The European Union's draft directive regarding network and information security ("the Directive") took one step closer to becoming law on 23 January 2014, when the Parliamentary Committee overseeing the development of the legislation voted to adopt a set of Compromise Amendments which will now move forward to a full vote by the European Parliament in a plenary session on 10 March 2014. If the Parliament votes in favour, this draft of the Directive will be negotiated with the European Commission and the Council.
The story so far
Just over a year ago the European Commission published its cybersecurity strategy, by which it aims to ensure a common level of network and information security across the European Union. Published alongside the strategy, and forming its main action, was the draft Directive, which set out a number of proposals designed to enhance the European Union's resilience to cybersecurity threats.
See our analysis of the draft Directive at the time it was published here.
The Directive aims to facilitate information sharing about cybersecurity threats between the public and private sectors and between Member States. It also sets out in broad terms the obligations that Member States will be expected to impose at industry level on those private undertakings providing certain critical infrastructure within the EU. Chapter IV of the Directive details these obligations, which include a requirement that critical infrastructure providers have an adequate strategy and take appropriate steps to deal with cybersecurity threats, and report breaches of their information systems to a national authority.
The Commission's proposals for the Directive were the subject of fierce debate during the course of 2013, with some questioning whether the draft legislation would achieve anything other than imposing an additional regulatory burden on those caught under its unexpectedly wide definition of 'critical infrastructure operators'. The extent of the debate was reflected as the Directive passed through its Committee stage with over 230 amendments being made to the original text.
Which operators are now covered by the Directive?
The Directive now contains an additional test to be applied when assessing whether an undertaking falls within the definition of 'market operator' to which the Chapter IV obligations apply. An undertaking will only be defined as a 'market operator' if it is an operator of infrastructure, 'the disruption or destruction of which would have a significant impact in a Member State'. This appears to limit the scope of the Directive's applicability more than the 'microenterprise' exception in the previous draft of the Directive, although further guidance will be needed for businesses to understand the basis on which this assessment will be made by national authorities.
One of the most hotly debated aspects of the Directive was whether certain technology service providers should be placed under the same Chapter IV obligations as providers of services more traditionally considered to be critical infrastructure. The original draft placed providers of e-commerce platforms, online payment gateways, social networks, search engines, cloud services and app stores under Chapter IV obligations, the justification being that they provide the infrastructure which underpins a wide range of other online services. The Compromise Amendments exclude these service providers from the Chapter IV obligations, likely as a result of pressure from industry. However, the option remains for them to report security incidents to national authorities on a voluntary basis.
Member States now also have a choice in whether they will impose the Chapter IV obligations on 'public administrations' when implementing the Directive into national law. The original text required Chapter IV obligations to be imposed on this type of organisation as standard, leading to concerns about how widely the definition of 'public administration' would be interpreted.
However, whilst technology service providers and public administrations have potentially escaped the reach of Chapter IV, two new industry sectors may now find themselves in line for inclusion.
The first are providers of internet exchange points. Whilst this is closer to the traditional idea of critical infrastructure, it is questionable what the Directive can add in this sector over and above the security obligations already imposed on providers of public electronic communications networks under the Electronic Communications Framework Directive.
The second sector now covered by Chapter IV is the food supply chain, which appears for the first time in the Compromise Amendments. It is not clear exactly how far this definition applies or the extent to which the definition extends beyond the transportation sector which is already covered by the Directive.
Guidance on 'significant impact'
One criticism of the Directive was the lack of clarity surrounding the circumstances in which a market operator was required to notify the relevant national authority of security incidents relating to its systems. The original text only referred to an obligation to report incidents having a 'significant impact on the security of the core services', which led to the obvious question of what constitutes a 'significant impact'.
The Compromise Amendments provide some welcome guidance on this term, indicating that whether an incident has a significant impact will depend on, inter alia, the number of users of the core services who are affected, the duration of the incident and the geographical spread of the area affected by the incident. Sector-specific criteria will also be developed to give further guidance and ensure consistent reporting across Member States. Where the core service affected is located in more than one Member State, the amendments indicate that an authority notified in one Member State will pass the notification to authorities in the other Member States where the service is affected. This suggests that a market operator will only need to give a single notification, which would address the concern raised by the original text that operators would be required to notify the authorities in each Member State concerned.
Finally, the Directive now specifies that the Chapter IV obligations only apply in so far as the incident involves a system related to the core services provided by the market operator. This suggests that incidents relating to other, peripheral systems may not need to be reported. For example, the payroll system of an electricity supplier may be considered unrelated to its core services, meaning a breach of this system need not be notified. However, the interrelated nature of business networks and the difficulty of quickly establishing the extent of a security breach may make this a difficult distinction to draw in practice. Companies may also be required to notify authorities of breaches of non-core systems as a result of other legislation, e.g. data protection legislation.
Publication of breach reports by national authorities
The Compromise Amendments have also tried to deal with concerns raised by industry that national authorities would be given the power to make incident reports public where they deemed it to be in the public interest. Concerns were raised that making such information public could lead to serious reputational damage to the market operator involved. Under the Compromise Amendments, national authorities are now required to consult with market operators when considering publishing information notified to them about a breach and give that market operator a right to be heard before making its decision. National authorities are also required to ensure that any information published about individual incidents is made 'as anonymous as possible'.
The text also indicates that notification of an incident shall not expose the notifying party to increased liability.
Enhanced information sharing
The Compromise Amendments contain a number of positive developments surrounding the principle of information sharing, one of the Commission's key aims for the Directive. The Directive aims to establish a cross-border cooperation network between authorities in Member States which would circulate early warnings of cyber risks and incidents, facilitate a coordinated response to cyber threats and assist the exchange of information and best practices. However, the information sharing between industry and national authorities envisaged by the original text was very much a one-way street, with industry being required to report incidents but very little provision for information to flow in the other direction.
This asymmetry has now been addressed. Firstly, market operators and suppliers of cybersecurity solutions may be allowed to participate in certain activities of the cooperation network, including the exchange of information and best practice. Public sector participants in the cooperation network will also be required to provide market operators with information relating to specific risks and incidents affecting their networks or systems. This information sharing is also carried through to situations where a market operator has made a security breach notification, as the national authority notified will be required, where possible, to provide that market operator with information to assist it in handling the notified incident.
Enforcement and Financial Reporting
A number of positive changes have also been implemented regarding the powers of national authorities to monitor compliance with the Chapter IV obligations and punish non-compliance:
- National authorities may now accept an independent security audit carried out by a third party as evidence of compliance with the security requirements under Chapter IV.
- National authorities may tailor the level of scrutiny a market operator is placed under based on how critical its systems are judged to be rather than applying a 'one size fits all' approach.
- Market operators will only be subject to penalties for non-compliance with Chapter IV obligations where it arises as a result of intent or gross negligence.
- One additional point of interest is the inclusion of a requirement under Chapter IV for Member States to 'encourage market operators to make public incidents involving their corporation in their financial reports on a voluntary basis'. It is not currently clear what form this 'encouragement' would take, but the general concept of raising information security as a board-level issue should be seen as a positive step.
To repeat our analysis of the original draft of the Directive: if implemented successfully, it could represent an opportunity for Europe to set a benchmark on cybersecurity for the rest of the world to follow. The major concerns regarding which operators the Directive will apply to and the circumstances in which security breaches must be notified have been addressed to some extent, and there are other positive developments surrounding information sharing.
However, the debate is still open as to whether this is an area in which overarching regulation will actually enhance cybersecurity within the EU or just add an additional regulatory burden to sectors which are already highly regulated. Some instead advocate the approach currently being taken in the United States, where a voluntary, industry-led set of standards to reduce cyber risks to critical infrastructure has been drawn up by the National Institute of Standards and Technology following an Executive Order issued by President Obama in February 2012.
The Directive is unlikely to complete the legislative process before the end of the current European Parliament term, meaning there is the possibility that the process will not be continued in the new Parliament starting in May 2014. Whether the EU will continue with its regulatory approach to cybersecurity or adopt something more akin to the voluntary approach being followed in the US should become clearer over the next few months.