Although still in the early stages of implementation, the Network and Information Security (NIS) Directive, which was adopted on July 6, 2016 and entered into force in August 2016, constitutes a crucial piece of EU legislation that moves Europe towards the creation of a pan-European Digital Single Market. The aim of this Directive is not only to provide legal measures to raise the overall level of cybersecurity, but also to ensure that Europe is able to maximise the benefits of digitising European industry.
The NIS Directive requires EU Member States to adopt national strategies and to set up a cooperation group in order to facilitate the exchange of information regarding possible cyber incidents and risks. It is particularly interesting to analyse that whereas the text of the Directive establishes different security and notification requirements for operators of essential services (OESs) and digital services providers (DSPs) respectively, ENISA is currently suggesting the harmonisation of these requirements across the board.
As the NIS Directive clearly recognises, incident reporting obligations on OESs (e.g., nuclear power plants) are expected to be substantially higher than those for an incident involving a DSP (e.g., a cloud provider), reflecting the relatively larger impact that an incident involving an OES might have on its users. This in turn reflects the magnitude of the potential economic and societal risks, which are without question higher for an OES than for a DSP, given the essential nature of the former's services and operations. Where an OES is obliged to report any incident which may have a significant impact on the continuity of the service it provides, it would be more appropriate for a DSP not to be placed under the same reporting obligation when the continuity of its service is not affected.
The thresholds suggested by ENISA which would trigger the obligation for a DSP to notify an incident can prove very challenging for DSPs. Given their cross-border nature, quantifying a threshold by using a mathematical formula based on the number of users affected by the incident and on its duration might not be ideal for cloud digital services operated across several Member States. If the NIS Directive aims for a more harmonised and effective framework at Union level, it would be more appropriate to support an approach which relies on DSPs' knowledge of the impact and allows them to take suitable measures in proportion to the risk posed to their systems.
Besides the fact that broadening the scope of DSPs' obligations to align them with OESs' obligations would not be consistent with the agreed text of the NIS Directive as adopted, Europe would benefit from greater flexibility in business-to-business cooperation and private/public partnerships. In order to keep financial and reputational losses to a minimum, the 'light-touch approach' is the way to avoid possible operational disruptions which, in the end, could well hinder European industry from making the most of the new possibilities offered by open technologies.
Image credit: IBM Cloud Computing.