The draft version of Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016, concerning measures for a high common level of security of network and information systems across the Union (NIS Directive) [Footnote 30], was presented in 2013 as a major element of the Cybersecurity Strategy. Its underlying objective is to ensure a high level of security of network and information systems at the EU level (hence the common abbreviation "NIS Directive"), i.e. to increase the security of the tele-information systems that form the basis for the functioning of the modern societies and economies of EU Member States, and thereby to improve the functioning of the EU internal market. To this end, Article 1(2) of the NIS Directive provides for:

1. laying down obligations for all Member States to adopt a national strategy on the security of network and information systems;
2. creating a Cooperation Group in order to support and facilitate strategic cooperation and the exchange of information among Member States, and to develop trust and confidence amongst them;
3. creating a computer security incident response team (CSIRT) network in order to contribute to the development of trust and confidence between Member States, and to promote swift and effective operational cooperation;
4. establishing security and notification requirements for operators of essential services and for digital service providers;
5. laying down obligations for Member States to designate national competent authorities, single points of contact, and CSIRTs with tasks related to the security of network and information systems.
The security and incident-reporting requirements stipulated in the NIS Directive do not apply to undertakings which are subject to the requirements arising from Articles 13a and 13b of Directive 2002/21/EC of the European Parliament and of the Council of 7 March 2002 on a common regulatory framework for electronic communications networks and services (Framework Directive), i.e. to undertakings providing public communications networks or publicly available electronic communications services, nor to trust service providers which are subject to the requirements arising from Article 19 of Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC.
The NIS Directive is without prejudice to the actions taken by Member States to safeguard their essential state functions, in particular to safeguard national security, including actions protecting information whose disclosure Member States consider contrary to the essential interests of their security, and to maintain law and order, in particular to facilitate the investigation, detection, and prosecution of criminal offences (Article 2(6)). It should be stressed that it provides for minimum harmonisation, as, under Article 4, Member States may adopt or maintain provisions with a view to achieving a higher level of security of network and information systems.
For the purpose of the NIS Directive (Article 4(1)), "network and information systems" are defined as:

(a) electronic communications networks within the meaning of point (a) of Article 2 of Directive 2002/21/EC;
(b) any device or group of interconnected or related devices, one or more of which, pursuant to a programme, perform automatic processing of digital data; or
(c) digital data stored, processed, retrieved or transmitted by elements covered under points (a) and (b) for the purposes of their operation, use, protection, and maintenance.
The security of network and information systems is understood as the ability of network and information systems to resist, at a given level of confidence, any action which compromises the availability, authenticity, integrity, or confidentiality of stored or transmitted or processed data, or the related services offered by, or accessible via, those network and information systems (Article 4(2)). The operator of essential services means a public or private entity of a type referred to in Annex II (energy, transport, banking, financial-markets infrastructure, healthcare, water-supply and digital infrastructure). Digital services were specified in Annex III (online marketplace, online search engine, cloud-computing services).
In compliance with the NIS Directive, Member States are obliged to identify the operators which are subject to the Directive within each of the sectors listed in Annex II. It is not required to identify all services, but only those of major significance to social and economic interests, and which could be subjected to significant disruptive effects. The significance of a disruptive effect is determined by taking into account the factors listed in Article 6 of the NIS Directive. These refer to the number of users relying on the service provided by the entity concerned, the dependency of other sectors (referred to in Annex II) on the service provided by that entity, the impact which incidents could have on economic and societal activities or public safety, the relative impact of social and economic interests, market share, geographical spread, etc. Chapter II governs the national frameworks on the security of network and information systems. Article 7 obliges each Member State to adopt a national-security strategy, while at the same time defining the issues to be considered therein. Article 8 obliges each Member State to designate competent authorities on the security of network and information systems (supervising their compliance with the provisions implementing the NIS Directive) and single points of contact. The Directive provides for establishing computer security incident response teams (CSIRTs) (Article 9) charged with the management of risks and incidents in the sectors defined in Annex II, and in the services listed in Annex III. Furthermore, the NIS Directive provides for cooperation at the national level between competent authorities, single points of contact, and CSIRTs (Article 10). 
Cooperation between Member States is regulated in Chapter III, which envisages establishing a Cooperation Group (Article 11) composed of representatives of Member States, the Commission, and ENISA, and entrusted with providing strategic guidance for the activities of the CSIRT network, exchanging information and best practices, etc. Article 12 provides for a network of the national CSIRTs, the principal duty of which is to ensure a coordinated response to incidents. The NIS Directive provides for certain security and incident-reporting obligations to be imposed both on operators of essential services (Article 14) and on digital service providers (Article 16). [Footnote 31]
There are numerous documents related to the NIS Directive, including legal acts of a binding and non-binding character:

1. Commission Implementing Regulation (EU) 2018/151 of 30 January 2018 laying down rules for the application of Directive (EU) 2016/1148 of the European Parliament and of the Council as regards further specification of the elements to be taken into account by digital service providers for managing the risks posed to the security of network and information systems, and of the parameters for determining whether an incident has a substantial impact. [Footnote 32]
2. Commission Implementing Decision (EU) 2017/179 of 1 February 2017 laying down the procedural arrangements necessary for the functioning of the Cooperation Group, pursuant to Article 11(5) of Directive (EU) 2016/1148 of the European Parliament and of the Council, concerning measures for a high common level of security of network and information systems across the Union. [Footnote 33]
3. Communication from the Commission to the European Parliament and the Council: Making the most of NIS—towards the effective implementation of Directive (EU) 2016/1148 concerning measures for a high common level of security of network and information systems across the Union. [Footnote 34]
4. Commission Recommendation (EU) 2017/1584 of 13 September 2017 on coordinated response to large-scale cybersecurity incidents and crises. [Footnote 35]
5. Joint Communication to the European Parliament and the Council—Resilience, Deterrence, and Defence: Building strong cybersecurity for the EU. [Footnote 36]