Tilburg University

The new EU cybersecurity framework
Markopoulou, Dimitra; Papakonstantinou, Vagelis; de Hert, Paul

Published in: Computer Law and Security Review
DOI: 10.1016/j.clsr.2019.06.007
Publication date: 2019
Document Version: Version created as part of publication process; publisher's layout; not normally made publicly available
Link to publication in Tilburg University Research Portal

Citation for published version (APA):
Markopoulou, D., Papakonstantinou, V., & de Hert, P. (2019). The new EU cybersecurity framework: The NIS Directive, ENISA's role and the General Data Protection Regulation. Computer Law and Security Review, 35(6), 1-11. [105336]. https://doi.org/10.1016/j.clsr.2019.06.007
Available online at www.sciencedirect.com
Journal homepage: www.elsevier.com/locate/CLSR
The new EU cybersecurity framework: The NIS Directive, ENISA's role and the General Data Protection Regulation ✩

Dimitra Markopoulou a, Vagelis Papakonstantinou a,∗, Paul de Hert a,b,†
a Vrije Universiteit Brussel (LSTS), Belgium
b Tilburg University (TILT), the Netherlands
Article info
Article history: Available online xxx
Keywords: EU data protection; Cybersecurity; NIS Directive; ENISA

Abstract
The NIS Directive is the first horizontal legislation undertaken at EU level for the protection of network and information systems across the Union. During the last decades e-services, new technologies, information systems and networks have become embedded in our daily lives. It is by now common knowledge that deliberate incidents causing disruption of IT services and critical infrastructures constitute a serious threat to their operation and consequently to the functioning of the Internal Market and the Union. This paper first discusses the Directive's addressees particularly with regard to their compliance obligations as well as Member States' obligations as regards their respective national strategies and cooperation at EU level. Subsequently, the critical role of ENISA in implementing the Directive, as reinforced by the proposal for a new Regulation on ENISA (the EU Cybersecurity Act), is brought forward, before elaborating upon the, inevitable, relationship of the NIS Directive with EU's General Data Protection Regulation.

© 2019 The Authors. Published by Elsevier Ltd. This is an open access article under the CC BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/4.0/).
1. Introduction

Directive 2016/1148¹ on security of network and information systems (the NIS Directive) is the first horizontal legislation undertaken at European Union (EU) level for the protection of network and information systems across the Union. During the last decades e-services, new technologies, information systems and networks have become embedded in our daily lives. It is by now common knowledge that deliberate incidents causing disruption of IT services and critical infrastructures constitute a serious threat to their operation and

✩ This research has been funded under the European Commission's H2020 project FORTIKA – Cyber Security Accelerator for trusted SMEs IT Ecosystems, Grant Agreement 740690.
∗ Corresponding author: Vagelis Papakonstantinou, Vrije Universiteit Brussel (LSTS), Belgium.
E-mail addresses: dimitra.markopoulou@vub.be (D. Markopoulou), evangelos.papakonstantinou@vub.be (V. Papakonstantinou), paul.de.hert@vub.ac.be (P. de Hert).
† The authors wish to thank Lina Jasmontaite for useful comments and feedback.
1 Directive 2016/1148 of the European Parliament and the Council concerning measures for a high common level of security of network and information systems across the Union (the "NIS Directive").
consequently to the functioning of the Internal Market and the Union.² This risk, combined with the fact that existing counter-measures in terms of security tools and procedures are not sufficiently developed in the EU, and certainly not common in all Member States, made the need for a comprehensive approach at Union level, concerning the security of network and information systems, unquestionable. The NIS Directive aims to address this need by putting forward "the measures with a view to achieving a high common level of security of network and information systems within the Union so as to improve the functioning of the internal market".³

The NIS Directive was published in July 2016, however the EU has been addressing cybersecurity issues in a comprehensive manner since 2004, when ENISA (European Union Agency for Network and Information Security),⁴ a new specialised EU agency, was founded. The NIS Directive itself has its roots in the Commission's Communication of 2009, which focuses on prevention and awareness and defines a plan of immediate action to strengthen the security and trust in the information society.⁵ This was followed, in 2013, by a joint Communication released by the Commission and the High Representative of the Union for Foreign Affairs and Security Policy on the Cybersecurity Strategy of the European Union.⁶ From 2013 to 2015 the Commission, the Council and the Parliament discussed the draft put forward by the Commission intensely and these discussions resulted in the NIS Directive that entered into force in August 2016. The deadline for national transposition by the EU Member States was the 9th of May, 2018.⁷,⁸

The NIS Directive consists of 27 articles. Articles 1–6 set its scope and main definitions, including a further clarification regarding the identification of operators of essential services (article 5), as well as the meaning of significant disruptive effect (article 6). Articles 7–10 describe the national frameworks that need to be adopted by each Member State on the security of network and information systems. These frameworks include, among others, Member States' obligation to introduce a national strategy and to designate national competent authorities (including a single point of contact and the computer security incident response teams (CSIRTs)), as well as the creation of the Cooperation Group. The cooperation mechanism is provided in Chapter III and more specifically in articles 11–13. The articles that follow (14–18) define the security requirements and incident notification for operators of essential services and digital service providers, respectively. The adoption of standards and the process of voluntary notification are dealt with in articles 19 and 20. Finally articles 21–27 include the Directive's final provisions.

In terms of structure, this article is divided into seven chapters: the first three chapters discuss the Directive's affected parties and their obligations under its provisions, chapters four and five set Member States' obligations as regards national strategy, as well as cooperation at EU level, whereas the critical role of ENISA in implementing the Directive, as this is reinforced by the proposal for a new Regulation on ENISA (the EU Cybersecurity Act),⁹ is presented in chapter 6. Finally, the, inevitable, relationship of the Directive with EU's General Data Protection Regulation¹⁰ is established in the final chapter 7.

2 For cyber-crime statistics see Carrapico H./Farrand B. in Cyber-crime as a fragmented policy field in the context of the area of freedom, security and justice, in Ripoll Servent A./Trauner F. (Eds.), Routledge Handbook on the Area of Freedom, Security and Justice, Routledge, 2018.
3 See article 1 of the NIS Directive.
4 See https://www.ENISA.europa.eu/.
5 See Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions on Critical Information Infrastructure Protection "Protecting Europe from large-scale cyber-attacks and disruptions: enhancing preparedness, security and resilience" (COM(2009) 149).
6 Joint Communication to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions, Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace (available at http://eeas.europa.eu/archives/docs/policies/eu-cyber-security/cybsec_comm_en.pdf).
7 See article 25 of the Directive (transposition).
8 At the time of drafting this paper the majority of Member States have implemented the Directive.
2. Operators of essential services (first target of the NIS Directive)

2.1. Definition: an Annex approach

The NIS Directive affects two categories of undertakings, under an admittedly differentiated approach in terms of obligations placed upon each one of them: operators of essential services and digital service providers.¹¹ Their definitions are included in article 4 and consist of a combination of articles of this Directive¹² and its annexes, as well as Directive (EU) 2015/1535.¹³ With regard to the first category, that is operators of essential services, their definition includes a public or private entity that activates in specific sectors, such as the sector of energy, transport, banking and health,¹⁴ and which at the same time meets some essential criteria that qualify it as an entity of such type.¹⁵ Consequently, not all operators of essential services fall within the scope of the NIS Directive. Member States are tasked with the process of their categorisation and identification as such, as this is described in detail below.

In the event of sector specific Union legal acts, Member States should apply that legislation, as long as it contains requirements that are, at least, equivalent to the ones of the NIS Directive. Some examples include operators in the water transport sector,¹⁶ undertakings providing public communication networks or publicly available communications services,¹⁷ trust services providers,¹⁸ as well as the sectors of banking and financial markets.¹⁹

We saw that operators of essential services include any private or public entity that meets specific criteria and at the same time is of the types included in Annex II of the NIS Directive. All entities that fall within this definition should comply with the security and notification requirements included in the Directive. Annex II includes a list of the sectors and subsectors, as well as types of entities that are categorised as operators of essential services.²⁰ Once an entity is categorised as one of the types listed in the Annex, the next step lies with the Member States, who are responsible to carry out an identification process, in order to determine which individual companies meet the additional criteria of the definition of operators of essential services. To this end, the NIS Directive requires Member States to adopt national measures as a result of the identification process, in order to determine these entities.²¹

By 9 November 2018, Member States therefore had to identify the operators of essential services with an establishment on their territory for each sector and subsector referred to in the Annex.²² This list of identified operators of essential services shall be updated by Member States at least every two years after May 9, 2018 in order to ensure that possible changes in the market are accurately reflected. Taking into account the minimum harmonisation requirement in article 3 of the Directive, Member States can adopt legislation ensuring a higher level of security. In this regard, Member States may expand the security and notification obligations provided for operators of essential services to entities belonging to other sectors and sub-sectors than those listed in the Annex of the NIS Directive. Accordingly, several additional sectors, not mentioned in the Annex, have been brought to the table by different Member States, including among others, public administrations, the postal sector, the food sector, the chemical and nuclear industry, the environmental sector and civil protection.²³

2.2. Security requirements (art. 14 par. 1 and 2 of the NIS Directive)

Pursuant to article 14(1) of the NIS Directive, Member States are required to ensure that operators of essential services take appropriate measures, technical and organisational, to manage the risks posed to the security of the network and information systems they use. In accordance with article 14(2), appropriate measures shall prevent and minimise the impact of incidents affecting the security of their systems. The main objective should be to ensure continuity of such services. How could a common perspective by all Member States be achieved though, as far as these security requirements are concerned? It is well understood that the Directive sets the general obligation for Member States to adopt a national strategy on this subject, however the specific approach to the national transposition of article 14(1) of the Directive rests with each Member State. In order however for the national provisions on security requirements to be aligned to the greatest extent possible, the Commission encourages Member States to follow the guidance document developed by the Cooperation Group.²⁴ In this document the Cooperation Group lays down some general principles that should be taken into consideration by all Member States when adopting security measures. These measures should be effective, tailored, compatible, proportionate, concrete, verifiable and inclusive.

2.3. Notification requirements (art. 14 par. 3 and 4 of the NIS Directive)

The security requirements that need to be adopted by the operators of essential services are accompanied by another obligation, that of notifying the competent authorities of any incident that has an impact on the continuity of the (essential) services an operator provides. Pursuant to article 14(3), Member States have to ensure that operators of essential services notify "any incident having a significant impact on the continuity of the essential services". Consequently, operators of essential services should not notify any minor incidents but only serious incidents affecting the continuity of the essential service. Article 14 par. 4 provides a list of parameters that should be taken into account, when determining the significance of the impact of an incident, namely the number of users affected, the duration of the incident and the geographical spread with regard to the area affected by the incident. Again, consistency in the national approaches, as far as the notification process is concerned, is of the essence. As in the case of security requirements, the Cooperation Group has published a reference document on this issue.²⁵

9 See https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:52017PC0477&from=EN.
10 Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
11 On identifying the entities under cybersecurity obligations see also Kulesza J. in Defining Cybersecurity - Cybersecurity and Critical Infrastructure, the Actors, in Kulesza J./Balleste R. (Eds.) Cybersecurity and human rights in the age of cyberveillance, Rowman & Littlefield, 2016.
12 See article 4(2) on the definition of digital service and article 5(2) on the criteria an operator of essential services should meet.
13 Directive (EU) 2015/1535 of the European Parliament and of the Council of 9 September 2015 laying down a procedure for the provision of information in the field of technical regulations and of rules on Information Society services.
14 For the full list of sectors and sub-sectors see Annex II of the NIS Directive and Section 1(a) of this paper.
15 See article 5(2) of the NIS Directive: (a) an entity that provides […] would have significant disruptive effects on the provision of that service.
16 See recital 11 of the NIS Directive where it is clarified that Member States, when identifying operators in the water transport sector, should take into consideration international codes and guidelines developed by the Maritime Organisations, as well as article 1(7) of the Directive.
17 See Framework Directive 2002/21/EC on a common regulatory framework for electronic communications networks and services and the security requirements provided therein.
18 See Regulation 910/2014 on electronic identification and trust services for electronic transactions in the Internal market and repealing Directive 1999/93/EC and the security requirements provided therein.
19 See recital 12 of the NIS Directive: "Regulation and supervision in the sectors of banking and financial market infrastructures is highly harmonised at Union level, through the use of primary and secondary Union law and standards developed together with the European supervisory authorities. Within the banking union, the application and the supervision of those requirements are ensured by the single supervisory mechanism. For Member States that are not part of the banking union, this is ensured by the relevant banking regulators of Member States. In other areas of financial sector regulation, the European System of Financial Supervision also ensures a high degree of commonality and convergence in supervisory practices. The European Securities Markets Authority also plays a direct supervision role for certain entities, namely credit-rating agencies and trade repositories".
20 In particular the following sectors and subsectors are listed: energy (electricity, oil and gas), transport (air, rail, water and road), banking (credit institutions), financial market infrastructures (trading venues, central counterparties), health (healthcare providers, including hospitals and private clinics), water (drinking water supply and distribution), and digital infrastructure (internet exchange points, domain name system service providers, top level domain names registries).
21 See also recital 25 of the NIS Directive that reads as follows: "as a result of the identification process, Member States should adopt national measures to determine which entities are subject to obligations regarding the security of network and information systems. This result could be achieved by adopting a list enumerating all operators of essential services or by adopting national measures including objective quantifiable criteria, such as the output of the operator or the number of users, which make it possible to determine which entities are subject to obligations regarding the security of network and information systems. The national measures, whether already existing or adopted in the context of this Directive, should include all legal measures, administrative measures and policies allowing for the identification of operators of essential services under this Directive".
22 See article 5 par. 1 of the NIS Directive.
23 See Communication from the Commission to the European Parliament and the Council - Making the most of NIS – towards the effective implementation of Directive (EU) 2016/1148 concerning measures for a high common level of security of network and information systems across the Union, COM(2017) 476.
24 See Cooperation Group's Reference document on security measures for operators of essential services, https://ec.europa.eu/digital-single-market/en/nis-cooperation-group.
3. Digital service providers (second target of the NIS Directive)

3.1. Definition: a catch-all approach

Digital service providers are the second category of entities that fall under the scope of the NIS Directive. Digital service providers include any legal person that provides a digital service²⁶ and more specifically an online marketplace, an online search engine, or a cloud computing service.²⁷ Their regulation, as far as security and notification requirements are concerned, is justified due to the fact that many businesses depend on these providers for the provision of their own services. Consequently, a disruption of the digital service could have an impact on key economic and societal activities in the Union.²⁸ It should be noted that, in comparison to the operators of essential services, the NIS Directive does not require Member States to identify digital service providers, warranting thus a catch-all approach.

Three types of digital service providers fall under the scope of the NIS Directive: online market place providers, online search engine providers and cloud computing service providers. An online marketplace denotes a digital service²⁹ that allows consumers and/or traders to conclude online sales or service contracts with traders.³⁰ An online search engine is described as a digital service that allows users to perform searches of websites on the basis of a query on any subject.³¹ Finally, cloud computing service means a digital service that enables access to a scalable and elastic pool of shareable computing resources.³²

3.2. Security requirements (art. 16 par. 1 and 2 of the NIS Directive)

The Directive describes, in its article 16, the security measures that digital service providers should take in order to mitigate the risks that threaten the security of the network and information systems they use for the provision of their service. The same article regulates the incident notification process digital service providers should follow in order to comply with the provisions of the Directive.

Article 16(1) lists the elements that need to be taken into account by a digital service provider when identifying and adopting security measures for its network, that is: (a) the security of the systems and facilities, (b) incident handling, (c) business continuity management, (d) monitoring, auditing and testing and (e) compliance with international standards. The Commission, by virtue of article 16(8) of the NIS Directive,³³ issued an Implementing Regulation³⁴ that specifies further these elements.³⁵ The need for an additional legislative measure that clarifies the provisions of the NIS Directive, as far as the obligations of digital service providers are concerned, was considered essential. The reason for that is that digital service providers, contrary to operators of essential services, are free to take technical and organisational measures they consider appropriate and proportionate to manage the risk posed to the security of their systems. To this end, the guidelines and clarifications provided by the Implementing Regulation contribute so that digital service providers in the Union adopt, to the greatest extent possible, a common approach when addressing this issue.

3.3. Notification requirements (art. 16 par. 3 and 4 of the NIS Directive)

Except for the security requirements mentioned above, in order for a digital service provider to safeguard the security of its network and information system, an incident notification procedure should be followed. The obligation of digital service providers to notify any incidents with a substantial impact on the provision of their service is regulated under article 16 par. 3 and 4. In this context, Member States shall ensure that digital service providers notify the competent authority or the CSIRT (see below) of any incident with a substantial impact on the provision of their service. Article 16(4) mentions the parameters to be taken into account in order to determine whether the impact of an incident is substantial, namely (a) the number of users affected by the incident, in particular users relying on the service for the provision of their own services; (b) the duration of the incident; (c) the geographical spread with regard to the area affected by the incident; (d) the extent of the disruption of the functioning of the service; (e) the extent of the impact on economic and societal activities. These parameters are further specified in the Implementing Regulation.³⁶

25 See Reference document on Incident Notification for operators of essential services, https://ec.europa.eu/digital-single-market/en/nis-cooperation-group.
26 That is a service within the meaning of point (b) of article 1(1) of Directive (EU) 2015/1535, which is of a type listed in Annex III of the NIS Directive. Accordingly, Service means any Information Society service, that is to say, any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services. For the purposes of this definition: (i) "at a distance" means that the service is provided without the parties being simultaneously present; (ii) "by electronic means" means that the service is sent initially and received at its destination by means of electronic equipment for the processing (including digital compression) and storage of data, and entirely transmitted, conveyed and received by wire, by radio, by optical means or by other electromagnetic means; (iii) "at the individual request of a recipient of services" means that the service is provided through the transmission of data on individual request.
27 The three types of services were chosen to be regulated due to the increasing number of businesses that fundamentally rely on them for the provision of their own services.
28 See recital 48 of the NIS Directive that reads as follows: "the security, continuity and reliability of the type of digital services referred to in this Directive are of the essence for the smooth functioning of many businesses. A disruption of such a digital service could prevent the provision of other services which rely on it and could thus have an impact on key economic and societal activities in the Union. Such digital services might therefore be of crucial importance for the smooth functioning of businesses that depend on them and, moreover, for the participation of such businesses in the internal market and cross-border trade across the Union. Those digital service providers that are subject to this Directive are those that are considered to offer digital services on which many businesses in the Union increasingly rely".
29 For the definition of digital service see footnote 13 above.
30 See article 4(17) and recital 15 of the NIS Directive, as well as ENISA's Incident notification for DSPs in the context of the NIS Directive. As per article 4(17) "online marketplace" means a digital service that allows consumers and/or traders as respectively defined in point (a) and in point (b) of article 4(1) of Directive 2013/11/EU of the European Parliament and of the Council to conclude online sales or service contracts with traders either on the online marketplace's website or on a trader's website that uses computing services provided by the online marketplace.
31 See article 4(18) of the Directive and recital 16 of the NIS Directive. As per article 4(18) online search engine means a digital service that allows users to perform searches of, in principle, all websites or websites in a particular language on the basis of a query on any subject in the form of a keyword, phrase or other input, and returns links in which information related to the requested content can be found.
32 See article 4(19) and also recital 17 of the NIS Directive. As per article 4(19) cloud computing service means a digital service that enables access to a scalable and elastic pool of shareable computing resources.
33 The Commission shall adopt implementing acts in order to specify further the elements referred to in paragraph 1 and the parameters listed in paragraph 4 of this article. Those implementing acts shall be adopted in accordance with the examination procedure referred to in article 22(2) by 9 August 2017.
34 Commission Implementing Regulation (EU) 2018/151, of 30 January 2018, laying down rules for application of Directive (EU) 2016/1148 of the European Parliament and of the Council as regards further specification of the elements to be taken into account by digital service providers for managing the risks posed to the security of network and information systems and of the parameters for determining whether an incident has a substantial impact.
35 See article 2 of the Implementing Regulation.
36 See articles 3 and 4 of the Implementing Regulation.
This softer regulation of digital service providers in terms of security and notification requirements is also evident in their obligation to notify an incident only in those cases where they have access to the information needed to assess the impact of such incident.³⁷ Furthermore, in the case of digital service providers, contrary to operators of essential services, the competent authorities take action, if necessary, through ex post supervisory measures when provided with evidence by the digital service provider itself or a user or another competent authority.³⁸

4. Is the different approach towards digital service providers and operators of essential services well justified?

The Directive's lighter approach towards digital service providers, as far as the security and notification requirements are concerned, as well as their ex post supervision by the competent authorities, is evident throughout its text. In addition to the Directive's main articles, many of its recitals deal extensively with the issue. Other than recital 60 mentioned above, recital 49 points out that digital service providers should be free to take measures they consider appropriate to manage the risks posed to their systems.³⁹ In the same context, recital 57 acknowledges the differences between operators of essential services and digital service providers and suggests that Member States should not identify digital service providers and at the same time should pursue a different level of harmonisation in relation to those two groups of entities.⁴⁰

The softer approach towards digital service providers is mainly based on the different nature of the infrastructures they use as well as of the services they provide. It is not without meaning that the term "essential" distinguishes the services provided by the operators of essential services – it is even included in their definition. Moreover, the distinction "in favour" of digital service providers has an extra benefit for them, as it leaves them with more freedom to conduct business, which is considered a key factor to their successful operation. This is also the conclusion reached by ENISA, which, in its 2017 incident notifications for DSPs in the context of the NIS Directive paper, observes that "In this respect, the light-touch approach aims at avoiding overburdening the DSPs while not hampering the capacity of the EU to react to cybersecurity incidents in a swift and efficient manner".⁴¹

Should however this lighter treatment ever retreat when special conditions occur? For instance, there are cases where operators of essential services rely on digital service providers to provide their services. This would be the case for example of a hospital (operator of essential services activated in the health sector) hosting its patient records in the cloud (digital service provider that provides cloud computing services). Should these cases of digital service providers be treated differently? The NIS Directive, with the exception of some cases of national security and maintenance of law and order, strongly discourages Member States from imposing any further security and notification requirements on digital service providers.⁴² However, there are several references in the text that leave space for a different reading of the Directive. Recital 54 for instance mentions that "where public administrations in Member States use services offered by digital service providers, in particular cloud computing services, they might wish to require from the providers of such services additional security measures beyond what digital service providers would normally offer in compliance with the requirements of this Directive. They should be able to do so by means of contractual obligations". Relevant reference is made also in recital 56, "this Directive should not preclude Member States from adopting national measures requiring public-sector bodies to ensure specific security requirements when they contract cloud computing services. Any such national measures should apply to the public-sector body concerned and not to the cloud computing service provider". Both recitals depict the same concern, that is, how security obligations of digital service providers could be strengthened if special conditions apply. What the NIS Directive suggests is that, if there is a need for additional security measures, this should be implemented contractually between the parties and not by means of the Directive's provisions. At the same time any further national security measures should apply to the operators of essential services and not to digital service providers. Article 16(5) leads to the same conclusion by defining that the burden of notifying an incident to the competent authority, even in cases where the operator of essential services relies on a third-party digital service provider for the provision of the service, stays with the operators of essential services.

37 See article 16(4) of the NIS Directive.
38 See recital 60 of the NIS Directive "Digital service providers should be subject to light-touch and reactive ex post supervisory activities justified by the nature of their services and operations. The competent authority concerned should therefore only take action when provided with evidence, for example by the digital service provider itself, by another competent authority, including a competent authority of another Member State, or by a user of the service, that a digital service provider is not complying with the requirements of this Directive, in particular following the occurrence of an incident. The competent authority should therefore have no general obligation to supervise digital service providers". See also article 17 of the Directive.
39 See recital 49 of the NIS Directive "…the security requirements for digital service providers should be lighter. Digital service providers should remain free to take measures they consider appropriate to manage the risks posed to the security of their network and information systems".
40 See recital 49: "Given the fundamental differences between operators of essential services, in particular their direct link with physical infrastructure, and digital service providers, in particular their cross-border nature, this Directive should take a differentiated approach with respect to the level of harmonisation in relation to those two groups of entities. For operators of essential services, Member States should be able to identify the relevant operators and impose stricter requirements than those laid down in this Directive. Member States should not identify digital service providers, as this Directive should apply to all digital service providers within its scope".
41 See https://www.ENISA.europa.eu/publications/incident-notification-for-dsps-in-the-context-of-the-nis-directive
42 See article 16(10) "Without prejudice to article 1(6) Member States shall not impose any further security or notification requirements on digital service providers." Article 1(6) reads as follows: "This Directive is without prejudice to the actions taken by Member States to safeguard their essential state functions, in particular to safeguard national security, including actions protecting information the disclosure of which Member States consider contrary to the essential interests of their security and to maintain law and order, in particular to allow for the investigation, detection and prosecution of criminal offences".
5. National frameworks on the security of network and information systems: national strategies and national authorities (articles 7–10 of the NIS Directive)
Each Member State must adopt a national framework in order to achieve compliance with the provisions of the NIS Directive. The national framework includes the national strategy on the security of network and information systems and the designation of the authorities that shall be responsible for monitoring the implementation of the NIS Directive. As far as the first parameter is concerned, Article 7 of the Directive sets the obligation of each Member State to adopt a national strategy on the security of network and information systems in order to achieve a high level of security of such networks. This national strategy must address a list of issues, as described in article 7(1), including, among others, a risk assessment plan, a governance framework to achieve the objectives of the national strategy, the identification of measures relating to preparedness, response and recovery, etc. Member States may turn to ENISA for advice and assistance when developing their national strategies. As per article 7(3) Member States ought to communicate their national strategies to the Commission within three months from their adoption.
Articles 8, 9, 11 and 12 of the NIS Directive specify the authorities and other bodies that shall be tasked with the role of monitoring its application at national and EU level. Each Member State ought to designate one or more national competent authorities on the security of network and information systems. These shall monitor the application of the NIS Directive at national level. Each Member State shall also designate a national Single Point of Contact to liaise and ensure cross-border cooperation with other Member States. Designated competent authorities and single point of contact, as well as their tasks, should be notified to the Commission (article 8).
…established, the Competence Centre shall also contribute to better understanding cybersecurity and reducing skills gaps in the Union related to cybersecurity.43
Member States are also asked to introduce one or more computer security incident response teams (CSIRTs) (article 9). The CSIRTs' role, as per Annex I of the Directive, is to monitor incidents at national level, provide early warning, alerts and information to relevant stakeholders about risks and incidents, respond to incidents, provide dynamic risk and incident analysis and increase situational awareness, as well as to participate in a network of the CSIRTs across Europe.
The NIS Directive does not impose a structure or hierarchy for the competent authority, the single point of contact or the CSIRTs. They may form a single organisation or be separate. Therefore, a CSIRT may be established within a competent authority. CSIRTs shall be responsible for risk and incident handling. As regards the relevant mechanism, all incident notifications received by the competent authority or the CSIRTs shall be notified to the Single Point of Contact, which, in turn, shall submit annual summary reports to the Cooperation Group on the notifications received and the actions taken in accordance with the Directive.
The Directive's structure grants Member States space to design and adopt their national strategies on the security of network and information systems. The Directive sets the framework within which Member States should act as far as security and notification requirements for both operators of essential services and digital service providers are concerned. What these particular measures and requirements will be, though, rests entirely with each Member State. In view of the flexibility provided to Member States under the Directive, the first question that comes to mind is whether harmonised implementation of the Directive's provisions in different Member States is feasible.
Given that this is the first regulatory attempt at EU level for the protection of information systems and in view of the fact that the Directive aims to regulate a sector under constant reform and development, it is the authors' belief that this flexibility in implementation could prove beneficial in the long term. Allowing Member States to adapt the Directive's provisions to the needs and special characteristics of the undertakings operating within their territory could contribute to more effective assessment and implementation of the measures and requirements suggested in the Directive's text.
However, potentially diverging Member States' approaches are taken under consideration in the Directive's text. To this end a series of safeguards are introduced. More specifically, article 19 par. 1 of the Directive suggests that Member States encourage the use of European or internationally accepted standards and specifications in order to promote convergent implementation. At the same time both the Commission's Implementing Regulation,44 as well as the Cooperation Group's guidance notes,45 are aimed towards the above purpose. ENISA's role while assisting Member States in implementing the Directive is also expected to contribute to the same end.46 It remains to be seen, however, whether the above safeguards will suffice towards a harmonised implementation of the Directive within the EU.
43 See Proposal for a Regulation of the European Parliament and of the Council establishing the European Cybersecurity Industrial, Technology and Research Competence Centre and the Network of National Coordination Centres, COM(2018) 630 final.
44 See footnote 35.
45 See footnotes 25 and 26.
6. Cooperation at EU level: the Cooperation Group (article 11), the CSIRTs network (article 12) and the WannaCry case
At EU level, the Cooperation Group ("CG") established under the NIS Directive (article 11) shall be chaired by the Presidency of the Council of the European Union. It shall gather representatives of Member States, the Commission (acting as secretariat) and ENISA. Given the importance of international cooperation on cybersecurity, the Group's role is to facilitate strategic cooperation and exchange of information among Member States and help develop trust and confidence. The Cooperation Group has met seven times to date, starting from February 2017.47 The Group's tasks are described in article 11(3). Its functioning is further clarified by the Implementing Decision issued by the Commission, by virtue of article 11(5) of the Directive.48,49
Finally, article 12 establishes the creation of a network of the national CSIRTs. The CSIRTs network shall be composed of representatives of the Member States' CSIRTs and CERT-EU (the Computer Emergency Response Team for the EU institutions, agencies and bodies). Among the tasks that fall within the CSIRTs network's competencies are the exchange of information on CSIRTs' services, operations and cooperation capabilities, the exchange of information related to incidents and associated risks, identification of a coordinated response to an incident, and provision of support to Member States in addressing cross-border incidents. The Commission participates in the CSIRTs Network as an observer. ENISA provides secretariat services, actively supporting the cooperation among the CSIRTs. Two years after entry into force of the NIS Directive (by 9 August 2018), and every 18 months thereafter, the CSIRTs Network will produce a report assessing the benefits of operational cooperation, including conclusions and recommendations. The report will be sent to the Commission as a contribution to the review of the functioning of the Directive.
46 See Section 6 below: the role of ENISA in the new landscape.
47 https://ec.europa.eu/digital-single-market/en/news/nis-cooperation-group-meetings-agendas
48 Commission Implementing Decision (EU) 2017/179 of 1 February 2017 laying down procedural arrangements necessary for the functioning of the Cooperation Group pursuant to article 11(5) of the Directive (EU) 2016/1148 of the European Parliament and of the Council concerning measures for a high common level of security of network and information systems across the Union.
49 Among others, the decision mentions that the Cooperation Group operates by consensus and can set up sub-groups to examine specific questions related to its work. The group works on the basis of biennial work programmes. Its main tasks are to steer the work of the Member States in the implementation of the Directive, by providing guidance to the CSIRTs network and assisting Member States in capacity building, sharing information and best practices on key issues, such as risks, incidents and cyber awareness.
The first recorded cybersecurity incident at EU level dates back to May 2017 and refers to the WannaCry ransomware attack. The term ransomware50 has been around for decades but the WannaCry attack was the first global ransomware heist that impacted entire state hospital systems, international businesses and countries as a whole. Estimates of that time suggested that approximately 190,000 computers in over 150 countries were affected.51 This was a year in which the operational cooperation of the CSIRTs network was tested and proved its readiness and ability to cooperate during large-scale security incidents. Despite its negative impact worldwide, this incident demonstrated the severity of large-scale cross-border cyberattacks and triggered the need for international cooperation.52
7. The role of ENISA in the new landscape
ENISA is the European Union Agency for Network and Information Security. It is located in Greece (Heraklion, Crete) and has an operational office in Athens. ENISA was founded by Regulation (EC) No 460/2004,53 whereas its current regulatory framework consists of Regulation (EU) No 526/2013.54 Since 2004, ENISA has been actively contributing towards warranting a high level of network and information security within the EU. ENISA's mission is to raise "awareness of network and information security and to develop and promote a culture of network and information security in society for the benefit of citizens, consumers, enterprises and public sector organisations in the Union".55 A proposal for a new Regulation on ENISA, repealing Regulation (EU) 526/2013 and on Information and Communication Technology cybersecurity certification ("Cybersecurity Act"),56 promises to reform the Agency and enhance its capabilities and capacities, aiming at achieving cybersecurity resilience and better supporting Member States. In December 2018, the European Commission, the European Parliament and the Council of the European Union reached a political agreement on the Cybersecurity Act.57 In March 2019 the European Parliament adopted the Cybersecurity Act.58 The Council of the European Union must now approve the Act, resulting in this new EU Regulation that will enter into force 20 days after its publication in the EU Official Journal.
50 A virus infiltrates a computer device, locks down its data and would not release it until a ransom is paid.
51 See https://www.ENISA.europa.eu/publications/info-notes/wannacry-ransomware-outburst
52 See also https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/ regarding the NotPetya attack.
53 Regulation (EC) No 460/2004 of the European Parliament and of the Council of 10 March 2004 establishing the European Network and Information Security Agency (Text with EEA relevance), as amended by Regulation (EC) No 1007/2008 and amended by Regulation (EC) No 580/2011.
54 Regulation (EU) No 526/2013 of the European Parliament and of the Council of 21 May 2013 concerning the European Union Agency for Network and Information Security (ENISA) and repealing Regulation (EC) No 460/2004.
55 See article 1 of ENISA's Regulation (EU) 526/2013.
56 See footnote 10.
57 See https://ec.europa.eu/commission/news/cybersecurity-act-2018-dec-11_en
58 See https://ec.europa.eu/digital-single-market/en/news/cybersecurity-act-strengthens-europes-cybersecurity
A broad description of ENISA's contribution to network and information security includes, among others, issuing recommendations, supporting policy-making, as well as "hands-on" work, whereby ENISA collaborates directly with operational teams throughout the EU. A summary of ENISA's strategy for the years 2016–2020 has been published,59 incorporating the following priorities: (a) anticipate and support Europe in facing emerging network and information security challenges, (b) promote network and information security as an EU policy priority, (c) support Europe in maintaining state of the art NIS capacities, (d) foster the emerging European NIS Community, and (e) reinforce ENISA's impact.60 At the same time ENISA actively assists the competent authorities by appointing its representative in the Cooperation Group and by providing the secretariat in the CSIRTs network.61
As regards the NIS Directive in particular, ENISA's role in implementing its provisions is practically embedded in its text. Recital 36 states that ENISA should assist Member States and the Commission by providing expertise, whereas both Member States and the Commission should be able to consult ENISA.62 Also, recital 38 refers to ENISA's responsibility to assist the Cooperation Group and be involved in the development of guidelines.63 Finally, according to recital 69 the Commission should consult ENISA when adopting implementing acts.64 ENISA's enhanced role is also evident in several of the Directive's articles.65
In practice, and as far as digital service providers are concerned, ENISA has issued a report to assist Member States in their effort to provide a common approach regarding the minimum security measures for digital service providers.66 Objectives of the report are to define common baseline security objectives for digital service providers, to describe different levels of sophistication in the implementation of security objectives, as well as to map the security objectives against well-known industry standards, national frameworks and certification schemes.
59 See https://www.ENISA.europa.eu/publications/corporate/ENISA-strategy
60 On the role of ENISA see also Robinson N. in European Cyber Security policy, in Andreasson K. (Ed.) Cybersecurity, Public Sector Threat and Responses, Taylor & Francis Group, 2012.
61 See article 11 par. 2 and 12 par. 2 of the NIS Directive, respectively.
62 See recital 36 "ENISA should assist the Member States and the Commission by providing expertise and advice and by facilitating the exchange of best practice. In particular, in the application of this Directive, the Commission should, and Member States should be able to, consult ENISA".
63 See recital 38 "In general, ENISA should assist the Cooperation Group in the execution of its tasks… ENISA should also be involved in the development of guidelines for sector-specific criteria for determining the significance of the impact of an incident".
64 See recital 69 "When adopting implementing acts on the security requirements for digital service providers, the Commission should take the utmost account of the opinion of ENISA".
65 See for instance article 5 par. 7, article 7 par. 2, article 9 par. 5, article 12, article 19.
66 See https://www.ENISA.europa.eu/publications/minimum-security-measures-for-digital-service-providers
In addition, ENISA has published another set of guidelines to further describe the incident notification process imposed on digital service providers as per article 16 of the NIS Directive.67 Their objective, as stated in their par. 1.1, is "to develop a set of guidelines for all concerned stakeholders (EU level authorities, public, private), aimed at supporting the implementation of the NIS Directive (hereafter referred to as "the Directive" or "NISD") requirements regarding mandatory incident notification". The guidelines significantly contribute to further elaborating and clarifying notions that are included in the Directive's text, such as the "incidents" that fall within the notification obligation, the term "substantial impact" as well as the "parameters" that must be taken into account when determining the impact of an incident, as these are included in article 16(4) of the NIS Directive (number of users, duration of incident, geographical spread, extent of disruption and extent of impact on economic and societal activities).
The EU has already undertaken actions in order to enhance ENISA's role in ensuring a high level of network and information security, as well as in assisting Member States to implement an efficient national security policy for this purpose. Since its establishment in 2004, ENISA has been designated as a significant player in the cybersecurity industry. The NIS Directive further specified ENISA's powers and tasks and attributed to the Agency a key role as far as implementation of the Directive is concerned. An issue that remains unaddressed until today, however, and which hopefully will be regulated by the new Regulation on ENISA,68 is that ENISA remains the only EU agency with a fixed-term mandate. As pointed out in the Explanatory Memorandum of the Proposal for a Regulation on ENISA, this limits its ability to develop a long-term vision and support its stakeholders in a sustainable manner.
The fixed-term mandate also contrasts with the provisions of the Directive, which entrust ENISA with tasks with no end date. Under the Proposal, ENISA would be granted a permanent mandate and thus be put on a stable footing for the future.69 This reform, in combination with the EU general ICT cybersecurity certification framework,70 is considered as the preferred option in order for the EU to reach its objectives as far as its response to cybersecurity challenges is concerned.
In addition to the mandate amendment, the proposed regulation introduces some other novelties. In more detail it provides, among others, for an independent agency, that shall be named the "EU Cybersecurity Agency" and which shall operate as a centre of expertise on cybersecurity, shall assist the Union institutions, agencies and bodies, shall support capacity building and preparedness across the Union, shall promote cooperation across the Union and shall promote the use of certification by contributing to the establishment of a cybersecurity certification framework at Union level. In light of the continually evolving cyber threats and large-scale cross-border cybersecurity incidents, ENISA's new enhanced role is urgently needed.
67 See https://www.ENISA.europa.eu/publications/incident-notification-for-dsps-in-the-context-of-the-nis-directive
68 See the Proposal for a Regulation as cited in recital 51 above.
69 See the explanatory memorandum of the Proposal for a Regulation on ENISA at https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:52017PC0477&from=EN.
70 The draft Proposal also outlines a cybersecurity certification scheme and the creation of the EU cybersecurity certification group (Articles 43-54 of the Proposal).
8. The NIS Directive and the General Data Protection Regulation
The General Data Protection Regulation, which became applicable on 25 May 2018, is aimed at protecting individuals with regard to the processing of their personal data, as well as warranting the free movement of such data within the EU.71 Release of the two legal instruments, the NIS Directive and the GDPR, largely coincided, the NIS Directive being published in July 2016 and the GDPR in April of the same year. However, the two law-making processes took place independently and in parallel, without much attention being paid from one to the other. Their only interaction was noted as early as June 2013, in the form of an opinion issued by the EDPS on the NIS Directive.72
Neither the NIS Directive nor the GDPR acknowledges the other in their respective texts.73 The NIS Directive only takes passing, if not limited, interest in data protection, in its article 2 or, for example, when mentioning that it "respects the fundamental rights, and observes the principles, recognised by the Charter of Fundamental Rights of the European Union, in particular the right to respect for private life and communications, the protection of personal data, […]",74 or, by asking that competent authorities and DPAs cooperate whenever personal data are compromised in the event of incidents.75 For its part, the GDPR takes account of cybersecurity-related processing only for its own aims and purposes, for example when clarifying that "processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security constitutes a legitimate interest of the data controller concerned", also listing CERTs and CSIRTs among recipients of these clarifications.76
In the same context, that of examining the relationship between the NIS Directive and the EU data protection system, some relevance may be found between the NIS Directive and the ePrivacy legal framework.77 Notwithstanding the fact that the ePrivacy legal framework is sometimes broader than that of the GDPR, because privacy and confidentiality of communications are explicitly listed within its scope, the definition of "network and information systems" in the NIS Directive explicitly includes "electronic communications networks" in the ePrivacy context,78 thus invoking parallel application of the two legal instruments on relevant occasions. This in turn creates legal difficulties, not only because the ePrivacy EU legal framework is currently under a review that will not become final in the near future,79 but also because the relationship between the ePrivacy legal framework and the GDPR itself is at times problematic.80
71 See article 1 of the GDPR.
72 See Preamble par. 73 of the NIS Directive.
73 Admittedly, the NIS Directive does refer to the Data Protection Directive (Directive 95/46) that the GDPR replaced, in its Article 2, in however a passing, already outdated (the GDPR was already published) and mostly uninterested manner: "processing of personal data pursuant to this Directive shall be carried out in accordance with Directive 95/46/EC".
74 See Preamble, par. 75.
75 See article 15.4 and par. 63 of the Preamble.
76 See Preamble 49.
77 As set, today, by the ePrivacy Directive (Directive 2002/58/EC of
Nevertheless, lack of explicit acknowledgement does not mean that the NIS Directive and the GDPR are unrelated.81 On the contrary, as long as network and information systems are used for the processing of personal data, both legal instruments find application at the same time. It is therefore important first to identify points of interaction and then to discuss what happens in the event of conflicts.
As regards the former, points of interaction between the GDPR and the NIS Directive may occur whenever personal data are found in the systems of digital service providers and/or operators of essential services. An obvious first such point refers to the security of (personal) information. The principle of security of the personal data is one of the basic principles of the GDPR. While a relevant analysis exceeds the purposes of this paper, here it is enough to be noted that, according to the principle of integrity and confidentiality, "personal data should be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures".82 This is made concrete for controllers and processors in various provisions of the GDPR, most notably in a specialised article, article 32, but also while keeping records of their processing activities (Art. 30), while notifying data breaches (Art. 33), while preparing their impact assessments (Art. 35) or codes of conduct (Art. 40), or even when assessing the adequacy of the level of protection in a third country in international transfers (Art. 45).
The obvious question in this case is whether security measures undertaken in the context of the NIS Directive should be considered sufficient in the context of the GDPR, and vice versa. However, although this may be an expected and reasonable question on behalf of controllers and processors, or digital service providers and operators of essential services respectively, who would presumably wish to organise their compliance requirements as efficiently as possible, we consider it difficult for it to be answered in abstracto. Compliance obligations under each legal instrument are to be assessed separately, for different purposes, under different contexts, and indeed by different authorities. There is no apparent legal reason for decisions reached under one context to be considered binding under the other. Administrative fines or other enforcement measures, for the same purposes, should be considered cumulative and not mutually exclusive. Regardless of the fact that the practical network security measures may be the same for both legal instruments, we consider it essential that they be listed separately, in each compliance documentation respectively, and, in the event of a breach or incident, that they be judged independently, each on its own merits under the given circumstances and applicable legal framework.
78 See article 4.1(a) of the Directive.
79 Currently, the ePrivacy Regulation (COM 2017/10/final) is found at the trilogue EU law-making stage, most likely to be finalised in early 2019, which in turn means a period of a few years until it becomes fully effective in the EU.
80 The general idea being that the ePrivacy legal framework "complements and particularises" the GDPR, without this avoiding cases of ambiguity altogether. See also European Data Protection Board, Opinion 5/2019 on the interplay between the ePrivacy Directive and the GDPR, in particular regarding the competence, tasks and powers of data protection authorities (12 March 2019).
81 See also Kuner C / Svantesson D / Cate F / Lynskey O / Millard C in The rise of cybersecurity and its impact on data protection, editorial, International Data Privacy Law, Volume 7, Issue 2, 1 May 2017.
82 See article 5.1(f) of the GDPR.
Another point of interaction between the EU data protection and the EU cybersecurity legal systems could refer to an information systems' breach that would invite both an incident notification under the NIS Directive83 and a data breach notification under the GDPR.84 Could the two coincide, or would a provider have to duplicate its effort so as to satisfy both legal instruments separately?85 Here too the authors believe that an answer cannot be provided in abstracto, but would have to take into account the particular breach circumstances each time. In principle, however, again the two procedures should be considered unrelated and, given the different subject-matter of the GDPR and the NIS Directive respectively, providers will most likely have to notify separately, each time under the requirements of each legal act.
As regards any cases of conflict between the NIS Directive and the GDPR, while in principle any scope overlaps ought to be resolved through a lex specialis/lex generalis relationship,86 in the event of conflict, the GDPR will have to prevail. This is the result of both the GDPR implementing article 16(2) TFEU87 as well as the presumed relationship between the applicable legal instruments each time. As regards the former, Article 16(2) TFEU added the right to data protection to the list of fundamental EU rights;88 consequently, respect of the right to data protection, as particularised in the text of the GDPR, constitutes a horizontal legal obligation within the EU and if these two obligations, meaning protection of personal data and cybersecurity, ever need to be balanced, the former will have to prevail.89 This finding is further strengthened if the nature
83 See its Article 14.
84 See its Article 33.
85 On this issue see the UK ICO's guidance on "The GDPR and NIS" (https://ico.org.uk/for-organisations/the-guide-to-nis/gdpr-and-nis/) and also ENISA's "Incident notification for DSPs in the context of the NIS Directive", February 2017, p. 20.
86 Perhaps also in the spirit of article 2 of the NIS Directive.
87 See also Preamble par. (1) and (12) of the GDPR.
88 In its par. 1.
89 See in particular the Breyer decision (CJEU, Patrick Breyer v Bundesrepublik Deutschland, Case C-582/14, par. 63 and 64), whereby