Network and information systems legislation on cybersecurity
Three parameters that should be taken into account regarding the notifications are:
• the number of users affected;
• the duration of the incident;
• the geographic spread.
What are digital service providers and do they have to notify cyber incidents?
The NIS Directive covers:
• Online marketplaces (that allow businesses to make their products and services available online)
• Cloud computing services
• Search engines
All entities meeting these definitions are automatically subject to the security and notification requirements under the NIS Directive. Micro and small enterprises (as defined in Commission Recommendation 2003/361/EC) do not fall under the scope of the Directive.
What are the obligations for digital service providers?
Digital service providers covered by the NIS Directive are required to take appropriate security measures and to notify substantial incidents to the competent authority.
Security measures are similar to those undertaken by the operators of essential services and cover the following:
• Preventing risks
• Ensuring security of network and information systems
• Handling incidents
The security measures taken by digital service providers should also take into account some specific factors defined in the 2018 Commission implementing regulation:
• security of systems and facilities: a set of policies to manage the risk posed to the security of DSPs, which can be aimed at facilitating technical IT security as well as physical and environmental security, security of supply and access control;
• incident handling: measures taken to detect, report and respond to cybersecurity incidents and to assess their root causes;
• business continuity management: the capacity to be adequately prepared, with the ability to minimise impacts on services and to quickly recover from cyber incidents;
• monitoring, auditing and testing: regular checks to assess anomalies, verify that risk management measures are in place and that processes are being followed;
• compliance with international standards, for example those adopted by international standardisation bodies (e.g. ISO standards).
What kind of incidents will be notifiable by the digital service providers?
The Directive sets out five parameters that should be taken into consideration, as specified by the Commission in its 2018 implementing regulation:
• Number of users affected: users with a contract in place (especially for online marketplaces and cloud computing services) or habitually using the service (based on previous traffic data);
• Duration of the incident: the period of time starting when a digital service is disrupted until it is recovered;
• Geographic spread: the area affected by the incident;
• The extent of the disruption of the service: characteristics of the service impaired by the incident;
• The impact on economic and societal activities: losses caused to users in relation to health, safety or damage to property.
The implementing regulation specifies four situations in which digital service providers are required to notify the relevant national competent authority or CSIRT, namely:
• If the digital service is unavailable for more than five million user hours in the EU;
• If more than 100,000 users in the Union are impacted by a disruption;
• If the incident has created a risk to public safety, public security or of loss of life;
• If the incident has caused material damage of more than €1m.
This list may be reviewed on the basis of guidance issued by the Cooperation Group, which will take into account the experience gained through the implementation of the NIS Directive.
What is the timeline for implementation of the Directive?
Member states have until 9 November 2018 to identify businesses operating in their territory as "operators of essential services", that is, private businesses or public entities with an important role for society and the economy operating in critical sectors, which will have to comply with security requirements and notify significant incidents to national authorities. The Commission will regularly update the overview of the state of play of transposition in each member state on its website.