The Committee on Civil Liberties, Justice and Home Affairs (LIBE) of the European Parliament has published the latest draft of the proposed Network and Information Security (NIS) Directive (the ‘Directive’) following a series of amendments by MEPs. The proposal for the Directive was first published by the European Commission on 7 February 2013 as part of the EU Cyber Security Strategy (see our previous client alert). Recital 30(a) of the latest draft puts the losses caused by cybercrime at an estimated €290 billion each year, while Recital 31(b) states that 1.8% of EU citizens have been victims of identity theft and 12% have been victims of online fraud. These figures only reinforce the argument that the need for a coordinated EU security strategy is more pressing than ever.
However, the UK’s Information Commissioner’s Office (ICO) previously criticised the proposed draft Directive (see our previous blog), in particular the provisions governing breach notification. The ICO was reluctant to take on the role of the UK’s national competent authority (NCA) and thereby to handle a potentially large volume of notifications concerning network and information security incidents unrelated to personal data, an area in which it has no expertise or experience. The UK Government’s Department for Business, Innovation & Skills was similarly critical following an impact assessment, which found that the proposed Directive would impose disproportionate compliance costs on organisations (see our previous blog).
The latest draft from the European Parliament includes a series of new amendments, in particular the following:
- The obligation for each Member State to nominate an NCA responsible for coordinating NIS issues remains, with the additional obligation to establish a cooperation network to share information and ensure a harmonised implementation of the Directive
- Each Member State must set up at least one Computer Emergency Response Team (CERT) to be responsible for handling incidents
- Organisations must consider protection of their information systems as part of their ‘duty of care’
- Organisations must implement appropriate levels of protection against reasonably identifiable threats and vulnerabilities; the required standard will vary according to the nature of the risk each organisation faces
- Member States will not be prevented from adopting provisions that ensure a higher level of security than the Directive provides, though they will not be permitted to maintain measures that conflict with or diverge from the minimum requirements set out in the Directive
- Each Member State will be required to draft a national NIS strategy within 12 months of the adoption of the Directive
- The threshold that triggers notification is to be defined in accordance with the ENISA technical guidelines on incident reporting under Directive 2009/140/EC
- Organisations will be obliged to notify the relevant competent authority of both incidents and threat information having a significant impact on the security of the core services they provide. Notifications must be complete and must be made without undue delay.
- Organisations will be obliged to disclose any incidents affecting them in their annual business report
- The penalties under Article 17 will only be imposed where an organisation has failed to fulfil its obligations under the Directive intentionally or through gross negligence
However, perhaps the most significant amendment to note is the one providing that implementation of the Directive will be postponed until after the anticipated reform of the EU data protection framework, that is, until the General Data Protection Regulation has been adopted. Judging from recent comments by the European Commission, this could be a long time coming.