
The new EU cybersecurity framework: The NIS Directive, ENISA's role and the General Data Protection Regulation

Academic year: 2021


Tilburg University

The new EU cybersecurity framework

Markopoulou, Dimitra; Papakonstantinou, Vagelis; de Hert, Paul

Published in:

Computer Law and Security Review

DOI:

10.1016/j.clsr.2019.06.007

Publication date:

2019

Document Version

Version created as part of publication process; publisher's layout; not normally made publicly available

Link to publication in Tilburg University Research Portal

Citation for published version (APA):

Markopoulou, D., Papakonstantinou, V., & de Hert, P. (2019). The new EU cybersecurity framework: The NIS Directive, ENISA's role and the General Data Protection Regulation. Computer Law and Security Review, 35(6), 1-11. [105336]. https://doi.org/10.1016/j.clsr.2019.06.007


Available online at www.sciencedirect.com

journal homepage: www.elsevier.com/locate/CLSR

The new EU cybersecurity framework: The NIS Directive, ENISA’s role and the General Data Protection Regulation

Dimitra Markopoulou (a), Vagelis Papakonstantinou (a), Paul de Hert (a,b)

a Vrije Universiteit Brussel (LSTS), Belgium
b Tilburg University (TILT), the Netherlands

Article info

Article history: Available online xxx
Keywords: EU data protection; Cybersecurity; NIS Directive; ENISA

Abstract

The NIS Directive is the first horizontal legislation undertaken at EU level for the protection of network and information systems across the Union. During the last decades e-services, new technologies, information systems and networks have become embedded in our daily lives. It is by now common knowledge that deliberate incidents causing disruption of IT services and critical infrastructures constitute a serious threat to their operation and consequently to the functioning of the Internal Market and the Union. This paper first discusses the Directive’s addressees particularly with regard to their compliance obligations as well as Member States’ obligations as regards their respective national strategies and cooperation at EU level. Subsequently, the critical role of ENISA in implementing the Directive, as reinforced by the proposal for a new Regulation on ENISA (the EU Cybersecurity Act), is brought forward, before elaborating upon the, inevitable, relationship of the NIS Directive with EU’s General Data Protection Regulation.

© 2019 The Authors. Published by Elsevier Ltd. This is an open access article under the CC BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/4.0/).

1. Introduction

Directive 2016/1148[1] on security of network and information systems (the NIS Directive) is the first horizontal legislation undertaken at European Union (EU) level for the protection of network and information systems across the Union. During the last decades e-services, new technologies, information systems and networks have become embedded in our daily lives. It is by now common knowledge that deliberate incidents causing disruption of IT services and critical infrastructures constitute a serious threat to their operation and consequently to the functioning of the Internal Market and the Union.[2] This risk, combined with the fact that existing counter-measures in terms of security tools and procedures are not sufficiently developed in the EU, and certainly not common in all Member States, made the need for a comprehensive approach at Union level, concerning the security of network and information systems, unquestionable. The NIS Directive aims to address this need by putting forward “the measures with a view to achieving a high common level of security of network and information systems within the Union so as to improve the functioning of the internal market”.[3]

The NIS Directive was published in July 2016, however the EU has been addressing cybersecurity issues in a comprehensive manner since 2004, when ENISA (European Union Agency for Network and Information Security),[4] a new specialised EU agency, was founded. The NIS Directive itself has its roots in the Commission’s Communication of 2009, which focuses on prevention and awareness and defines a plan of immediate action to strengthen the security and trust in the information society.[5] This was followed, in 2013, by a joint Communication released by the Commission and the High Representative of the Union for Foreign Affairs and Security Policy on the Cybersecurity Strategy of the European Union.[6] From 2013 to 2015 the Commission, the Council and the Parliament discussed the draft put forward by the Commission intensely and these discussions resulted in the NIS Directive that entered into force in August 2016. The deadline for national transposition by the EU Member States was the 9th of May, 2018.[7,8]

The NIS Directive consists of 27 articles. Articles 1–6 set its scope and main definitions, including a further clarification regarding the identification of operators of essential services (article 5), as well as the meaning of significant disruptive effect (article 6). Articles 7–10 describe the national frameworks that need to be adopted by each Member State on the security of network and information systems. These frameworks include, among others, Member States’ obligation to introduce a national strategy and to designate national competent authorities (including a single point of contact and the computer security incident response teams (CSIRTs)), as well as the creation of the Cooperation Group. The cooperation mechanism is provided in Chapter III and more specifically in articles 11–13. The articles that follow (14–18) define the security requirements and incident notification for operators of essential services and digital service providers, respectively. The adoption of standards and the process of voluntary notification are dealt with in articles 19 and 20. Finally articles 21–27 include the Directive’s final provisions.

In terms of structure, this article is divided into seven chapters: the first three chapters discuss the Directive’s affected parties and their obligations under its provisions, chapters four and five set Member States’ obligations as regards national strategy, as well as cooperation at EU level, whereas the critical role of ENISA in implementing the Directive, as this is reinforced by the proposal for a new Regulation on ENISA (the EU Cybersecurity Act),[9] is presented in chapter 6. Finally, the, inevitable, relationship of the Directive with EU’s General Data Protection Regulation[10] is established in the final chapter 7.

This research has been funded under the European Commission’s H2020 project FORTIKA – Cyber Security Accelerator for trusted SMEs IT Ecosystems, Grant Agreement 740690.

Corresponding author: Vagelis Papakonstantinou, Vrije Universiteit Brussel (LSTS), Belgium.

E-mail addresses: dimitra.markopoulou@vub.be (D. Markopoulou), evangelos.papakonstantinou@vub.be (V. Papakonstantinou), paul.de.hert@vub.ac.be (P. de Hert).

The authors wish to thank Lina Jasmontaite for useful comments and feedback.

[1] Directive 2016/1148 of the European Parliament and the Council concerning measures for a high common level of security of network and information systems across the Union (the “NIS Directive”).

[2] For cyber-crime statistics see Carrapico H./Farrand B. in Cyber-crime as a fragmented policy field in the context of the area of freedom, security and justice, in Ripoll Servent A./Trauner F. (Eds.), Routledge Handbook on the Area of Freedom, Security and Justice, Routledge, 2018.

[3] See article 1 of the NIS Directive.

[4] See https://www.ENISA.europa.eu/.

[5] See Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions on Critical Information Infrastructure Protection “Protecting Europe from large-scale cyber-attacks and disruptions: enhancing preparedness, security and resilience” (COM(2009) 149).

[6] Joint Communication to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions, Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace (available at http://eeas.europa.eu/archives/docs/policies/eu-cyber-security/cybsec_comm_en.pdf).

[7] See article 25 of the Directive (transposition).

[8] At the time of drafting this paper the majority of Member States have implemented the Directive.

https://doi.org/10.1016/j.clsr.2019.06.007

0267-3649/© 2019 The Authors. Published by Elsevier Ltd. This is an open access article under the CC BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/4.0/).

2. Operators of essential services (first target of the NIS Directive)

2.1. Definition: an Annex approach

The NIS Directive affects two categories of undertakings, under an admittedly differentiated approach in terms of obligations placed upon each one of them: operators of essential services and digital service providers.[11] Their definitions are included in article 4 and consist of a combination of articles of this Directive[12] and its annexes, as well as Directive (EU) 2015/1535.[13] With regard to the first category, that is operators of essential services, their definition includes a public or private entity that activates in specific sectors, such as the sector of energy, transport, banking and health,[14] and which at the same time meets some essential criteria that qualify it as an entity of such type.[15] Consequently, not all operators of essential services fall within the scope of the NIS Directive. Member States are tasked with the process of their categorisation and identification as such, as this is described in detail below.

In the event of sector specific Union legal acts, Member States should apply that legislation, as long as it contains requirements that are, at least, equivalent to the ones of the NIS Directive. Some examples include operators in the water transport sector,[16] undertakings providing public communication networks or publicly available communications services,[17] trust services providers,[18] as well as the sectors of banking and financial markets.[19]

We saw that operators of essential services include any private or public entity that meets specific criteria and at the same time is of the types included in Annex II of the NIS Directive. All entities that fall within this definition should comply with the security and notification requirements included in the Directive. Annex II includes a list of the sectors and subsectors, as well as types of entities that are categorised as operators of essential services.[20] Once an entity is categorised as one of the types listed in the Annex, the next step lies with the Member States, who are responsible to carry out an identification process, in order to determine which individual companies meet the additional criteria of the definition of operators of essential services. To this end, the NIS Directive requires Member States to adopt national measures as a result of the identification process, in order to determine these entities.[21]

By 9 November 2018, Member States therefore had to identify the operators of essential services with an establishment on their territory for each sector and subsector referred to in the Annex.[22] This list of identified operators of essential services shall be updated by Member States at least every two years after May 9, 2018 in order to ensure that possible changes in the market are accurately reflected. Taking into account the minimum harmonisation requirement in article 3 of the Directive, Member States can adopt legislation ensuring a higher level of security. In this regard, Member States may expand the security and notification obligations provided for operators of essential services to entities belonging to other sectors and sub-sectors than those listed in the Annex of the NIS Directive. Accordingly, several additional sectors, not mentioned in the Annex, have been brought to the table by different Member States, including among others, public administrations, the postal sector, the food sector, the chemical and nuclear industry, the environmental sector and civil protection.[23]

2.2. Security requirements (art. 14 par. 1 and 2 of the NIS Directive)

Pursuant to article 14(1) of the NIS Directive, Member States are required to ensure that operators of essential services take appropriate measures, technical and organisational, to manage the risks posed to the security of the network and information systems they use. In accordance with article 14(2), appropriate measures shall prevent and minimise the impact of incidents affecting the security of their systems. The main objective should be to ensure continuity of such services. How could a common perspective by all Member States be achieved though, as far as these security requirements are concerned? It is well understood that the Directive sets the general obligation for Member States to adopt a national strategy on this subject, however the specific approach to the national transposition of article 14(1) of the Directive rests with each Member State. In order however for the national provisions on security requirements to be aligned to the greatest extent possible, the Commission encourages Member States to follow the guidance document developed by the Cooperation Group.[24] In this document the Cooperation Group lays down some general principles that should be taken into consideration by all Member States when adopting security measures. These measures should be effective, tailored, compatible, proportionate, concrete, verifiable and inclusive.

2.3. Notification requirements (art. 14 par. 3 and 4 of the NIS Directive)

The security requirements that need to be adopted by the operators of essential services are accompanied by another obligation, that of notifying the competent authorities of any incident that has an impact on the continuity of the (essential) services an operator provides. Pursuant to article 14(3), Member States have to ensure that operators of essential services notify “any incident having a significant impact on the continuity of the essential services”. Consequently, operators of essential services should not notify any minor incidents but only serious incidents affecting the continuity of the essential service. Article 14 par. 4 provides a list of parameters that should be taken into account, when determining the significance of the impact of an incident, namely the number of users affected, the duration of the incident and the geographical spread with regard to the area affected by the incident. Again, consistency in the national approaches, as far as the notification process is concerned, is of the essence. As in the case of security requirements, the Cooperation Group has published a reference document on this issue.[25]

[9] See https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:52017PC0477&from=EN.

[10] Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

[11] On identifying the entities under cybersecurity obligations see also Kulesza J. in Defining Cybersecurity - Cybersecurity and Critical Infrastructure, the Actors, in Kulesza J./Balleste R. (Eds.) Cybersecurity and human rights in the age of cyberveillance, Rowman & Littlefield, 2016.

[12] See article 4(2) on the definition of digital service and article 5(2) on the criteria an operator of essential services should meet.

[13] Directive (EU) 2015/1535 of the European Parliament and of the Council of 9 September 2015 laying down a procedure for the provision of information in the field of technical regulations and of rules on Information Society services.

[14] For the full list of sectors and sub-sectors see Annex II of the NIS Directive and Section 1(a) of this paper.

[15] See article 5(2) of the NIS Directive: (a) an entity that provides … would have significant disruptive effects on the provision of that service.

[16] See recital 11 of the NIS Directive where it is clarified that Member States, when identifying operators in the water transport sector, should take into consideration international codes and guidelines developed by the Maritime Organisations, as well as article 1(7) of the Directive.

[17] See Framework Directive 2002/21/EC on a common regulatory framework for electronic communications networks and services and the security requirements provided therein.

[18] See Regulation 910/2014 on electronic identification and trust services for electronic transactions in the Internal market and repealing Directive 1999/93/EC and the security requirements provided therein.

[19] See recital 12 of the NIS Directive: “Regulation and supervision in the sectors of banking and financial market infrastructures is highly harmonised at Union level, through the use of primary and secondary Union law and standards developed together with the European supervisory authorities. Within the banking union, the application and the supervision of those requirements are ensured by the single supervisory mechanism. For Member States that are not part of the banking union, this is ensured by the relevant banking regulators of Member States. In other areas of financial sector regulation, the European System of Financial Supervision also ensures a high degree of commonality and convergence in supervisory practices. The European Securities Markets Authority also plays a direct supervision role for certain entities, namely credit-rating agencies and trade repositories”.

[20] In particular the following sectors and subsectors are listed: energy (electricity, oil and gas), transport (air, rail, water and road), banking (credit institutions), financial market infrastructures (trading venues, central counterparties), health (health care providers, including hospitals and private clinics), water (drinking water supply and distribution), and digital infrastructure (internet exchange points, domain name system service providers, top level domain names registries).

[21] See also recital 25 of the NIS Directive that reads as follows: “as a result of the identification process, Member States should adopt national measures to determine which entities are subject to obligations regarding the security of network and information systems. This result could be achieved by adopting a list enumerating all operators of essential services or by adopting national measures including objective quantifiable criteria, such as the output of the operator or the number of users, which make it possible to determine which entities are subject to obligations regarding the security of network and information systems. The national measures, whether already existing or adopted in the context of this Directive, should include all legal measures, administrative measures and policies allowing for the identification of operators of essential services under this Directive”.

[22] See article 5 par. 1 of the NIS Directive.

[23] See Communication from the Commission to the European Parliament and the Council - Making the most of NIS – towards the effective implementation of Directive (EU) 2016/1148 concerning measures for a high common level of security of network and information systems across the Union, COM(2017) 476.

[24] See Cooperation Group’s Reference document on security measures for operators of essential services, https://ec.europa.eu/digital-single-market/en/nis-cooperation-group.

3. Digital service providers (second target of the NIS Directive)

3.1. Definition: a catch-all approach

Digital service providers are the second category of entities that fall under the scope of the NIS Directive. Digital service providers include any legal person that provides a digital service[26] and more specifically an online marketplace, an online search engine, or a cloud computing service.[27] Their regulation, as far as security and notification requirements are concerned, is justified due to the fact that many businesses depend on these providers for the provision of their own services. Consequently, a disruption of the digital service could have an impact on key economic and societal activities in the Union.[28] It should be noted that, in comparison to the operators of essential services, the NIS Directive does not require Member States to identify digital service providers, warranting thus a catch-all approach.

Three types of digital service providers fall under the scope of the NIS Directive: online market place providers, online search engine providers and cloud computing service providers. An online marketplace denotes a digital service[29] that allows consumers and/or traders to conclude online services or service contracts with traders.[30] An online search engine is described as a digital service that allows users to perform searches of websites on the basis of a query on any subject.[31] Finally, cloud computing service means a digital service that enables access to a scalable and elastic pool of shareable computing resources.[32]

3.2. Security requirements (art. 16 par. 1 and 2 of the NIS Directive)

The Directive describes, in its article 16, the security measures that digital service providers should take in order to mitigate the risks that threaten the security of the network and information systems they use for the provision of their service. The same article regulates the incident notification process digital service providers should follow in order to comply with the provisions of the Directive.

Article 16(1) lists the elements that need to be taken into account by a digital service provider when identifying and adopting security measures for its network, that is: (a) the security of the systems and facilities, (b) incident handling, (c) business continuity management, (d) monitoring, auditing and testing and (e) compliance with international standards. The Commission, by virtue of article 16(8) of the NIS Directive,[33] issued an Implementing Regulation[34] that specifies further these elements.[35] The need for an additional legislative measure that clarifies the provisions of the NIS Directive, as far as the obligations of digital service providers are concerned, was considered essential. The reason for that is that digital service providers, contrary to operators of essential services, are free to take technical and organisational measures they consider appropriate and proportionate to manage the risk posed to the security of their systems. To this end, the guidelines and clarifications provided by the Implementing Regulation contribute so that digital service providers in the Union adopt, to the greatest extent possible, a common approach when addressing this issue.

3.3. Notification requirements (art. 16 par. 3 and 4 of the NIS Directive)

Except for the security requirements mentioned above, in order for a digital service provider to safeguard the security of its network and information system, an incident notification procedure should be followed. The obligation of digital service providers to notify any incidents with a substantial impact on the provision of their service is regulated under article 16 par. 3 and 4. In this context, Member States shall ensure that digital service providers notify the competent authority or the CSIRT (see below) of any incident with a substantial impact on the provision of their service. Article 16(4) mentions the parameters to be taken into account in order to determine whether the impact of an incident is substantial, namely (a) the number of users affected by the incident, in particular users relying on the service for the provision of their own services; (b) the duration of the incident; (c) the geographical spread with regard to the area affected by the incident; (d) the extent of the disruption of the functioning of the service; (e) the extent of the impact on economic and societal activities. These parameters are further specified in the Implementing Regulation.[36]

This softer regulation of digital service providers in terms of security and notification requirements is also evident in their obligation to notify an incident only in those cases where they have access to the information needed to assess the impact of such incident.[37] Furthermore, in the case of digital service providers, contrary to operators of essential services, the competent authorities take action, if necessary, through ex post supervisory measures when provided with evidence by the digital service provider itself or a user or another competent authority.[38]

[25] See Reference document on Incident Notification for operators of essential services, https://ec.europa.eu/digital-single-market/en/nis-cooperation-group.

[26] That is a service within the meaning of point (b) of article 1(1) of Directive (EU) 2015/1535, which is of a type listed in Annex III of the NIS Directive. Accordingly, Service means any Information Society service, that is to say, any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services. For the purposes of this definition: (i) “at a distance” means that the service is provided without the parties being simultaneously present; (ii) “by electronic means” means that the service is sent initially and received at its destination by means of electronic equipment for the processing (including digital compression) and storage of data, and entirely transmitted, conveyed and received by wire, by radio, by optical means or by other electromagnetic means; (iii) “at the individual request of a recipient of services” means that the service is provided through the transmission of data on individual request.

[27] The three types of services were chosen to be regulated due to the increasing number of businesses that fundamentally rely on them for the provision of their own services.

[28] See recital 48 of the NIS Directive that reads as follows: “the security, continuity and reliability of the type of digital services referred to in this Directive are of the essence for the smooth functioning of many businesses. A disruption of such a digital service could prevent the provision of other services which rely on it and could thus have an impact on key economic and societal activities in the Union. Such digital services might therefore be of crucial importance for the smooth functioning of businesses that depend on them and, moreover, for the participation of such businesses in the internal market and cross-border trade across the Union. Those digital service providers that are subject to this Directive are those that are considered to offer digital services on which many businesses in the Union increasingly rely”.

[29] For the definition of digital service see footnote 13 above.

[30] See article 4(17) and recital 15 of the NIS Directive, as well as ENISA’s Incident notification for DSPs in the context of the NIS Directive. As per article 4(17) “online marketplace” means a digital service that allows consumers and/or traders as respectively defined in point (a) and in point (b) of article 4(1) of Directive 2013/11/EU of the European Parliament and of the Council to conclude online sales or service contracts with traders either on the online marketplace’s website or on a trader’s website that uses computing services provided by the online marketplace.

[31] See article 4(18) of the Directive and recital 16 of the NIS Directive. As per article 4(18) online search engine means a digital service that allows users to perform searches of, in principle, all websites or websites in a particular language on the basis of a query on any subject in the form of a keyword, phrase or other input, and returns links in which information related to the requested content can be found.

[32] See article 4(19) and also recital 17 of the NIS Directive. As per article 4(19) cloud computing service means a digital service that enables access to a scalable and elastic pool of shareable computing resources.

[33] The Commission shall adopt implementing acts in order to specify further the elements referred to in paragraph 1 and the parameters listed in paragraph 4 of this article. Those implementing acts shall be adopted in accordance with the examination procedure referred to in article 22(2) by 9 August 2017.

[34] Commission Implementing Regulation (EU) 2018/151, of 30 January 2018, laying down rules for application of Directive (EU) 2016/1148 of the European Parliament and of the Council as regards further specification of the elements to be taken into account by digital service providers for managing the risks posed to the security of network and information systems and of the parameters for determining whether an incident has a substantial impact.

[35] See article 2 of the Implementing Regulation.

[36] See articles 3 and 4 of the Implementing Regulation.

4. Is the different approach towards digital service providers and operators of essential services well justified?

The Directive’s lighter approach towards digital service providers, as far as the security and notification requirements are concerned, as well as their ex post supervision by the competent authorities, is evident throughout its text. In addition to the Directive’s main articles, many of its recitals deal extensively with the issue. Other than recital 60 mentioned above, recital 49 points out that digital service providers should be free to take measures they consider appropriate to manage the risks posed to their systems.[39] In the same context, recital 57 acknowledges the differences between operators of essential services and digital service providers and suggests that Member States should not identify digital service providers and at the same time should pursue a different level of harmonisation in relation to those two groups of entities.[40]

The softer approach towards digital service providers is mainly based on the different nature of the infrastructures they use as well as of the services they provide. It is not without meaning that the term “essential” distinguishes the services provided by the operators of essential services – it is even included in their definition. Moreover, the distinction “in favour” of digital service providers has an extra benefit for them, as it leaves them with more freedom to conduct business, which is considered a key factor to their successful operation. This is also the conclusion reached by ENISA, which, in its 2017 incident notifications for DSPs in the context of the NIS Directive paper, observes that “In this respect, the light-touch approach aims at avoiding overburdening the DSPs while not hampering the capacity of the EU to react to cybersecurity incidents in a swift and efficient manner”.[41]

Should however this lighter treatment ever retreat when special conditions occur? For instance, there are cases where operators of essential services rely on digital service providers to provide their services. This would be the case for example of a hospital (operator of essential services activated in the health sector) hosting its patient records in the cloud (digital service provider that provides cloud computing services). Should these cases of digital service providers be treated differently? The NIS Directive, with the exception of some cases of national security and maintenance of law and order, strongly discourages Member States from imposing any further security and notification requirements on digital service providers.[42] However, there are several references in the text that leave space for a different reading of the Directive. Recital 54 for instance mentions that “where public administrations in Member States use services offered by digital service providers, in particular cloud computing services, they might wish to require from the providers of such services additional security measures beyond what digital service providers would normally offer in compliance with the requirements of this Directive. They should be able to do so by means of contractual obligations”. Relevant reference is made also in recital 56, “this Directive should not preclude Member States from adopting national measures requiring public-sector bodies to ensure specific security requirements when they contract cloud computing services. Any such national measures should apply to the public-sector body concerned and not to the cloud computing service provider”. Both recitals depict the same concern, that is, how security obligations of digital service providers could be strengthened if special conditions apply. What the NIS Directive suggests is that, if there is a need for additional security measures, this should be implemented contractually between the parties and not by means of the Directive’s provisions. At the same time any further national security measures should apply to the operators of essential services and not to digital service providers. Article 16(5) leads to the same conclusion by defining that the burden of notifying an incident to the competent authority, even in cases where the operator of essential services relies on a third party digital service provider for the provision of the service, stays with the operators of essential services.

[37] See article 16(4) of the NIS Directive.

[38] See recital 60 of the NIS Directive: “Digital service providers should be subject to light-touch and reactive ex post supervisory activities justified by the nature of their services and operations. The competent authority concerned should therefore only take action when provided with evidence, for example by the digital service provider itself, by another competent authority, including a competent authority of another Member State, or by a user of the service, that a digital service provider is not complying with the requirements of this Directive, in particular following the occurrence of an incident. The competent authority should therefore have no general obligation to supervise digital service providers”. See also article 17 of the Directive.

[39] See recital 49 of the NIS Directive: “…the security requirements for digital service providers should be lighter. Digital service providers should remain free to take measures they consider appropriate to manage the risks posed to the security of their network and information systems”.

[40] See recital 49: “Given the fundamental differences between operators of essential services, in particular their direct link with physical infrastructure, and digital service providers, in particular their cross-border nature, this Directive should take a differentiated approach with respect to the level of harmonisation in relation to those two groups of entities. For operators of essential services, Member States should be able to identify the relevant operators and impose stricter requirements than those laid down in this Directive. Member States should not identify digital service providers, as this Directive should apply to all digital service providers within its scope”.

[41] See https://www.ENISA.europa.eu/publications/incident-notification-for-dsps-in-the-context-of-the-nis-directive

[42] See article 16(10): “Without prejudice to article 1(6) Member States shall not impose any further security or notification requirements on digital service providers.” Article 1(6) reads as follows: “This Directive is without prejudice to the actions taken by Member States to safeguard their essential state functions, in particular to safeguard national security, including actions protecting information the disclosure of which Member States consider contrary to the essential interests of their security and to maintain law and order, in particular to allow for the investigation, detection and prosecution of criminal offences”.

5. National frameworks on the security of network and information systems: national strategies and national authorities (articles 7–10 of the NIS Directive)

Each Member State must adopt a national framework in order to achieve compliance with the provisions of the NIS Directive. The national framework includes the national strategy on the security of network and information systems and the designation of the authorities that shall be responsible for monitoring the implementation of the NIS Directive. As far as the first parameter is concerned, Article 7 of the Directive sets the obligation of each Member State to adopt a national strategy on the security of network and information systems in order to achieve a high level of security of such networks. This national strategy must address a list of issues, as described in article 7(1), including, among others, a risk assessment plan, a governance framework to achieve the objectives of the national strategy, the identification of measures relating to preparedness, response and recovery, etc. Member States may turn to ENISA for advice and assistance when developing their national strategies. As per article 7(3), Member States ought to communicate their national strategies to the Commission within three months from their adoption.

Articles 8, 9, 11 and 12 of the NIS Directive specify the authorities and other bodies that shall be tasked with the role of monitoring its application at national and EU level. Each Member State ought to designate one or more national competent authorities on the security of network and information systems. These shall monitor the application of the NIS Directive at national level. Each Member State shall also designate a national Single Point of Contact to liaise and ensure cross-border cooperation with other Member States. Designated competent authorities and single points of contact, as well as their tasks, should be notified to the Commission (article 8).

...established, the Competence Centre shall also contribute to better understanding cybersecurity and reducing skills gaps in the Union related to cybersecurity.[43]

Member States are also asked to introduce one or more computer security incident response teams (CSIRTs) (article 9). The CSIRTs' role, as per Annex I of the Directive, is to monitor incidents at national level, provide early warning, alerts and information to relevant stakeholders about risks and incidents, respond to incidents, provide dynamic risk and incident analysis and increase situational awareness, as well as to participate in a network of the CSIRTs across Europe.

The NIS Directive does not impose a structure or hierarchy for the competent authority, the single point of contact or the CSIRTs. They may form a single organisation or be separate. Therefore, a CSIRT may be established within a competent authority. CSIRTs shall be responsible for risk and incident handling. As regards the relevant mechanism, all incident notifications received by the competent authority or the CSIRTs shall be notified to the Single Point of Contact, which, in turn, shall submit annual summary reports to the Cooperation Group on the notifications received and the actions taken in accordance with the Directive.

The Directive's structure grants Member States space to design and adopt their national strategies on the security of network and information systems. The Directive sets the framework within which Member States should act as far as security and notification requirements for both operators of essential services and digital service providers are concerned. What these particular measures and requirements will be, though, rests entirely with each Member State. In view of the flexibility provided to Member States under the Directive, the first question that comes to mind is whether harmonised implementation of the Directive's provisions in different Member States is feasible.

Given that this is the first regulatory attempt at EU level for the protection of information systems and in view of the fact that the Directive aims to regulate a sector under constant reform and development, it is the authors' belief that this flexibility in implementation could prove beneficial in the long term. Allowing Member States to adapt the Directive's provisions to the needs and special characteristics of the undertakings operating within their territory could contribute to more effective assessment and implementation of the measures and requirements suggested in the Directive's text.

However, potentially diverging Member States' approaches are taken into consideration in the Directive's text. To this end, a series of safeguards is introduced. More specifically, article 19 par. 1 of the Directive suggests that Member States encourage the use of European or internationally accepted standards and specifications in order to promote convergent implementation. At the same time, both the Commission's Implementing Regulation,[44] as well as the Cooperation Group's guidance notes,[45] are aimed towards the above purpose. ENISA's role, while assisting Member States in implementing the Directive, is also expected to contribute to the same end.[46] It remains to be seen, however, whether the above safeguards will suffice towards a harmonised implementation of the Directive within the EU.

[43] See Proposal for a Regulation of the European Parliament and of the Council establishing the European Cybersecurity Industrial, Technology and Research Competence Centre and the Network of National Coordination Centres, COM(2018) 630 final.

[44] See footnote 35.

[45] See footnotes 25 and 26.

6. Cooperation at EU level: the Cooperation Group (article 11), the CSIRTs network (article 12) and the WannaCry case

At EU level, the Cooperation Group ("CG") established under the NIS Directive (article 11) shall be chaired by the Presidency of the Council of the European Union. It shall gather representatives of Member States, the Commission (acting as secretariat) and ENISA. Given the importance of international cooperation on cybersecurity, the Group's role is to facilitate strategic cooperation and exchange of information among Member States and help develop trust and confidence. The Cooperation Group has met seven times to date, starting from February 2017.[47] The Group's tasks are described in article 11(3). Its functioning is further clarified by the Implementing Decision issued by the Commission, by virtue of article 11(5) of the Directive.[48][49]

Finally, article 12 establishes the creation of a network of the national CSIRTs. The CSIRTs network shall be composed of representatives of the Member States' CSIRTs and CERT-EU (the Computer Emergency Response Team for the EU institutions, agencies and bodies). Among the tasks that fall within the CSIRTs network's competencies are the exchange of information on CSIRTs' services, operations and cooperation capabilities, the exchange of information related to incidents and associated risks, identification of a coordinated response to an incident, and provision of support to Member States in addressing cross-border incidents. The Commission participates in the CSIRTs Network as an observer. ENISA provides secretariat services, actively supporting the cooperation among the CSIRTs. Two years after entry into force of the NIS Directive (by 9 August 2018), and every 18 months thereafter, the CSIRTs Network will produce a report assessing the benefits of operational cooperation, including conclusions and recommendations. The report will be sent to the Commission as a contribution to the review of the functioning of the Directive.

[46] See Section 7 below: the role of ENISA in the new landscape.

[47] https://ec.europa.eu/digital-single-market/en/news/nis-cooperation-group-meetings-agendas

[48] Commission Implementing Decision (EU) 2017/179 of 1 February 2017 laying down procedural arrangements necessary for the functioning of the Cooperation Group pursuant to article 11(5) of Directive (EU) 2016/1148 of the European Parliament and of the Council concerning measures for a high common level of security of network and information systems across the Union.

[49] Among others, the Decision mentions that the Cooperation Group operates by consensus and can set up sub-groups to examine specific questions related to its work. The Group works on the basis of biennial work programmes. Its main tasks are to steer the work of the Member States in the implementation of the Directive, by providing guidance to the CSIRTs network and assisting Member States in capacity building, sharing information and best practices on key issues, such as risks, incidents and cyber awareness.

The first recorded cybersecurity incident at EU level dates back to May 2017 and refers to the WannaCry ransomware attack. The term ransomware[50] has been around for decades, but the WannaCry attack was the first global ransomware heist that impacted entire state hospital systems, international businesses and countries as a whole. Estimates at the time suggested that approximately 190,000 computers in over 150 countries were affected.[51] This was a year in which the operational cooperation of the CSIRTs network was tested and proved its readiness and ability to cooperate during large-scale security incidents. Despite its negative impact worldwide, this incident demonstrated the severity of large-scale cross-border cyberattacks and triggered the need for international cooperation.[52]

7. The role of ENISA in the new landscape

ENISA is the European Union Agency for Network and Information Security. It is located in Greece (Heraklion, Crete) and has an operational office in Athens. ENISA was founded by Regulation (EC) No 460/2004,[53] whereas its current regulatory framework consists of Regulation (EU) No 526/2013.[54] Since 2004, ENISA has been actively contributing towards warranting a high level of network and information security within the EU. ENISA's mission is to raise "awareness of network and information security and to develop and promote a culture of network and information security in society for the benefit of citizens, consumers, enterprises and public sector organisations in the Union".[55] A proposal for a new Regulation on ENISA, repealing Regulation (EU) 526/2013, and on Information and Communication Technology cybersecurity certification ("Cybersecurity Act"),[56] promises to reform the Agency and enhance its capabilities and capacities, aiming at achieving cybersecurity resilience and better supporting Member States. In December 2018, the European Commission, the European Parliament and the Council of the European Union reached a political agreement on the Cybersecurity Act.[57] In March 2019 the European Parliament adopted the Cybersecurity Act.[58] The Council of the European Union must now approve the Act, resulting in this new EU Regulation that will enter into force 20 days after its publication in the EU Official Journal.

[50] Malicious software infiltrates a computer device, renders its data inaccessible (typically by encrypting it) and will not release it until a ransom is paid.

[51] See https://www.ENISA.europa.eu/publications/info-notes/wannacry-ransomware-outburst

[52] See also https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/ regarding the NotPetya attack.

[53] Regulation (EC) No 460/2004 of the European Parliament and of the Council of 10 March 2004 establishing the European Network and Information Security Agency (Text with EEA relevance), as amended by Regulation (EC) No 1007/2008 and by Regulation (EC) No 580/2011.

[54] Regulation (EU) No 526/2013 of the European Parliament and of the Council of 21 May 2013 concerning the European Union Agency for Network and Information Security (ENISA) and repealing Regulation (EC) No 460/2004.

[55] See article 1 of ENISA's Regulation (EU) 526/2013.

[56] See footnote 10.

[57] See https://ec.europa.eu/commission/news/cybersecurity-act-2018-dec-11_en

[58] See https://ec.europa.eu/digital-single-market/en/news/cybersecurity-act-strengthens-europes-cybersecurity

A broad description of ENISA's contribution to network and information security includes, among others, issuing recommendations, supporting policy-making, as well as "hands-on" work, whereby ENISA collaborates directly with operational teams throughout the EU. A summary of ENISA's strategy for the years 2016–2020 has been published,[59] incorporating the following priorities: (a) anticipate and support Europe in facing emerging network and information security challenges, (b) promote network and information security as an EU policy priority, (c) support Europe in maintaining state-of-the-art NIS capacities, (d) foster the emerging European NIS community, and (e) reinforce ENISA's impact.[60] At the same time, ENISA actively assists the competent authorities by appointing its representative in the Cooperation Group and by providing the secretariat in the CSIRTs network.[61]

As regards the NIS Directive in particular, ENISA's role in implementing its provisions is practically embedded in its text. Recital 36 states that ENISA should assist Member States and the Commission by providing expertise, whereas both Member States and the Commission should be able to consult ENISA.[62] Also, recital 38 refers to ENISA's responsibility to assist the Cooperation Group and be involved in the development of guidelines.[63] Finally, according to recital 69, the Commission should consult ENISA when adopting implementing acts.[64] ENISA's enhanced role is also evident in several of the Directive's articles.[65]

In practice, and as far as digital service providers are concerned, ENISA has issued a report to assist Member States in their effort to provide a common approach regarding the minimum security measures for digital service providers.[66] Objectives of the report are to define common baseline security objectives for digital service providers, to describe different levels of sophistication in the implementation of security objectives, as well as to map the security objectives against well-known industry standards, national frameworks and certification schemes.

[59] See https://www.ENISA.europa.eu/publications/corporate/ENISA-strategy

[60] On the role of ENISA see also Robinson N., European Cyber Security Policy, in Andreasson K. (Ed.), Cybersecurity: Public Sector Threats and Responses, Taylor & Francis Group, 2012.

[61] See article 11 par. 2 and article 12 par. 2 of the NIS Directive, respectively.

[62] See recital 36: "ENISA should assist the Member States and the Commission by providing expertise and advice and by facilitating the exchange of best practice. In particular, in the application of this Directive, the Commission should, and Member States should be able to, consult ENISA."

[63] See recital 38: "In general, ENISA should assist the Cooperation Group in the execution of its tasks… ENISA should also be involved in the development of guidelines for sector-specific criteria for determining the significance of the impact of an incident".

[64] See recital 69: "When adopting implementing acts on the security requirements for digital service providers, the Commission should take the utmost account of the opinion of ENISA".

[65] See for instance article 5 par. 7, article 7 par. 2, article 9 par. 5, article 12, article 19.

[66] See https://www.ENISA.europa.eu/publications/minimum-security-measures-for-digital-service-providers

In addition, ENISA has published another set of guidelines to further describe the incident notification process imposed on digital service providers as per article 16 of the NIS Directive.[67] Their objective, as stated in their par. 1.1, is "to develop a set of guidelines for all concerned stakeholders (EU level authorities, public, private), aimed at supporting the implementation of the NIS Directive (hereafter referred to as "the Directive" or "NISD") requirements regarding mandatory incident notification". The guidelines significantly contribute to further elaborating and clarifying notions that are included in the Directive's text, such as the "incidents" that fall within the notification obligation, the term "substantial impact", as well as the "parameters" that must be taken into account when determining the impact of an incident, as these are included in article 16(4) of the NIS Directive (number of users, duration of incident, geographical spread, extent of disruption and extent of impact on economic and societal activities).

The EU has already undertaken actions in order to enhance ENISA's role in ensuring a high level of network and information security, as well as in assisting Member States to implement an efficient national security policy for this purpose. Since its establishment in 2004, ENISA has been designated as a significant player in the cybersecurity industry. The NIS Directive further specified ENISA's powers and tasks and attributed to the Agency a key role as far as implementation of the Directive is concerned. An issue that remains unaddressed until today, however, and which hopefully will be regulated by the new Regulation on ENISA,[68] is that ENISA remains the only EU agency with a fixed-term mandate. As pointed out in the Explanatory Memorandum of the Proposal for a Regulation on ENISA, this limits its ability to develop a long-term vision and support its stakeholders in a sustainable manner.

The fixed-term mandate also contrasts with the provisions of the Directive, which entrust ENISA with tasks with no end date. Under the Proposal, ENISA would be granted a permanent mandate and thus be put on a stable footing for the future.[69] This reform, in combination with the EU general ICT cybersecurity certification framework,[70] is considered as the preferred option in order for the EU to reach its objectives as far as its response to cybersecurity challenges is concerned.

In addition to the mandate amendment, the proposed Regulation introduces some other novelties. In more detail, it provides, among others, for an independent agency, that shall be named the "EU Cybersecurity Agency" and which shall operate as a centre of expertise on cybersecurity, shall assist the Union institutions, agencies and bodies, shall support capacity building and preparedness across the Union, shall promote cooperation across the Union and shall promote the use of certification by contributing to the establishment of a cybersecurity certification framework at Union level. In light of the continually evolving cyber threats and large-scale cross-border cybersecurity incidents, ENISA's new, enhanced role is urgently needed.

[67] See https://www.ENISA.europa.eu/publications/incident-notification-for-dsps-in-the-context-of-the-nis-directive

[68] See the Proposal for a Regulation as cited in footnote 51 above.

[69] See the Explanatory Memorandum of the Proposal for a Regulation on ENISA at https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:52017PC0477&from=EN.

[70] The draft Proposal also outlines a cybersecurity certification scheme and the creation of the EU cybersecurity certification group (Articles 43–54 of the Proposal).

8. The NIS Directive and the General Data Protection Regulation

The General Data Protection Regulation, which became applicable on 25 May 2018, is aimed at protecting individuals with regard to the processing of their personal data, as well as warranting the free movement of such data within the EU.[71] Release of the two legal instruments, the NIS Directive and the GDPR, largely coincided, the NIS Directive being published in July 2016 and the GDPR in April of the same year. However, the two law-making processes took place independently and in parallel, without much attention being paid from one to the other. Their only interaction was noted as early as June 2013, in the form of an opinion issued by the EDPS on the NIS Directive.[72]

Neither the NIS Directive nor the GDPR acknowledges the other in their respective texts.[73] The NIS Directive only takes passing, if not limited, interest in data protection, in its article 2 or, for example, when mentioning that it "respects the fundamental rights, and observes the principles, recognised by the Charter of Fundamental Rights of the European Union, in particular the right to respect for private life and communications, the protection of personal data, […]",[74] or by asking that competent authorities and DPAs cooperate whenever personal data are compromised in the event of incidents.[75] For its part, the GDPR takes account of cybersecurity-related processing only for its own aims and purposes, for example when clarifying that "processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security constitutes a legitimate interest of the data controller concerned", also listing CERTs and CSIRTs among recipients of these clarifications.[76]

In the same context, that of examining the relationship between the NIS Directive and the EU data protection system, some relevance may be found between the NIS Directive and the ePrivacy legal framework.[77] Notwithstanding the fact that the ePrivacy legal framework is sometimes broader than that of the GDPR, because privacy and confidentiality of communications are explicitly listed within its scope, the definition of "network and information systems" in the NIS Directive explicitly includes "electronic communications networks" in the ePrivacy context,[78] thus invoking parallel application of the two legal instruments on relevant occasions. This in turn creates legal difficulties, not only because the ePrivacy EU legal framework is currently under a review that will not become final in the near future,[79] but also because the relationship between the ePrivacy legal framework and the GDPR itself is at times problematic.[80]

[71] See article 1 of the GDPR.

[72] See Preamble par. 73 of the NIS Directive.

[73] Admittedly, the NIS Directive does refer to the Data Protection Directive (Directive 95/46) that the GDPR replaced, in its Article 2, in however a passing, already outdated (the GDPR was already published) and mostly uninterested manner: "processing of personal data pursuant to this Directive shall be carried out in accordance with Directive 95/46/EC".

[74] See Preamble, par. 75.

[75] See article 15.4 and par. 63 of the Preamble.

[76] See Preamble 49.

[77] As set, today, by the ePrivacy Directive (Directive 2002/58/EC of

Nevertheless, lack of explicit acknowledgement does not mean that the NIS Directive and the GDPR are unrelated.[81] On the contrary, as long as network and information systems are used for the processing of personal data, both legal instruments find application at the same time. It is therefore important first to identify points of interaction and then to discuss what happens in the event of conflicts.

As regards the former, points of interaction between the GDPR and the NIS Directive may occur whenever personal data are found in the systems of digital service providers and/or operators of essential services. An obvious first such point refers to the security of (personal) information. The principle of security of the personal data is one of the basic principles of the GDPR. While a relevant analysis exceeds the purposes of this paper, here it is enough to be noted that, according to the principle of integrity and confidentiality, "personal data should be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures".[82] This is made concrete for controllers and processors in various provisions of the GDPR, most notably in a specialised article, article 32, but also while keeping records of their processing activities (Art. 30), while notifying data breaches (Art. 33), while preparing their impact assessments (Art. 35) or codes of conduct (Art. 40), or even when assessing the adequacy of the level of protection in a third country in international transfers (Art. 45).

The obvious question in this case is whether security measures undertaken in the context of the NIS Directive should be considered sufficient in the context of the GDPR, and vice versa. However, although this may be an expected and reasonable question on behalf of controllers and processors, or digital service providers and operators of essential services respectively, who would presumably wish to organise their compliance requirements as efficiently as possible, we consider it difficult for it to be answered in abstracto. Compliance obligations under each legal instrument are to be assessed separately, for different purposes, under different contexts, and indeed by different authorities. There is no apparent legal reason for decisions reached under one context to be considered binding under the other. Administrative fines or other enforcement measures, for the same purposes, should be considered cumulative and not mutually exclusive. Regardless of the fact that the practical network security measures may be the same for both legal instruments, we consider it essential that they be listed separately, in each compliance documentation respectively, and, in the event of a breach or incident, that they be judged independently, each on its own merits under the given circumstances and applicable legal framework.

[78] See article 4.1(a) of the Directive.

[79] Currently, the ePrivacy Regulation (COM 2017/10/final) is found at the trilogue EU law-making stage, most likely to be finalised in early 2019, which in turn means a period of a few years until it becomes fully effective in the EU.

[80] The general idea being that the ePrivacy legal framework "complements and particularises" the GDPR, without this avoiding cases of ambiguity altogether. See also European Data Protection Board, Opinion 5/2019 on the interplay between the ePrivacy Directive and the GDPR, in particular regarding the competence, tasks and powers of data protection authorities (12 March 2019).

[81] See also Kuner C / Svantesson D / Cate F / Lynskey O / Millard C, The rise of cybersecurity and its impact on data protection, editorial, International Data Privacy Law, Volume 7, Issue 2, 1 May 2017.

[82] See article 5.1(f) of the GDPR.

Another point of interaction between the EU data protection and the EU cybersecurity legal systems could refer to an information systems' breach that would invite both an incident notification under the NIS Directive[83] and a data breach notification under the GDPR.[84] Could the two coincide, or would a provider have to duplicate its effort so as to satisfy both legal instruments separately?[85] Here too the authors believe that an answer cannot be provided in abstracto, but would have to take into account the particular breach circumstances each time. In principle, however, again the two procedures should be considered unrelated and, given the different subject-matter of the GDPR and the NIS Directive respectively, providers will most likely have to notify separately, each time under the requirements of each legal act.

As regards any cases of conflict between the NIS Directive and the GDPR, while in principle any scope overlaps ought to be resolved through a lex specialis/lex generalis relationship,[86] in the event of conflict the GDPR will have to prevail. This is the result of both the GDPR implementing article 16(2) TFEU[87] as well as the presumed relationship between the applicable legal instruments each time. As regards the former, Article 16(2) TFEU added the right to data protection to the list of fundamental EU rights;[88] consequently, respect of the right to data protection, as particularised in the text of the GDPR, constitutes a horizontal legal obligation within the EU and, if these two obligations, meaning protection of personal data and cybersecurity, ever need to be balanced, the former will have to prevail.[89] This finding is further strengthened if the nature

[83] See its Article 14.

[84] See its Article 33.

[85] On this issue see the UK ICO's guidance on "The GDPR and NIS" (https://ico.org.uk/for-organisations/the-guide-to-nis/gdpr-and-nis/) and also ENISA's "Incident notification for DSPs in the context of the NIS Directive", February 2017, p. 20.

[86] Perhaps also in the spirit of article 2 of the NIS Directive.

[87] See also Preamble par. (1) and (12) of the GDPR.

[88] In its par. 1.

[89] See in particular the Breyer decision (CJEU, Patrick Breyer v Bundesrepublik Deutschland, Case C-582/14, par. 63 and 64), whereby
