Just as businesses have begun to come to terms with the GDPR, another regulatory regime has come into force, its arrival having gone largely unnoticed by many businesses. This incoming regulatory regime is called the Network and Information Systems Directive (“NIS Directive”) and the Irish legislation implementing the NIS Directive (“NIS Regulations”) was signed into law in September of this year.
The GDPR was designed to reshape the way that businesses approach data privacy and to strengthen the privacy rights of individuals. In contrast, the NIS Directive was adopted by the EU legislature as a response to the growing number of cyberattacks on critical infrastructure and online services, and as an attempt to boost the overall level of cybersecurity in the EU.
Importantly, Irish authorities will have responsibility for dealing with the security of services provided by multinational companies across the EU. This is because many of these companies have their European headquarters located in Ireland.
What does the NIS regime do?
The NIS regime seeks to achieve a high common level of security of network and information systems throughout the EU. It will impose wide ranging obligations on both Member States and certain businesses. These include risk management and breach reporting obligations that fall within the scope of the NIS regime.
In practice, this means that, as well as having mandatory breach reporting obligations for personal data breaches under the GDPR, many businesses will also be subject to mandatory breach reporting obligations under the NIS regime.
What businesses will be affected?
The NIS Regulations provide that these obligations will only apply to the following two types of businesses:
- Operators of essential services (OES): These are businesses that are established in Ireland and provide essential services in Ireland within specific sectors and sub-sectors. These sectors are set out in the NIS Regulations and include energy, transport, banking, financial market infrastructure, health, water and digital infrastructure. A list of essential services will be maintained by the competent authority in each Member State. Therefore, there is a level of certainty for businesses operating within these sectors as to whether they will be subject to this regime.
- Relevant digital service providers (RDSP): Providers of online marketplaces, online search engines and cloud computing services that have their head office in Ireland, or that have a “designated representative” in Ireland, will be considered RDSPs. However, small or micro digital service providers, i.e. businesses that employ fewer than 50 people and whose annual turnover is less than €10 million, fall outside the definition. However, unlike for OES, the onus is on businesses to determine whether they are RDSPs.
What are the risk management and breach reporting obligations?
As with the GDPR, the NIS regime requires in-scope service providers to implement appropriate technical and organisational measures, and imposes mandatory breach notification obligations. However, these requirements differ slightly depending on whether the organisation is an OES or RDSP.
- Security: Under the NIS Regulations, OESs are required to take “appropriate and proportionate technical and organisational measures” to manage security risks. They must also take “appropriate measures” to prevent and minimise the impact of security incidents affecting systems used to provide essential services. In determining these measures, OES must have regard to “state of the art” security measures and ensure that the security measures that are applied are appropriate to the risks posed to its systems.
- Breach notification: OESs are required to notify the computer security incident response team (CSIRT) of any incident that has a “significant impact” on the continuity of the provision of the essential service which it provides. The CSIRT is a dedicated unit that sits within the Irish Department of Communications, Climate Action and Environment. The NIS Regulations set out a number of factors to assist OESs in determining whether there is a “significant” impact such as the numbers of users affected, the duration of the incident etc.
- Security: For RDSPs, the security obligations that apply to these providers largely mirror those that apply to OESs. However, RDSPs are required to consider a number of additional factors when implementing appropriate security measures including incident handling, business continuity management, monitoring, auditing and testing.
- Documentation: Unlike OESs, RDSPs are required to have sufficient documentation in place to enable the competent Irish authority, the Minister for Communications, Climate Action and Environment, to verify compliance with these security requirements. In practice, this obligation is akin to an accountability type obligation under the GDPR.
- Breach notification: RDSPs are required to notify the CSIRT of any incident that has a “substantial impact” on the continuity of the provision of the digital service which it provides. The NIS Regulations set out a number of criteria for RDSPs to consider when assessing these incidents. These are more extensive than the criteria set out for OESs. In any event, these thresholds differ to the “risk” and “high risk” thresholds set out in the GDPR.
Like the timelines for breach notifications under the GDPR, both types of service providers are subject to a maximum 72-hour period within which incidents must be reported. However, unlike the GDPR, in-scope service providers are also required to notify the CSIRT once incidents have been resolved, i.e. within a maximum of 72 hours from when the incident has been resolved. In addition, the information that must be notified by both types of providers to the CSIRT is broadly similar.
What steps should you take now?
The following are some key steps for businesses to take:
- Carry out an analysis of whether your business is within the scope of the NIS regime.
- For businesses that are in-scope:
- Carry out an evaluation of technical and organisational measures to ensure the security of networks and information systems meets the requirements under NIS. Ideally, these security measures should be stress tested to identify any potential weaknesses. These may include simulated exercises.
- Meet with relevant teams within the business to ensure that all teams are aware of NIS obligations and are able to respond appropriately.
- Build the NIS breach reporting obligations into breach reporting policies and procedures.
- An RDSP should ensure that its security measures are documented as required by the NIS Regulations. In practice, this documentation can be built in to the organisation’s existing GDPR accountability and compliance framework.