On 7 February 2013, the European Commission published an EU cybersecurity strategy, a key element of which was the draft Network and Information Security (NIS) Directive, which set out proposals to enhance the EU’s resilience to cybersecurity threats and ensure a common level of network and information security across the EU.
The NIS Directive proposed by the European Commission required member states to:
- implement a national NIS strategy and establish a NIS competent authority and computer emergency response team to prevent, handle and respond to NIS threats and incidents;
- create a cooperation network within which to share security information across the EU in order to counter NIS threats and incidents; and
- place an obligation on operators of critical infrastructures (including energy, transport, banking, financial markets, healthcare services and public administrations) and providers of information society services (such as internet payment services, social networks, search engines, e-commerce platforms, cloud services, app stores and video sharing platforms) to assess security risks, adopt appropriate measures and report incidents that have a significant impact on the security of their core services to the national competent authority.
On 13 March 2014, the European Parliament successfully voted through the proposed NIS Directive with a number of amendments to the proposed text, which will now be examined by the Council of the EU. The European Commission is hopeful that the NIS Directive will be adopted by the end of 2014.
The European Parliament’s proposals for amendment include removing public administrations, software developers and hardware manufacturers from the scope of the NIS Directive.
Whilst acknowledging that public administrations, as a result of their public duty, should exercise due diligence in the management and the protection of their own network and information systems, the European Parliament suggests that it is important for the NIS Directive to focus on critical infrastructure essential for the maintenance of vital economic and societal activities in the fields of energy, transport, banking, financial markets and healthcare.
Instead, the European Parliament proposes to extend the list of sectors which are considered critical infrastructures under the NIS Directive, to include internet exchange points and food supply chain services. The European Parliament has also added a proviso that the disruption or destruction of the functions performed by the critical infrastructures must have a significant impact in a member state as a result of the failure to maintain those functions.
In relation to the reporting obligations under the NIS Directive, the European Parliament has proposed a number of factors that should be taken into account to determine the significance of the impact of an incident and whether it is reportable to the national competent authority. The factors proposed by the European Parliament include the number of users whose core service is affected, the duration of the incident and the geographic area affected by the incident.
Since the NIS Directive was first proposed it has been subject to scrutiny by various committees and stakeholders and some of the above proposed amendments reflect the feedback received from the various committees and stakeholders.
The European Parliament has tried to limit the scope of some of the provisions of the NIS Directive. However, there are still some concerns about the onerous reporting obligations and the fact that whilst the NIS Directive will increase the costs of doing business it is uncertain whether it will actually deliver on its aim of increasing security.
A survey commissioned by the Department for Business, Innovation and Skills last year confirmed that 93 per cent of large organisations and 87 per cent of small businesses had a security breach in the past year, with affected companies experiencing roughly 50 per cent more breaches on average than the previous year.
According to these statistics, the reporting obligation under the NIS Directive could be potentially significant amongst businesses in the UK and would add a further regulatory and financial burden on them. In addition, businesses will also be concerned about the publicity that may arise as a result of the reporting of incidents and security breaches, which could potentially damage their reputation.
The UK government has allocated £860m to the UK’s cybersecurity efforts. The UK’s Computer Emergency Response Team (CERT-UK), was formally launched on 31 March 2014 and will be responsible for co-ordinating the UK’s cybersecurity defence. Its primary role is to co-ordinate international responses to cybersecurity incidents, share information across the EU to counter threats and incidents, and provide support to critical national infrastructure companies.
Whilst the launch of CERT-UK may address the first hurdle of reporting and detection of cybercrime, the organisation has no law enforcement role or powers. This means that the issue of how cybercrime is or should be policed is yet to be determined.
Furthermore, how local enforcement agencies will link individuals to cybercrimes, which are often committed on other people’s computers, will be a significant legal challenge in itself. The issue of policing cyberattacks and providing a credible deterrent is an issue that the government has not yet addressed.
It is expected that cybersecurity threats will become more innovative and sophisticated over time, particularly with the increased use of cloud computing and bring your own device schemes. Whilst the government claims that the UK has targeted cybersecurity early on, a survey conducted by BT suggests that companies in the UK are some way behind companies in a number of other countries in addressing cybersecurity risks.
The survey revealed that 17 per cent of UK business leaders considered cybersecurity as a major priority, compared to 41 per cent in the US. Importantly, 58 per cent of IT executives globally felt that their boards underestimated the importance of cybersecurity.
Whilst companies may be improving their response to cybersecurity threats, the survey indicates that cybersecurity may still be viewed as more of a compliance exercise rather than an opportunity. We are beginning to see companies developing policies specifically relating to cyberattacks and preparing PR statements in advance in case an attack hits.
It will be interesting to see what the adopted directive contains when it gets passed and how this will help tackle an ever growing issue.
Please note that the information provided above is for general information purposes only and should not be relied upon as a detailed legal source.