The NIS Directive is applicable and obliges a number of companies to reinforce their cybersecurity plan beyond what already provided by the GDPR.
I have discussed in several instances about the security measures that the GDPR requires to put in place (Read on the topic “Top 3 lessons learnt on data breach events and how to be ready to face them“). But I have not touched the impact of the Directive 2016/1148 concerning measures for a high common level of security of network and information systems across the Union (the so called “NIS Directive“) that is applicable in Italy with effect from the 24th of June 2018 and imposes additional security measures and obligations.
To which companies is the NIS Directive applicable?
Unlike the GDPR that applies to any entity processing personal data, the NIS Directive is applicable only to
- providers of digital services i.e. an online marketplace, an online search engine and a cloud computing service that offer services to persons located within the European Union, regardless of the place where they are established; and
- operators of essential services i.e. companies operating in the following sectors: energy, transport, banking, financial market infrastructures, health, drinking water supply and distribution and digital infrastructure that are established in the European Union, as identified by the 9th of November 2018 by each EU Member State according to criteria that take into account (i) the relevance of the service provided for societal and economic activities, (ii) the fact that the service is provided through network and information systems and (iii) the circumstance that an incident would have significant disruptive effects on the provision of that service.
We are monitoring the publication of the list of operators of essential services by the EU Member States that in a number of countries has not happened yet.
What obligations are imposed on providers of digital services and operators of essential services?
Under the terms of the NIS Directive, entities to which it is applicable shall
- take appropriate technical and organisational measures to secure their network and information systems where the level of security shall be assessed taking into account the risk posed, in the view of the state of the art;
- take appropriate measures to prevent and minimise the impact of security incidents to ensure service continuity; and
- notify the relevant supervisory authority of any security incident having a significant impact on service continuity without undue delay.
The modalities of compliance with the obligations above are subject to localizations under the implementation laws of each EU Member State. And indeed, the Italian authority in charge of receiving the notifications is the Italian CSIRT which also published a template to perform notifications.
Why is the NIS Directive going beyond the GDPR?
The NIS Directive contains a cross reference to the GDPR when the measures required by the NIS Directive impact on the processing of personal data. But it is not a directive aimed at protecting personal data. On the contrary, the goal is to set a standard of cybersecurity across the European Union in relation to services that might impact the economy and the society.
Therefore, for instance, in case of data breach that did not impact personal data, a notification to the competent data protection authority might not be necessary. On the contrary, a notification to the CSIRT could be required if the incident has a significant impact on service continuity.
There is no time left and immediate actions are necessary. I will be happy to discusse and you may read on data breach obligations under the GDPR the following article “Personal data breach – Your To-Do list to get ready under the GDPR“.