European Commission adopts further rules for Cloud and other Digital Service Providers under the Network and Information Systems Directive (“NIS Directive”)

All eyes are on the GDPR, but this is not the only important piece of legislation in the field of data security with an impending deadline. By 9 May 2018, Member States have to transpose the EU Network and Information Systems Directive (Directive 2016/1148), the first EU-wide legislation on cybersecurity, into national legislation.

The NIS Directive provides legal measures to strengthen the level of cybersecurity in the EU. Businesses in sectors such as energy, banking, healthcare and digital infrastructure that are identified by the Member States as operators of essential services will have to take appropriate security measures and notify serious incidents to the relevant national authorities. Key digital service providers, i.e. providers of search engines, cloud computing services and online marketplaces, will also have to comply with the security and notification requirements under the new Directive.

On 30 January 2018, the European Commission adopted an implementing regulation that further specifies the elements and parameters for setting the security and notification requirements for digital service providers such as cloud providers. For instance, the regulation clarifies which measures need to be adopted with regard to (i) incident handling (e.g. detection processes, reporting policies, incident severity assessments, etc.), (ii) business continuity management, and (iii) monitoring and auditing. The regulation also further specifies the parameters for determining whether a security incident has a substantial impact, thus triggering the obligation to notify the competent authority, and sets the following thresholds:

  1. the provider’s service was unavailable for more than 5,000,000 user-hours;
  2. the incident resulted in a loss of integrity, authenticity or confidentiality of data or the related services offered by, or accessible via, the provider’s system, affecting more than 100,000 users in the EU;
  3. the incident created a risk to public safety, public security or of loss of life; or
  4. the incident caused material damage to at least one user in the EU where the damage caused to that user exceeds EUR 1,000,000.

The implementing regulation will apply from 10 May 2018.
