Under the new rules of the NIS Directive and the national legislation implementing it, operators of essential services and digital service providers have to (i) interact with new key actors; (ii) implement security measures; and (iii) notify security incidents.
With regard to the security measures, the NIS Directive lays down generic obligations: operators of essential services and digital service providers must take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of the network and information systems which they use for the provision of their services, and to prevent and minimise the impact of incidents affecting the security of those systems.[19] Having regard to the state of the art, these measures must ensure a level of security of network and information systems appropriate to the risk posed.
More particularly, when examining the security aspects of Operators of Essential Services (OES) and Digital Service Providers (DSPs), it is worth considering the following:
Security of Operators of Essential Services
- “Mapping of OES Security Requirements to Specific Sectors” published by ENISA in January 2018[20]: this report provides a substantial and comprehensive mapping of the security requirements for OES, as agreed in the NIS Cooperation Group, to sector-specific information security standards. It therefore associates the security requirements for OES with the information security standards applicable to the sectors referred to in Annex II of the NIS Directive.
- “Reference document on security measures for Operators of Essential Services” published by the NIS Cooperation Group in February 2018[21]: this document does not aim to establish a new standard nor to duplicate existing ones (e.g. ISO) but to provide Member States with a clear and structured picture of Member States’ current, and often common, approaches to the security measures of OES.[22]
Security of Digital Service Providers
- The NIS Directive stipulates that DSPs must take into account the following specific elements when determining appropriate security measures[23]:
  - the security of systems and facilities;
  - incident handling;
  - business continuity management;
  - monitoring, auditing and testing; and
  - compliance with international standards.[24]
- “Technical Guidelines for the implementation of minimum security measures for Digital Service Providers”[25] published by ENISA to assist Member States and DSPs and to provide a common approach regarding the security measures for DSPs.
- Commission Implementing Regulation (EU) 2018/151, which specifies the elements to be taken into account by DSPs for managing the risks posed to the security of network and information systems and the parameters for determining whether an incident has a substantial impact.[26]
Although the NIS Directive is a fundamental legal instrument laying down the core cyber-security obligations, clarification will be required at EU and national level in order to truly enhance cyber-security and resilience in the various sectors concerned. More particularly, as concluded in the context of the transport sector but equally applicable to others, "non-regulatory actions are and should be pursued to address cyber threats already today: information exchange, capabilities building, awareness raising and development of cyber skills. The transport sector should work together to lay down the foundations for a 'cybersecurity culture'".[27] Furthermore, (better) cooperation between the technical and operational levels will be needed, as well as between international partners and relevant international organisations.[28]
Security requirements under other legislations
It is important to note that other legal instruments may impose security requirements as well. This is particularly true in the electronic communications sector, where several EU Directives, transposed into the national laws of the (currently) 28 Member States, provide for security obligations, for instance:
- The ePrivacy Directive[29]: this Directive requires providers of electronic communications services to take appropriate technical and organisational measures to safeguard the security of their services, where necessary in conjunction with the provider of the public communications network.
- The Framework Directive[30]: this complements the ePrivacy Directive by requiring providers of publicly available electronic communications networks and services to take appropriate measures to manage the risks posed to the security of the networks and services. The Directive also requires the providers to guarantee the integrity of their networks and continuity of supply.
- The Radio Equipment Directive[31]: pursuant to this Directive, radio equipment within certain categories or classes shall incorporate safeguards to ensure that the personal data and privacy of users and subscribers are protected.
Security standards
In addition to the legal requirements on security, security standards have an important role to play in big data analytics and are therefore also relevant to the actors of the data value chain. Relying on standards and certification schemes also makes it easier to demonstrate compliance with legal requirements, including security requirements.
By relying on existing schemes, such as the ISO/IEC 27000 series issued by the International Organization for Standardization ("ISO") and the International Electrotechnical Commission ("IEC"), big data service providers can demonstrate to the regulator and to their customers that their systems are adequate, or at least that security-related measures and processes have been implemented. A certificate attests that the measures were in place at the time of the audit; it does not by itself establish that the chosen scope and controls match the risks of a specific processing activity.
Furthermore, several standards development organisations have created and are currently developing big data-specific standards. It is essential for any big data service provider to follow up closely on the evolutions in this respect.
Security in practice: a complex reality
Despite the existence of guidance on the various security obligations and how to consider them practically, the implementation of security aspects remains difficult in reality and requires further and continuous research.
A good way to illustrate the complexities of applying appropriate security measures is through so-called “adversarial images” (more generally, adversarial examples). An adversarial image is an input to which small, deliberately computed perturbations have been added so that a machine learning model misclassifies it, even though a human observer sees no meaningful change. To illustrate this specific security issue, OpenAI relies on the work of Goodfellow, Shlens and Szegedy[32]. More concretely, "starting with an image of a panda, the attacker adds a small perturbation that has been calculated to make the image be recognized as a gibbon with high confidence".[33]
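The perturbation in the panda/gibbon case is computed with the "fast gradient sign method" described in the cited paper[32]: each input value is nudged by a tiny amount in the direction that increases the model's loss, and in a high-dimensional input these tiny nudges add up to a large change in the model's output. The following worked example is added here for illustration and is not code from the original article or from OpenAI; it uses a hypothetical linear "panda vs gibbon" classifier with constructed weights and a constructed 256-pixel grey image, and needs no machine learning library. It goes slightly beyond the text by also computing the paper's bound on how far a perturbation of a given size can move a linear model's output.

```python
"""Fast Gradient Sign Method (FGSM) against a toy linear classifier.

Constructed illustration: a hypothetical 16x16 greyscale image (256 values in
[0, 1]) and a hypothetical logistic-regression classifier whose positive class
is "panda" and negative class is "gibbon". Weights, bias and image are made up
for this example and are not a trained model.
"""
import math

N_PIXELS = 256
LABELS = {1: "panda", 0: "gibbon"}

# Hypothetical trained weights: deterministic, roughly zero-mean, range [-0.5, 0.5].
WEIGHTS = [(((i * 37) % 11) - 5) / 10.0 for i in range(N_PIXELS)]
BIAS = 0.65

# Constructed clean input: a uniform mid-grey image the classifier calls "panda".
CLEAN_IMAGE = [0.5] * N_PIXELS


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def logit(image):
    """Pre-activation w.x + b of the linear classifier."""
    return sum(w * x for w, x in zip(WEIGHTS, image)) + BIAS


def classify(image):
    """Positive logit -> "panda", otherwise "gibbon"."""
    return LABELS[1] if logit(image) > 0 else LABELS[0]


def sign(v):
    return (v > 0) - (v < 0)


def input_gradient(image, true_label):
    """d(cross-entropy loss)/d(input) for logistic regression: (sigmoid(z) - y) * w."""
    err = sigmoid(logit(image)) - true_label
    return [err * w for w in WEIGHTS]


def fgsm(image, true_label, eps):
    """x_adv = clip(x + eps * sign(grad_x J(x, y)), 0, 1).

    Every pixel moves by at most eps, i.e. the perturbation is bounded in
    L-infinity norm, which is what keeps it visually imperceptible.
    """
    grad = input_gradient(image, true_label)
    return [min(1.0, max(0.0, x + eps * sign(g))) for x, g in zip(image, grad)]


def max_pixel_change(a, b):
    return max(abs(p - q) for p, q in zip(a, b))


def worst_case_logit_shift(eps):
    """Bound from the cited paper for linear models: an L-infinity perturbation of
    size eps moves the logit by up to eps * ||w||_1, which grows with the number
    of input dimensions even though each individual change stays tiny."""
    return eps * sum(abs(w) for w in WEIGHTS)


if __name__ == "__main__":
    for eps in (0.001, 0.01):
        adv = fgsm(CLEAN_IMAGE, 1, eps)
        print(f"eps={eps}: clean={classify(CLEAN_IMAGE)} (logit {logit(CLEAN_IMAGE):.3f}) "
              f"-> adversarial={classify(adv)} (logit {logit(adv):.3f}), "
              f"max pixel change={max_pixel_change(CLEAN_IMAGE, adv):.3f}, "
              f"bound={worst_case_logit_shift(eps):.3f}")
```

With these constructed values a per-pixel change of 0.001 leaves the label unchanged, while a change of 0.01 (one percent of the pixel range) flips "panda" to "gibbon" because 256 such changes move the logit by about 0.7. The practical point for a security assessment is that the vulnerability is a property of the model, not a bug in any single line of code, so it has to be addressed through evaluation against such inputs rather than through conventional patching.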
Illustration in the transport sector: The concept of adversarial images can be particularly relevant in the transport sector. For instance, physical modifications to a street sign can make the recognition algorithm read the sign as something completely different from what it actually says. IEEE Spectrum published an article illustrating how “Slight Street Sign Modifications Can Completely Fool Machine Learning Algorithms”[34]. Adversarial images can cause “signs that look like one thing to us to look like something completely different to the vision system of an autonomous car, which could be very dangerous for obvious reasons.”[35] For instance, in the figure from that article, “the top row shows legitimate sample images, while the bottom row shows adversarial sample images, along with the output of a deep neural network classifier below each image.”[36]
Conclusion
The requirement to put in place security measures is imposed by various pieces of legislation at EU and national level, including key instruments such as the GDPR and the NIS Directive. This legislation however remains rather general and vague as to which specific measures are deemed appropriate. It follows that organisations in the data value chain are required to:
- make a risk assessment (evaluate, manage and document the risks);
- carefully assess the available security measures on the market;
- adequately reflect the security aspects in the various contracts between stakeholders; and
- continuously assess the adequacy of the implemented measures in light of the evolving risks and the available measures.
In order to do so, organisations generally need to rely on security experts and take into account the evolving guidance documents published by authorities such as ENISA. Adherence to certification mechanisms, seals, marks and codes of conduct may in addition be used as an element to demonstrate compliance with legal security obligations; it does not replace the organisation's own risk assessment.
Despite the enormity of the task still to be undertaken in order to improve cyber-security across the EU, the various stakeholders are aware of the need to move forward, notably through non-regulatory actions and improved cooperation. The EU institutions have also recently agreed on the means to tackle the cyber-security challenges, notably through the political agreement reached on 11 December 2018 by the European Parliament, the Council and the European Commission on the so-called "Cybersecurity Act", which aims to reinforce the mandate of ENISA and establish an EU framework for cybersecurity certification.[37]
Our next article will address breach-related obligations in the context of big data, with illustrations drawn from the transport sector.
This series of articles has been made possible by the LeMO Project (www.lemo-h2020.eu), of which Bird & Bird LLP is a partner. The LeMO project has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement no. 770038.
This article on (cyber-)security has also been made possible by the THREAT-ARREST Project (www.threat-arrest.eu), of which Bird & Bird LLP is a partner. The THREAT-ARREST Project has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement no. 786890.
The information given in this document concerning technical, legal or professional subject matter is for guidance only and does not constitute legal or professional advice.
The content of this article reflects only the authors’ views. The European Commission and Innovation and Networks Executive Agency (INEA) are not responsible for any use that may be made of the information it contains.
[1] Joint statement of the European Commission, ENISA, EMSA, EASA and ERA of 23 January 2019, "Transport cybersecurity: Raising the bar by working together" in the context of the 1st Transport Cybersecurity Conference held in Lisbon.
[2] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [2016] OJ L 119/1
[3] Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union [2016] OJ L 194/1
[4] GDPR, art 24
[5] Such measures shall take into account the following elements: (i) the state of the art; (ii) the costs of implementation; (iii) the nature, scope, context, and purposes of the processing; and (iv) the risk of varying likelihood and severity for the rights and freedoms of natural persons.
[6] Commission de la protection de la vie privée, 'Big Data Rapport' (CPVP 2017) 58 <https://www.autoriteprotectiondonnees.be/sites/privacycommission/files/documents/Rapport_Big_Data_2017.pdf> accessed 10 January 2019.
[7] Pursuant to Article 32(1) GDPR, these are (i) the pseudonymisation and encryption of personal data; (ii) the ability to ensure the on-going confidentiality, integrity, availability and resilience of processing systems and services; (iii) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and (iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
[8] GDPR, arts 24(3) and 28(5)
[9] GDPR, art 32(3)
[10] GDPR, art 28(1)
[11] Cybercrime is indeed predicted to cost the world over $6 trillion per year by 2021, see Mark Hue Williams and Jamie Monck-Mason, 'Guide to the NIS Directive for Transportation Companies' (Willis Towers Watson, 8 August 2017) <https://www.willistowerswatson.com/en/insights/2017/08/guide-to-the-nis-directive-for-transportation-companies> accessed 10 January 2019.
[12] NIS Directive, art 25. EU Member States had 21 months to transpose the Directive into their national laws and 6 additional months to identify the providers of essential services subject to the Directive's requirements.
[13] NIS Directive, Annex II
[14] NIS Directive, Annex II
[15] NIS Directive, art 4(4)
[16] NIS Directive, art 4(5)
[17] Transforming Transport, 'Integrated Urban Mobility: Tampere Pilot' (TT, 2018) <https://transformingtransport.eu/transport-domains/integrated-urban-mobility-tampere-pilot> accessed 10 January 2019
[18] 'Online marketplaces' are defined broadly as any digital service that allows consumers and/or traders to conclude online sales or service contracts with traders either on the online marketplace's website or on a trader's website that uses computing services provided by the online marketplace.
[19] NIS Directive, arts 14 and 16
[20] European Union Agency for Network and Information Security, 'Mapping of OES Security Requirements to Specific Sectors' (ENISA 2018) <https://www.enisa.europa.eu/publications/mapping-of-oes-security-requirements-to-specific-sectors> accessed 10 January 2019
[21] NIS Cooperation Group, 'Reference Document on Security Measures for Operators of Essential Services' (European Commission 2018) <https://circabc.europa.eu/sd/a/c5748d89-82a9-4a40-bd51-44292329ed99/reference_document_security_measures_OES(0).pdf> accessed 10 January 2019
[22] Ibid 5
[25] European Union Agency for Network and Information Security, 'Technical Guidelines for the Implementation of Minimum Security Measures for Digital Service Providers' (ENISA 2016) <https://www.enisa.europa.eu/publications/minimum-security-measures-for-digital-service-providers/at_download/fullReport> accessed 10 January 2019
[26] Commission Implementing Regulation (EU) 2018/151 laying down rules for application of Directive (EU) 2016/1148 of the European Parliament and of the Council as regards further specification of the elements to be taken into account by digital service providers for managing the risks posed to the security of network and information systems and of the parameters for determining whether an incident has a substantial impact [2018] OJ L 26/48
[27] Joint statement of the European Commission, ENISA, EMSA, EASA and ERA of 23 January 2019, "Transport cybersecurity: Raising the bar by working together" in the context of the 1st Transport Cybersecurity Conference held in Lisbon.
[28] Ibid.
[29] Directive 2002/58/EC of the European Parliament and of the Council concerning the processing of personal data and the protection of privacy in the electronic communications sector [2002] OJ L 201/37 (ePrivacy Directive). Please note that the ePrivacy legislation is currently being reviewed and that the European Commission has issued a Proposal for an ePrivacy Regulation.
[30] Directive 2002/21/EC of the European Parliament and of the Council on a common regulatory framework for electronic communications networks and services [2002] OJ L 108/33 (Framework Directive). Please note that this Directive will be repealed as from 21 December 2020, in accordance with the newly adopted Directive (EU) 2018/1972 of the European Parliament and of the Council of 11 December 2018 establishing the European Electronic Communications Code.
[31] Directive 2014/53/EU of the European Parliament and of the Council of 16 April 2014 on the harmonisation of the laws of the Member States relating to the making available on the market of radio equipment and repealing Directive 1999/5/EC [2014] OJ L 153/62 (Radio Equipment Directive).
[32] Ian J. Goodfellow, Jonathon Shlens and Christian Szegedy, 'Explaining and Harnessing Adversarial Examples' (2015) <https://arxiv.org/abs/1412.6572> accessed 10 January 2019
[33] Ian Goodfellow and others, 'Attacking Machine Learning with Adversarial Examples' (OpenAI, 24 February 2017) <https://blog.openai.com/adversarial-example-research/> accessed 10 January 2019
[34] Evan Ackerman, 'Slight Street Sign Modifications Can Completely Fool Machine Learning Algorithms' (IEEE Spectrum, 4 August 2017) <https://spectrum.ieee.org/cars-that-think/transportation/sensors/slight-street-sign-modifications-can-fool-machine-learning-algorithms> accessed 10 January 2019
[35] Ibid
[36] Ibid
[37] European Commission press release of 11 December 2018 available at <https://ec.europa.eu/commission/news/cybersecurity-act-2018-dec-11_en> accessed 25 January 2019.