
Digital Business Lawyer

ENISA’s new guidelines on incident notification for DSPs under the NIS Directive

The EU’s Directive on Network and Information Security (the ‘NIS Directive’) must be implemented into Member States’ local laws by 9 May 2018. It is the first true inter-governmental initiative to address cyber security, and one of its central tenets is that digital service providers (‘DSPs’) who provide online marketplaces, online search engines or cloud computing services must notify authorities of any incident having a substantial impact on their services. The European Union Agency for Network and Information Security (‘ENISA’) has recently issued guidelines to help DSPs manage incident notification (the ‘Guidelines’). James Walsh and Sabba Mahmood of Fieldfisher LLP examine the Guidelines in the context of the NIS Directive for DSPs.

The NIS Directive: the back story

If you ask the average lawyer what May 2018 will mean for businesses, they are unlikely to mention the NIS Directive. Attention in the privacy sphere has primarily focused on the General Data Protection Regulation (‘GDPR’), which also comes into force in May 2018. However, it would be dangerous for businesses that provide digital services to ignore the potential impact - and importance - of the NIS Directive.

In summary, the NIS Directive seeks to replace the current patchwork of European laws dealing with cyber security and impose a high common level of network and information security across the EU. To that end, the NIS Directive:

• requires Member States to adopt their own network and information security strategies, and to designate national authorities for monitoring the application of the NIS Directive at national level;

• requires Member States to designate one or more Computer Security and Incident Response Teams (‘CSIRTs’) that are responsible for handling incidents in order to promote effective operational cooperation and information sharing; and

• establishes a Cooperation Group to facilitate strategic cooperation among Member States including representatives of Member States, the Commission and ENISA.

Security and incident notification requirements

Perhaps the most important aspects of the NIS Directive for DSPs are that:

• it imposes an obligation on DSPs to take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems which they use; and

• it requires them to notify authorities without undue delay of incidents having a substantial impact on their services.

Incident notification will allow competent authorities and CSIRTs to take appropriate action to share information concerning the threats. In particular, where an incident affecting a DSP concerns two or more Member States, the competent authority or the CSIRT shall inform the other affected Member States - although they must comply with EU law and preserve the DSP’s security and commercial interests as well as the confidentiality of the information provided.

Penalties for non-compliance will be set locally, but they must be ‘effective, proportionate and dissuasive.’

What incidents need to be notified?

The notification regime for DSPs applies to any incident having a substantial impact on the provision of a service that they offer within the EU. Such notifications should include information to enable the competent authority or the CSIRT to determine the significance of any cross-border impact.

In order to assess whether the impact of an incident is substantial, the following parameters are set out in the NIS Directive:

• the number of users affected by the incident, in particular users relying on the service for the provision of their own services;

• the duration of the incident;

• the geographical spread with regard to the area affected by the incident;

• the extent of the disruption on the functioning of the service; and

• the extent of the impact on economic and societal activities.

Unhelpfully, the NIS Directive does not elaborate further on the types of incidents that would trigger notification. The Guidelines released by ENISA are therefore intended to help DSPs determine when to report incidents under the NIS Directive.

What the Guidelines say

The Guidelines have been prepared by ENISA on a preliminary basis to indicate how incident notification provisions could be effectively implemented for DSPs across the EU. They aim to identify the types of incidents, parameters and thresholds that should be taken into account. ENISA has suggested that the incident notification requirements would apply to: ‘Any incident affecting the availability, authenticity, integrity or confidentiality of data stored, transmitted or processed by a DSP through network and information systems, which has a substantial impact on the provision of the digital service offered.’

The Guidelines set out information as to when the impact on availability, authenticity, integrity or confidentiality would be considered to be substantial under the NIS Directive. It is important to note that the factors to be taken into account to determine the impact of an incident relate to the services provided, not just the data that may be disclosed when they are compromised. This is an important contrast to requirements under the GDPR for the notification of data breaches and could apply in situations such as distributed denial of service attacks that may not even result in personal data being compromised.

The Guidelines set out the following proposed methodology for determining the impact of an incident:

• Identify the geographical spread of the incident - does the incident affect the proper accessibility of the service within the EU?

• Determine the extent of the disruption - is the service unavailable, unusable or unsafe to use?

• Determine the USERTIME - the product of the ‘number of users affected’ and the ‘duration of the incident’ - and ask whether the impairment caused by the incident exceeds the absolute or relative USERTIME thresholds.

• Determine the extent of the impact on economic and societal activities - this is necessarily an estimate.

Practical implications for businesses

Analysing incidents using this methodology would allow a DSP to put more precise figures around the likely impact of an incident on its service, and businesses may therefore find it useful to apply. If Member States implement the NIS Directive without further change or clarification, a DSP may well find the Guidelines useful to justify if and when it would be required to issue notifications. However, the NIS Directive and ENISA’s Guidelines have some practical limitations. The Guidelines acknowledge that the incident notification requirements may overlap with the reporting requirements under the GDPR. While the NIS Directive and the GDPR were developed somewhat concurrently by the European Commission, their notification requirements do not align, so there may be situations where a DSP must notify competent authorities under one or both pieces of legislation. Some DSPs may also be providing communications networks or services to which the Directive on Privacy and Electronic Communications (and the potential new ePrivacy Regulation) may apply. Handling three separate notification regimes may prove difficult to manage.

The effectiveness of the Guidelines will also depend on how uniformly Member States implement - and interpret - the NIS Directive. ENISA has gone into a good amount of detail as to how the incident notification requirements should apply to DSPs. However, there is nothing that would prevent Member States from imposing a higher standard. DSPs who pay heed to the Guidelines could well find themselves having to re-engineer their systems and processes for incident notification on a local basis when the NIS Directive is actually implemented.

Brexit will clearly be one of the issues that DSPs who provide their services in the UK will be concerned about. While some of the provisions of the NIS Directive can easily be implemented on a local basis, the NIS Directive is underpinned by cooperation provisions that can only operate effectively if a solution is negotiated with the EU to allow Britain to continue to remain part of the cooperation network that is established under the NIS Directive. This will hardly be high on the priority list in the Brexit negotiations.

Despite their potential limitations, the Guidelines were never meant to provide a full answer to incident notification for DSPs. They do provide a useful and defensible indication of minimum standards that DSPs should consider building into their network and information security strategies for notification purposes. At a minimum, DSPs should review their network and information security incident response plans - and those of their service providers - to ensure that they can comply with the Guidelines. They should also monitor local law implementation and any national regulatory guidelines and communications issued by competent authorities, to keep track of any differences that need to be taken into account when implementing the NIS Directive.

James Walsh Partner

Sabba Mahmood Associate

Fieldfisher, London
