New cybersecurity obligations for operators of essential services and digital service providers

Nowadays, all organizations are digital by default. Not saying that all organizations deliver its products and/or services through digital channels, but almost all operate with the cultures, technology and processes of the internet era. No wonder that the World Economic Forum now rates a large-scale cyberattack and a massive incident of data fraud/theft as two of the ten most serious risks facing the world today (“Global Risks Report 2017”, World Economic Forum, 11 January 2017). The magnitude, frequency and impact of security incidents are increasing, and represent a major threat to the functioning of network and information systems. By some estimates cybercrime damages will cost the world up to US$ 6 trillion in 2021 annually (“Cybercrime Report 2017 Edition”, Cybersecurity Ventures, 19 October 2017).

In this digital framework, the European lawmakers found it crucial to develop common security requirements for certain businesses in order to respond effectively to challenges of the security of network and information systems.

The NIS Directive focusses on operators of essential services and digital service providers

On 6 July 2016 a piece of EU-wide legislation on cybersecurity was born. In general it provides legal measures to boost the overall level of cybersecurity in the EU. The Directive on security of network and information systems (also referred to as the NIS Directive) focusses on two main groups of service operators/providers:

1. operators of essential services; and
2. digital service providers.

The network and information systems of those two groups play a vital role in society. Their reliability and security are essential for the maintenance of critical economical and societal activities.

The companies envisaged in the group of the operators of essential services are active in the energy sector (among others: electricity, oil and gas undertakings; distribution and transmission system operators), the transport sector (among others: air carriers, airport managing bodies, traffic management control operators, railway undertakings, road authorities and operators of intelligent transport systems), the banking sector (among others: credit institutions), the financial market infrastructure sector (among others: operators of trading venues and central counterparties), the health sector (among others: health providers), the drinking water supply and distribution sector (among others: suppliers and distributors of water intended for human consumption) and the digital infrastructure sector (among others: IXPs, DNS service providers and TLD name registries).

The companies envisaged in the group of the digital service providers are companies that provide digital services relating to online marketplace, online search engine or cloud computing.

The NIS Directive introduces security requirements and incident notification

While we await on the actual implementation of the NIS Directive by the Belgian government, we understand from the NIS Directive that operators of essential services and digital service providers will have to fulfill three main requirements:

1. identify and take appropriate and proportionate technical and organizational measures to manage risks posed to the security network and information systems which they use in their operations;

2. take measures to prevent and minimise the impact of incidents affecting the security of the network and information systems used for the provision of such essential services, with a view to ensuring the continuity of those services; and

3. notify the competent authority.

Documented security policies in order to be protected against enforcement

According to the NIS directive, the designated Belgian authority will have the power and means to require operators of essential services and digital service providers to:

-provide the information necessary to assess the security of their network and information systems, including documented security policies; and

-remedy any failure to meet the certain by law determined requirements.

The NIS directive explicitly emphasizes the use of European an internationally accepted standards and specifications relevant to the security of network and information systems. There are two relevant international standards that set out a best-practice approach: ISO/IEC 27001:2013, the international standard for an information security management system (ISMS), and ISO 22301:2012, the international standard for a business continuity management system (BCMS). Besides these practices ENISA (the European Agency for Network and Information Security) published strict minimum guidelines for digital service providers. Requirements include (besides ISMS and BCMS) NIST and Cobit5.

EY/EY Law has the knowledge and experience in order to help entities to undergo the process of transposition with NIS.  EY/HVG can help with Evaluation of the NIS strategy in line with the NIS directive:

– Assessment of the overall security;
– Assist in the risk assessments around NIS requirements;
– Review of the internal security processes;
– Design an internal security and response strategy and align with the board of directors;
– Analyze the processes and technology to support data breach notifications;
– Implement minimum level of security (ISO/IEC 27001:2013SO, ISO 22301:2012, NIST, COBIT5, …)