices on awareness raising and training.
- designate one or more national competent authorities on the security of network and information systems ('competent authority') to monitor the application of the NIS Directive at a national level, and a single point of contact ('SPOC') to exercise a liaison function ensuring cross-border cooperation between Member State authorities and the relevant authorities in other Member States, as well as with the Cooperation Group and the CSIRTs network referred to above. Both the competent authority and the SPOC must have adequate resources to carry out, in an effective and efficient manner, the tasks assigned to them in order to fulfil the objectives of the NIS Directive (Article 8 of the NIS Directive).
Penalties for non-compliance
The NIS Directive leaves it to the Member States to lay down the rules on penalties applicable to infringements of the national provisions adopted pursuant to the NIS Directive and to take all measures necessary to ensure that they are implemented. Those penalties must be effective, proportionate, and dissuasive (Article 21 of the NIS Directive).
In particular, the NIS Directive provides that competent authorities must follow the below enforcement procedures.
Regarding OESs, Article 15 of the NIS Directive stipulates that:
- Member States must ensure that the competent authorities have the necessary powers and means to assess the compliance of OESs with their obligations under Article 14 of the NIS Directive (see section 6 below) and the effects of the same on the security of network and information systems;
- Member States must ensure that the competent authorities have the powers and means to require OESs to provide:
- the information necessary to assess the security of their network and information systems, including documented security policies; and
- evidence of the effective implementation of security policies, such as the results of a security audit carried out by the competent authority or a qualified auditor and, in the latter case, to make the results thereof, including the underlying evidence, available to the competent authority; and
- after assessing the information on the security audits, the competent authority may issue binding instructions to the OES to remedy the deficiencies identified.
In addition, Member States are responsible for determining which entities meet the criteria of the definition of OESs (Recital 19 of the NIS Directive).
Regarding DSPs, Article 17 of the NIS Directive stipulates that:
- Member States must ensure that the competent authorities take action, if necessary, through ex post supervisory measures, when provided with evidence that a DSP does not meet the requirements laid down in Article 16 of the NIS Directive; and
- competent authorities have the necessary powers and means to require DSPs to provide the information necessary to assess the security of their network and information systems, including documented security policies, and remedy any failure to meet the requirements laid down in Article 16 of the NIS Directive.
1.4. Related legislation, frameworks, standards, and supplemental resources
ENISA has published, among others, the following guidelines:
The Commission has published, among others, the following guidance:
2. SCOPE OF APPLICATION
The NIS Directive consists of 75 Recitals, 27 Articles, and three Annexes. The requirements included in the NIS Directive are intended to apply to Member States' OESs and DSPs (Recital 7 of the NIS Directive).
Exemptions
Public administrations which do not fall under the definition of OESs are excluded from the application of the NIS Directive and it is the responsibility of the Member State in which they operate to ensure the security of their network and information systems (Recital 45 of the NIS Directive).
The NIS Directive does not apply to (Article 1(3) and Recital 7 of the NIS Directive):
- undertakings providing public communications networks or publicly available electronic communications services within the meaning of Directive 2002/21/EC on a Common Regulatory Framework for Electronic Communications Networks and Services ('the Framework Directive'), which are subject to the specific security and integrity requirements laid down in Articles 13a and 13b of that Directive; or
- trust service providers within the meaning of Regulation (EU) No 910/2014 of 23 July 2014 on Electronic Identification and Trust Services for Electronic Transactions in the Internal Market and Repealing Directive 1999/93/EC ('the eIDAS Regulation'), which are subject to the security requirements laid down in that Regulation.
Where a sector-specific Union legal act requires OESs or DSPs to ensure the security of their network and information systems or to notify incidents, the provisions of that sector-specific act apply instead, provided that its requirements are at least equivalent in effect to the obligations laid down in the NIS Directive (Article 1(7) and Recital 9 of the NIS Directive).
DSP jurisdiction and territoriality
A DSP will be deemed to be under the jurisdiction of the Member State in which it has its main establishment. Its main establishment will be the place of the head office in that Member State (Article 18 of the NIS Directive).
A DSP that is not established in the EU, but offers services referred to in Annex III within the EU, must designate a representative in the EU. The representative must be established in one of those Member States where the services are offered. The DSP will be deemed to be under the jurisdiction of the Member State where the representative is established (Article 18 of the NIS Directive).
The designation of a representative by the DSP must be without prejudice to legal actions which could be initiated against the DSP itself (Article 18 of the NIS Directive).
In addition, the NIS Directive takes a differentiated approach to OESs and DSPs because of the fundamental differences between them, in particular the former's direct link to physical infrastructure and the latter's cross-border nature: whereas Member States identify the OESs established on their territory, they do not identify DSPs, and the NIS Directive applies to all DSPs within its scope (Recital 58 of the NIS Directive).
Sectors
The NIS Directive covers OES in the following sectors, considered essential services (Annex II):
- energy: electricity, oil, and gas;
- transport: air, rail, water, and road;
- banking: credit institutions;
- financial market infrastructures: trading venues, central counterparties;
- health: healthcare settings;
- water: drinking water supply and distribution; and
- digital infrastructure: internet exchange points, domain name system service providers, top level domain name registries.
3. KEY DEFINITIONS | BASIC CONCEPTS
See Article 4 of the NIS Directive for a full list of definitions and key terminologies incorporated.
OES: A public or private entity of a type referred to in Annex II, which meets the criteria laid down in Article 5(2) namely:
- an entity provides a service which is essential for the maintenance of critical societal and/or economic activities;
- the provision of that service depends on network and information systems; and
- an incident would have significant disruptive effects on the provision of that service.
DSP: Any legal person that provides a digital service.
The types of DSPs for the purpose of Article 4(5) are (Annex III of the NIS Directive):
- online marketplace;
- online search engine; and
- cloud computing service.
Network and information system:
- an electronic communications network within the meaning of Article 2 of Directive 2002/21/EC on a Common Regulatory Framework for Electronic Communications Networks and Services ('the Framework Directive');
- any device or group of interconnected or related devices, one or more of which, pursuant to a program, perform automatic processing of digital data; or
- digital data stored, processed, retrieved, or transmitted by elements covered under points (a) and (b) for the purposes of their operation, use, protection, and maintenance.
Security of network and information systems: the ability of network and information systems to resist, at a given level of confidence, any action that compromises the availability, authenticity, integrity or confidentiality of stored or transmitted or processed data or the related services offered by, or accessible via, those network and information systems.
National strategy on the security of network and information systems: a framework providing strategic objectives and priorities on the security of network and information systems at national level.
Representative: means any natural or legal person established in the EU explicitly designated to act on behalf of a DSP not established in the EU, which may be addressed by a national competent authority or a CSIRT instead of the DSP with regard to the obligations of that DSP under the NIS Directive.
4. DATA PROCESSING
The NIS Directive provides that as personal data are in many cases compromised as a result of incidents, competent authorities and data protection authorities should cooperate and exchange information on all relevant matters to tackle any personal data breaches resulting from incidents (Recital 63 of the NIS Directive).
Moreover, the sharing of information on risks and incidents within the Cooperation Group and the CSIRTs network and the compliance with the requirements to notify incidents to the national competent authorities or the CSIRTs might require processing of personal data. As such, this processing should comply with the relevant data protection legislation (Recital 72 of the NIS Directive).
5. MANAGEMENT SYSTEM
National strategy
To achieve and maintain a high level of security of network and information systems, each Member State should have a national strategy on the security of network and information systems defining the strategic objectives and concrete policy actions to be implemented (Recital 29 of the NIS Directive).
Article 7 of the NIS Directive provides information on what a national strategy should address in respect of the security of network and information systems, which includes:
- the objectives and priorities of the national strategy on the security of network and information systems;
- a governance framework to achieve the objectives and priorities of the national strategy on the security of network and information systems, including roles and responsibilities of the government bodies and the other relevant actors;
- the identification of measures relating to preparedness, response and recovery, including cooperation between the public and private sectors;
- an indication of the education, awareness-raising and training programmes relating to the national strategy on the security of network and information systems;
- an indication of the research and development plans relating to the national strategy on the security of network and information systems;
- a risk assessment plan to identify risks; and
- a list of the various actors involved in the implementation of the national strategy on the security of network and information systems.
Risk management
Responsibilities in ensuring the security of network and information systems lie, to a great extent, with OESs and DSPs. A culture of risk management, involving risk assessment and the implementation of security measures appropriate to the risks faced, should be promoted and developed through appropriate regulatory requirements and voluntary industry practices. Establishing a trustworthy level playing field is also essential to the effective functioning of the Cooperation Group and the CSIRTs network, to ensure effective cooperation from all Member States (Recital 44 of the NIS Directive).
In addition, the NIS Directive further emphasises the importance of incorporating risk-management measures including measures to identify any risks of incidents, to prevent, detect and handle incidents, and to mitigate their impact. The security of network and information systems comprises the security of stored, transmitted, and processed data (Recital 45 of the NIS Directive).
Auditing
OESs
In regard to Member States assessment of OES compliance with their obligations under Article 14 of the NIS Directive, Member States must ensure that competent authorities have the powers and means to require the OESs to provide evidence of the effective implementation of security policies, such as the results of a security audit carried out by the competent authority or a qualified auditor and based on the assessment of such audits, the competent authority may issue binding instructions on the OESs (Article 15(2)(b) and 15(3) of the NIS Directive).
See section 1.3 above for further information.
DSPs
When adopting implementing acts on the security requirements for DSPs, the Commission is encouraged to take into account the following examples in relation to monitoring, auditing, and testing (Recital 69 of the NIS Directive):
- monitoring and logging policies;
- exercise contingency plans;
- network and information systems testing, security assessments; and
- compliance monitoring.
Business continuity management
When adopting implementing acts on the security requirements for DSPs, the Commission is encouraged to take into account the following examples in relation to business continuity management (Recital 69 of the NIS Directive):
- service continuity strategy and contingency plans, and
- disaster recovery capabilities.
Awareness and training
As mentioned above, among the main functions of the Cooperation Group is exchanging information and best practices on awareness raising and training (Article 11(3) of the NIS Directive).
6. DATA SECURITY
The NIS Directive does not explicitly refer to data security. However, in general, it aims at securing network and information systems, which as defined above, concern digital data that is stored, processed, retrieved, or transmitted.
Please note that the following are security requirements as provided under the NIS Directive which must be read in conjunction with the requirements provided under sections 5 and 11 of this Note.
For both OESs and DSPs, the security requirements should be proportionate to the risk presented by the network and information system concerned, taking into account the state of the art of such measures, in order to avoid imposing a disproportionate financial and administrative burden on the same. In the case of DSPs, such requirements should not apply to micro- and small enterprises (Recital 53 of the NIS Directive).
Technical and organisational measures
OESs
Member States must ensure that OESs take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of the network and information systems which they use in their operations. Having regard to the state of the art, those measures must ensure a level of security of network and information systems appropriate to the risk posed. Member States must also ensure that OESs take appropriate measures to prevent and minimise the impact of incidents affecting the security of the network and information systems used for the provision of their essential services, with a view to ensuring the continuity of those services (Article 14(1) and (2) of the NIS Directive). At national level, Member States should be adequately equipped, in terms of both technical and organisational capabilities, to prevent, detect, respond to, and mitigate network and information system incidents and risks, and should therefore have well-functioning CSIRTs that comply with essential requirements guaranteeing effective and compatible capabilities to deal with incidents and risks and efficient cooperation at EU level (Recitals 27 and 34 of the NIS Directive) (see section 1.3 for more information).
In addition, the NIS Directive highlights that technical and organisational measures imposed on OESs and DSPs should not require a particular commercial information and communications technology product to be designed, developed, or manufactured in a particular manner (Recital 51 of the NIS Directive).
DSPs
Member States must ensure that DSPs identify and take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems which they use in the context of offering services referred to in Annex III within the EU. Those measures must be taken having regard to the state of the art, must ensure a level of security of network and information systems appropriate to the risk posed, and must take into account the following elements (Article 16 of the NIS Directive):
- the security of systems and facilities;
- incident handling;
- business continuity management;
- monitoring, auditing and testing; and
- compliance with international standards.
7. ACCOUNTABILITY AND RECORDKEEPING
The NIS Directive does not explicitly refer to accountability and recordkeeping requirements. However, in a general sense, OESs and DSPs must be able to provide the competent authorities with the information necessary to assess the security of their network and information systems, including documented security policies, and with evidence of the effective implementation of those policies (Articles 15 and 17 of the NIS Directive).
8. DATA SUBJECT RIGHTS
The NIS Directive does not explicitly refer to data subject rights.
9. CROSS-BORDER DATA TRANSFERS AND LOCALISATION
The NIS Directive does not explicitly refer to cross-border data transfers and localisation.
10. VENDOR MANAGEMENT
The NIS Directive does not explicitly refer to vendor management. However, where an OES relies on a third-party DSP for the provision of a service which is essential for the maintenance of critical societal and economic activities, any significant impact on the continuity of the essential services due to an incident affecting that DSP must be notified by the OES to the competent authority or the CSIRT (Article 16(5) of the NIS Directive).
11. INCIDENT AND BREACH
The notification of security incidents forms a crucial part of requirements within the NIS Directive for both OESs and DSPs.
OESs
Incident notification
Member States must ensure that OESs notify the competent authority or CSIRT, without undue delay, of incidents having a significant impact on the continuity of the essential services they provide. Notifications must include information enabling the competent authority or the CSIRT to determine any cross-border impact of the incident, however such notification should not make the notifying party subject to increased liability (Article 14(3) of the NIS Directive).
Determining the impact of an incident
In order to determine the significance of the impact of an incident, the following should be taken into account (Article 14(4) of the NIS Directive):
- the number of users affected by the disruption of the essential service;
- the duration of the incident; and
- the geographical spread with regard to the area affected by the incident.
In addition, the competent authority or CSIRT should inform other affected Member States in case the incident has an impact in the continuity of OESs in those Member States, and may also inform the public of individual incidents where public awareness is important to deal with the incident in question (Article 14(5) and (6) of the NIS Directive).
DSPs
Incident notification
Member States must ensure that DSPs notify the competent authority or the CSIRT without undue delay of any incident having a substantial impact on the provision of a service as referred to in Annex III that they offer within the EU. Notification must include information to enable the competent authority or the CSIRT to determine the significance of any cross-border impact, however such notification must not make the notifying party subject to increased liability (Article 16(3) of the NIS Directive).
Determining the impact of an incident
In order to determine the significance of the impact of an incident, the following should be taken into account (Article 16(4) of the NIS Directive):
- the number of users affected by the incident, in particular users relying on the service for the provision of their own services;
- the duration of the incident;
- the geographical spread with regard to the area affected by the incident;
- the extent of the disruption of the functioning of the service; and
- the extent of the impact on economic and societal activities.
In addition, where an OES relies on a third-party DSP for the provision of a service which is essential for the maintenance of critical societal and economic activities, any significant impact on the continuity of the essential services due to an incident affecting the DSP must be notified by that operator to the competent authority or the CSIRT (Article 16(5) of the NIS Directive).
Where appropriate, and in particular if the incident concerns two or more Member States, the competent authority or the CSIRT must inform the other affected Member States, while preserving the DSP's security and commercial interests and the confidentiality of the information provided (Article 16(6) of the NIS Directive). After consulting the DSP concerned, the competent authority or the CSIRT and, where appropriate, the authorities or the CSIRTs of other Member States concerned may inform the public about individual incidents, or require the DSP to do so, where public awareness is necessary to prevent an incident or to deal with an ongoing incident, or where disclosure is otherwise in the public interest (Article 16(7) of the NIS Directive).
12. PRIVACY BY DESIGN
The NIS Directive does not explicitly refer to Privacy by Design, however OESs and DSPs must be adequately equipped, in terms of both technical and organisational capabilities. For further information please refer to section 6 above.
13. ADDITIONAL REQUIREMENTS
Not applicable.
Authored by OneTrust DataGuidance. DataGuidance's Privacy Analysts carry out research regarding global privacy developments, and liaise with a network of lawyers, authorities, and professionals to gain insight into current trends. The Analyst Team work closely with clients to direct their research for the production of topic-specific Charts.