FYI: EU Network and Information Security Directive

While we’ve been focusing on the EU General Data Protection Regulation (GDPR), there’s another EU security initiative that deserves an honorable mention.

First proposed in 2013, the Network and Information Security Directive (NISD) addresses cybersecurity for “essential services”.

The NIS Directive is not nearly as detailed as the GDPR. Its goal is to improve co-operation between member states with regard to cyber-attacks against critical sectors of the economy — health, energy, banking, telecom, transportation, as well as some online businesses — and to set minimum standards for cybersecurity preparedness.

The Difference Between NISD and GDPR

NISD asks companies in these sectors to have measures in place to prevent the attacks or minimize their disruption, and to report those incidents that do have a significant impact on the “continuity of the essential services they apply”.

So if hackers steal consumer data from an electric utility, then the NIS Directive would not apply — though the GDPR would kick in.

However, if the attackers are able to, say, remotely insert special code into an electric generator causing it to crash, then in that case the utility would have to notify the local authority or Computer Security Incident Response Team (CSIRT).

The NISD calls for EU countries to establish CSIRTs to collect these incident reports and to liaise with their counterparts in other countries. The CSIRTs would also be in charge of enforcing NISD.

You can think of NISD as being concerned with systems and disruptions, versus the GDPR’s attention to consumer data and exposure.

NISD has a similar intent to the US’s own Critical Infrastructure Cybersecurity Framework for protecting our essential services. A key difference is that the US initiative is (for now) voluntary.

Digital Operators and NISD Obligations

Interestingly, operators of some digital and web services fall under NISD requirements. These include online marketplaces (both consumer and financial), online search engines, and cloud computing services.

If Amazon Web Services or perhaps Airbnb were under a DoS attack in the EU, then it appears they would have to notify the local CSIRT. These companies, of course, fall squarely under current EU laws for personal data protection, and the GDPR when it comes into full effect in 2018.

In other words, in the future these digital operators will have two cyber laws to deal with — a double whammy.

Where NISD Stands

With the EU Parliament having just approved NISD, it’s expected to become law later this summer. Member countries will have 21 months to craft — or “transpose” — NISD into their own local laws.

Then EU countries will have another six months to identify operators of essential services in their own countries.