EU’s Cyber Security Bill


In December of last year, EU lawmakers agreed on new cyber security laws that are set to be in their final forms by Spring this year. The NIS (Network and Information Security) Directive will “impose new network and information security guidelines on operators of essential services and digital service providers.” The organisations that have to abide by these new guidelines will be required to report certain security incidents to competent authorities or to a Computer Security Incident Response Team (CSIRT).

One thing to note is that not all providers of essential services will be affected by the directive. The final version of the directive acknowledges that some sector-specific companies already deal with information and network security issues. The directive says “Certain sectors of the economy are already regulated or may in the future be regulated by sector-specific Union legal acts.” So in some cases, the NIS directive will not have to be applied even when the company is considered an operator of essential services or a DSP (Digital Services Provider).

Now the question is, what actually is an operator of essential services? The NIS Directive states that “an operator of essential services is considered to be an entity that provides a service that is essential for the maintenance of critical societal and/or economic activities, so long as the provision of that service depends on network and information systems and if an incident to the network or information systems of that service would have significant disruptive effects on the provision of those services.” Only businesses operating in one of the sectors listed in the directive's annex will be able to qualify as an operator of essential services.

All the sectors that are affected are those that deliver essential services to people:

The Energy Sector:

  • Suppliers of electricity and gas, as well as distribution or transmission system operators
  • Gas storage system operators, liquefied gas system operators
  • Companies responsible for the production, transmission, distribution, supply, purchase or storage of natural gas
  • Operators of natural gas refining and treatment facilities are also deemed to be operators of essential services.
  • This also applies to operators of oil transmission pipelines and to operators of oil production, refining, treatment, storage and transmission facilities.

The Transport Sector:

  • In the air transport sector: airlines, airport managing bodies, companies that operate installations within airports, and air traffic control service providers.
  • The same applies to the corresponding roles within the rail industry.
  • Operators of ferries and freight water transport companies are also affected.

Financial Services:

  • The directive applies to banks and other credit institutions.
  • The directive will also apply to trading venues, such as regulated markets like the London Stock Exchange.

Health Services:

  • Health care providers such as hospitals and GP surgeries, and potentially private sector health care businesses, are considered to be operators of essential services.

Digital Infrastructure:

  • Operators of essential services in the digital sector include internet exchange points, domain name system (DNS) service providers and top level domain name registries.

Digital service providers face less strict obligations than operators of essential services, but they still need to report security incidents they experience where the incident has “a substantial impact of a service… they offer within the Union.” Digital service providers are described by the NIS Directive as providers of an online marketplace, online search engine or cloud computing service, while “hardware manufacturers and software developers” are not digital service providers. The NIS Directive also affects digital service providers based outside the EU, requiring such companies to designate a representative established in the EU to act on the company’s behalf.

This new legislation will require some smaller companies to implement better security. In the short term this can be very costly: implementing reporting software, hiring staff and developing a cyber security strategy. Over time, though, these costs serve long-term goals and should save both time and money.

After the final version of the legislation is agreed in Spring, member states are expecting to have the directive in national legislation within 21 months and a further 6 months to identify the operators of their essential services, with the directive coming into full force in mid-2018.

February 2nd, 2016