In February, the Commission published the communication “a Cybersecurity Strategy of the European Union”, together with a proposal for a Directive on Network and Information Security (NIS). The proposal has two objectives: (1) to create conditions for cooperation amongst the Member States and (2) to provide regulatory requirements for risk management. The directive would require Member States to develop a national cybersecurity strategy and establish a Computer Emergency Response Team (CERT). It mandates information sharing between Member States, as well as the creation of a pan-EU cooperation plan and coordinated early warnings for cyber incidents. The proposed Directive also includes compulsory reporting of security breaches for IT incidents in relation to critical infrastructures. Micro enterprises are excluded from the Directive.
This NIS Directive is a product of the heightened public debate on cybersecurity, which intensified with the release of the revelations about PRISM. It is a sign of the concern the EU currently has about the threat posed to the privacy of EU citizens, as well as of growing fears about security. Personally, I believe the proposal is a good initiative of the Commission since cyber incidents are increasing, making it necessary for the EU to take action. Last year, the World Economic Forum reported that in the next 10 years there is a 10% likelihood of a major Critical Information Infrastructure breakdown with possible economic damages of over $250 billion. The Washington Post reported that cyber espionage is increasing and the National Intelligence Estimate identifies China as the country most aggressively seeking to penetrate computer systems. Given the available knowledge and the predictions made on this topic, a few challenges need to be met during the negotiations on the proposal.
One of the key issues is the scope of the NIS Directive. Cybersecurity does not only concern ICT companies. Companies that are not in the ICT sector should also protect themselves from cyber-attacks and should therefore be included. However, the Directive has been criticised for being too broad. It requires ‘critical infrastructures’ to adopt risk management measures and to report serious security incidents to their national authorities. It includes companies in sectors such as energy, transport, and key providers of information society services (e-commerce platforms, social networks), as well as public administrations. But it is not clear what can be classified as critical. What exactly is a critical infrastructure where there is a need for public policy intervention? It must also be kept in mind that the sectors named above differ from each other in terms of their security requirements and as a function of their business models. Therefore, a differentiated approach and risk analysis are needed to decide on appropriate security measures. The Commission argues that the scope is not too broad. In a conference to discuss the proposal, Mr. Abbamonte (head of the trust and security unit in DG CONNECT) argued that during the drafting the Commission was confronted with the demand that if all systems are connected, everybody has to take responsibility when being online, and that even micro businesses, businesses that do not provide a critical service, and individual users should be included. The Commission decided not to do this and therefore believes the outlined scope to be satisfactory.
Another challenge lies in some ambiguous definitions in the proposal, which are also viewed as being too broad and may thus create legal uncertainty due to different interpretations by Member States. For example, the term ‘risk’ is defined as “any circumstance or event having a potential adverse effect on security” (Article 3 sub 3). This definition could cover a wide range of situations in which an incident needs to be notified to the national competent authority, without taking into account the significance and impact of the incident. According to MEP Andreas Schwab, “we should not try to define what a risk means, because this will change every day. We have to keep it flexible so that the market development can be met quickly.” Furthermore, the term “incident” is defined as “any circumstance or event having an actual adverse effect on security”. This can also be interpreted differently. However, the Commission states that this definition should not create any uncertainty or administrative burdens, arguing that only incidents that have a serious impact need to be reported and that an invisible incident with a small impact on operators will not need to be notified.
Finally, there is the link between notifications under the Data Protection Regulation and notifications under the Cybersecurity Directive. We are dealing with security, but also with confidential information that has been leaked or hacked. Incidents without personal data will have to be notified to the NIS authority, while incidents which involve personal data will have to be notified to both the NIS authority and the DPA. So, when a cross-border incident occurs, cyber security centers should notify other centers about the incident and take coordinated action if possible. However, not all companies want to share private data, so what should be given priority in such a situation? A middle way between the protection of personal data and security needs to be found.