The Directive on security of network and information systems (NIS Directive) is the first EU-level effort to enhance cybersecurity measures. What are these requirements? Are they enough for ensuring the availability and security of systems critical to the ways we live today?
Online and ready when you are – that is a promise realised by most of the Internet-driven world, where our offices, our homes, and even our bodies are just one mouse click or one finger swipe away from the latest financial news and the temperature of the oven roast. Energy, sanitation and water supply, food, transport, financial networks, governments – Internet access has become crucial to the functioning of our most important systems.
So what would happen to this world if all access disappeared? We have at least one approximate real-life example. At approximately 4:37 p.m. PST on August 16, 2013, Google went dark – Gmail, YouTube, Google Drive, and the rest. It was just a four-minute failure but, unsurprisingly, Google’s system-wide outage did not affect its users alone. According to analytics firm GoSquared, in fact, Google’s downtime reduced web traffic worldwide by a whopping 40 percent.
Increasingly, the question is raised as to whether the Internet is a critical infrastructure – one of high importance for society’s ability to function in general and one to be protected in particular. While this question cannot be discussed for the Internet as a whole, of course – with all of its connected networks, systems, and services – the European Union is now rightly asserting that there is a core set of components whose reliability and security are vital to the functioning of our societies and economies. Moreover, in recognition of this fact, the EU moved in 2016 to require that certain enterprise operators of critical IT infrastructure and providers of digital services meet standards that secure these services against threats – whether an innocent service disruption or a malicious cyberattack.
To whom are these requirements directed? What are these requirements? And are these requirements enough for ensuring the availability and security of systems critical to the ways we live today?
On July 6, 2016, the European Union adopted its directive on security of network and information systems, Directive (EU) 2016/1148. The NIS Directive sets common cybersecurity requirements for operators of critical infrastructures and, for the first time, providers of certain digital services – effectively regulating certain enterprises specifically in order to increase IT security outcomes generally. EU member states must transpose the Directive’s laws, regulations, and administrative provisions into their national laws by May 2018.
The reason for the creation of the Directive is simple enough to understand: certain private IT infrastructures and services have become so critical to the functioning of the public welfare that their security means security for us all.
The development of the NIS Directive was not without its challenges. While there was a longstanding agreement of EU member states on which traditional infrastructures, such as energy supply or the healthcare system, could be deemed critical, there were different views on the criticality of Internet services. The EU avoided a sweeping claim that all Internet infrastructures could be labeled critical. Instead, a political compromise was reached to put a small group of services under the scope of the directive. Moreover, the inclusion of security requirements for digital services was also especially controversial – rejected by the Commission at first reading, proclaimed vital by Member States in its next round, and ultimately included in a scaled-back form.
The resulting complex regulatory system of the NIS Directive encompasses both:
Essential infrastructure services: Internet exchange points (IXP), the nodes to which independent networks are connected; DNS service providers, who are responsible for converting domain names (e.g., http://www.europeanbusinessreview.com) into the IP addresses necessary for the technical management of Internet traffic; and top-level domain (TLD) registries, which manage the domain names at the top level (e.g., .com, .de, .eu).
Digital services, as defined by the Directive: online marketplaces that specifically enable third parties to conclude contracts for services or products on their platforms (e.g., eBay, Amazon, Apple App Store); online search engines (internal site search excluded); and cloud computing services in the broadest sense (e.g., Amazon Web Services, but also Flickr and Slack). Moreover, the definition of “cloud computing” is so comprehensive and blurred that more and more services could fall within this category as IT virtualisation continues.
However, the NIS Directive does not cover all digital infrastructures and services. Somewhat troubling, the Directive does not include:
Telecommunications: While radio and television services are already subject to the Audiovisual Media Services Directive (AVMD), the AVMD does not contain IT security requirements. Of course, where media services are provided via the cloud, they may then be subject to EU IT security regulation. This may soon change under both the EU’s forthcoming revision of the AVMD and the World Intellectual Property Organization’s latest deliberations on the development of the Broadcasters’ Treaty.
Trust services: While named by the Commission as “key enablers for secure cross-border electronic transactions”, trust services were excluded from the NIS Directive in deference to the eIDAS Regulation adopted July 2014, which already defines independent security requirements for providers of such services.
Like the Telecom Framework Directive on which it is based, the NIS Directive’s security requirements demand that providers of essential digital infrastructures and certain digital services must
or face sanctions and penalties for compliance violations.
The aforementioned service providers are expected to take risk-averse IT security measures that ensure the service’s availability, confidentiality, integrity, and authenticity. Moreover, these protection measures must be appropriate and proportionate to their need, and must take into account the state of the art. Because “state of the art” leaves considerable room for interpretation, the Commission is expected to clarify it in the implementing act due by August of this year. The European Union Agency for Network and Information Security (ENISA) has also published guidelines based on the Directive.
Under the NIS Directive, service providers must report without undue delay any security incident with a significant impact on the provision of their services. Factors such as duration, number of affected persons, and geographical spread are part of the assessment, where incidents such as a service breakdown, theft of user data, or transaction manipulation have occurred. In the case of essential infrastructure services, the explicit obligation to cooperate with IT security authorities and data protection supervisors is regulated by the Directive; reporting requirements for digital services are left to national laws. In both cases, and under certain circumstances, the appropriate national authorities may even inform the public of reported incidents. Notably, for certain essential infrastructure services the reporting obligation is limited to incidents that significantly impair service availability; an attack on confidentiality alone need not be reported. For example, the detection of eavesdropping on traffic at an Internet node would not have to be reported.
Providers of digital services do not have to present their online marketplaces, online search engines, or cloud services for identification and supervision; rather, supervision is carried out only as post-incident monitoring. If the competent authority is presented with evidence that a provider fails to comply with regulatory requirements, it may act, request information, or make arrangements for remedies. In this respect, the NIS Directive places the responsibility for monitoring for deficiencies on service users, on another authority (e.g., a data protection authority) or – somewhat naively – on the service providers themselves. Only then does the investigative body examine whether the service complies with the security measures of the Directive. How end users would obtain evidence to support their security-failure claims without the backing or intervention of a competent authority is hard to imagine.
Providers of essential infrastructure services, on the other hand, are placed under greater scrutiny from the start. The Directive provides for significantly stronger monitoring measures, empowering competent authorities to evaluate continuously whether these service providers are in compliance. Providers must supply both information and proof – by security audits, for example.
Cooperation and consistency in cybersecurity – can this become the reality of the European Union under the NIS Directive? Is it enough to secure our digital world?
On the one hand, the Directive is the first EU-level effort to enhance cybersecurity measures, building on previous political initiatives that sought to merely define cybercrime or to call for legislative action. The Directive is therefore likely to increase the IT security level of many digital services that have become vital to our societies. On the other hand, its implementation presents major challenges for Member States and the digital economy.
One, the Directive lacks a convincing understanding of the “architecture” of the digital world. The terms, definitions, and demarcations of essential infrastructure services and digital services, as well as the relationship to telecommunications and trust services, are not well understood.
Two, the Directive’s security requirements are not harmonized across the provider types, or even with previously enacted regulations. With increasing virtualization and convergence of these provider types, as well as the provision of mixed services, providers will find it difficult to meet requirements that are similar but not identical. Moreover, adhering to the requirements of the NIS Directive is complicated by the similar requirements of the General Data Protection Regulation. Also passed in 2016, the GDPR focuses on the storage, processing, and movement of personal data, requires a set of technical data security measures, and is likewise applicable to providers of essential infrastructure services and digital services.
Lastly, the NIS Directive does not address one of the main problems of IT security: the poor quality of hardware and software. While the rejection of a provision to address this was rationalized by claims that hardware and software suppliers are already subject to product liability, this is not a convincing argument. Between small and medium-sized enterprises and global players, the security maturity of companies differs too widely.
Overall, the complex nature of cyber threats, the limited technical knowledge of regulatory bodies, and the high speed of digitalization make efforts to secure essential IT infrastructures and digital services of vital importance to the security of all other systems. While market innovation must be given room, it must nevertheless be balanced by public regulation and business initiatives that recognize that the functioning of the internal market and the potential for Europe’s digital growth will rise and fall on cybersecurity. In the longer term, work will be needed at national and EU levels to translate the ideal of strong cybersecurity into well-integrated and harmonized requirements for hardware, software, telecommunications, trust services, and important digital services.
Excerpted and adapted for The European Business Review from “Die EU-Richtlinie über Netz- und Informationssicherheit: Anforderungen an digitale Dienste”. For the full German paper, which includes an analysis of the related cybersecurity initiatives undertaken by Germany prior to and after the adoption of the Directive, visit Computer und Recht at https://doi.org/10.9785/cr-2016-1011.