Cybersecurity high on the EU’s agenda

Dóra Petrányi, CEE Managing Director, CMS Budapest
Márton Domonkos, Senior Counsel, Data Privacy, CMS Budapest

New cybersecurity requirements

EU member states are likely to adopt specific system security regulations for operators of essential services and digital service providers. To avoid imposing a disproportionate financial and administrative burden, the requirements should be proportionate to the risk presented by the system. In the case of digital service providers, the requirements should not apply to micro- and small-sized enterprises. It is also possible that entities provide both essential and non-essential services. For example, airports provide the management of runways, but also the provision of shopping areas. Operators of essential services should be subject to the specific security requirements only with respect to those services which are deemed to be essential.

For the purposes of the above, each country should determine – by November 9, 2018, on the basis of the consistent approach under the NIS Directive – which entities meet the criteria of the new definition of “operator of essential services”. Where an entity provides an essential service in two or more countries, the countries should engage in mutual discussions with each other.

Governmental strategies and procedures

EU member states shall be adequately equipped to prevent, detect, respond to and mitigate cybersecurity incidents and risks through well-functioning computer security incident response teams (CSIRTs). Each country shall adopt a national cybersecurity strategy, and also designate a single point of contact that is responsible for coordination and cross-border cooperation under the NIS Directive. A Cooperation Group, composed of representatives of EU member states, the EU Commission, and the EU Agency for Network and Information Security (ENISA), will support and facilitate the strategic cooperation at an EU level. The commission also supervises all cross-border tasks closely, and may adopt appropriate technical guidelines to facilitate compliance with the NIS Directive.

Notification obligations

Operators of essential services and digital service providers (their scope is defined in the NIS Directive) shall notify, without undue delay, the competent authority or the CSIRT of security incidents having a certain impact on the services they provide. The competent authority or the CSIRT may inform the other affected EU countries, and also the public, if needed – for example, where public awareness is necessary to deal with an ongoing incident. Further, sector-specific factors should also be considered to determine the impact which an incident may cause. With regard to energy suppliers, such factors could include the volume or proportion of national power generated, or for oil suppliers, the volume per day. In case of banking or financial market infrastructures, their systemic importance may be based on total assets or the ratio of those total assets to GDP. In the health sector, the number of patients under the provider’s care per year may be relevant.

Effects on cloud computing services

The NIS Directive allows the adoption of national measures requiring public-sector bodies to ensure specific security requirements when they contract cloud services. However, such measures should apply to the public-sector body concerned, and not to the cloud service provider.

Next tasks

EU member states must pass the national regulations implementing the NIS Directive by May 9, 2018. Companies should continuously monitor the upcoming laws, and review their cybersecurity practices accordingly, together with their incident notification procedures. As most network and information systems are privately operated, cooperation between the public and private sectors will also be essential.