The Network and Information Security (NIS) Directive has been published in the EU’s Official Journal. EU countries have until 9 May 2018 to implement the Directive into national law, and the national measures will then need to be applied from 10 May 2018. The Directive was approved by EU law makers earlier this month.

It is not yet clear whether the UK will implement the NIS Directive following the nation’s vote to leave the EU.

The NIS Directive sets out measures designed to ensure that critical IT systems in key sectors of the economy, such as banking, power, health and transport, are secure. It will apply to operators of such “essential services” and to “digital service providers”.

Each EU nation must determine, by 9 November 2018, which organisations in its jurisdiction are operators of essential services and subject to the rules, in line with the criteria set out in the Directive.

Digital service providers, defined as online marketplaces, online search engines or cloud computing service providers, will also be subject to obligations under the Directive. Slightly different rules apply to operators of essential services than to digital service providers.

According to the Directive, a ‘cooperation group’ comprising representatives from each EU nation will seek to develop “a consistent approach in the process of identification of operators of essential services” by individual member states.

The group will “discuss the process, substance and type of national measures allowing for the identification of operators of essential services within a specific sector in accordance with the criteria set out in [the Directive]”, as well as, potentially, the specific national measures for identifying operators of essential services drawn up by an EU nation. The cooperation group is to be active by 9 February 2017.

Technology law expert Luke Scanlon of Pinsent Masons assessed earlier this year which businesses can expect to be subject to the new NIS Directive.

Under the Directive, operators of essential services will be required to “take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems which they use in their operations”. Those operators will also need to “take appropriate measures to prevent and minimise the impact of incidents affecting the security of the network and information systems used for the provision of such essential services, with a view to ensuring the continuity of those services”, for instance resilience and business continuity measures.

A new incident notification regime will also apply under the Directive, requiring operators of essential services to report “incidents having a significant impact on the continuity of the essential services they provide” without undue delay. Notification will have to be made to the “competent authorities” or Computer Security Incident Response Teams that each EU nation will have to set up, as designated by the EU nation concerned.

In determining the significance of security incidents, operators of essential services will need to consider factors such as how many users are affected by disruptions to essential services, how long such an incident lasts and the “geographic spread” of the impact from such an incident. The cooperation group may develop guidelines on the circumstances in which operators must notify incidents, including parameters for determining the “significance” of an incident’s impact.

Digital service providers will also have obligations to ensure the security of their network and information systems and to minimise the impact of incidents affecting that security. They will be subject to lighter-touch reactive requirements and cannot be subjected by member states to more onerous requirements than those under the Directive, except for reasons of national security or law and order. However, operators of essential services could be subjected by individual EU countries to more stringent requirements.

Different incident notification obligations will apply to digital service providers than to operators of essential services. Digital service providers will be required to notify incidents that have a “substantial” impact on the provision of a service they offer in the EU, without undue delay.

To determine whether the impact of an incident is substantial, digital service providers will need to assess a range of criteria. Relevant factors include the number of users affected by the incident, in particular users relying on the service for the provision of their own services; the duration of the incident; the geographical spread with regard to the area affected by the incident; the extent of the disruption of the functioning of the service; and the extent of the impact on economic and societal activities. The Commission is to publish further rules on security requirements and on the factors for assessing whether the impact of an incident is substantial within one year of the Directive coming into force.

However, the duty to notify incidents will only apply to digital service providers if they have “access to the information needed to assess the impact of an incident against the parameters referred to”.

Each EU nation must determine its own “effective, proportionate and dissuasive” penalties for infringement.

Cybersecurity expert Kuan Hon of Pinsent Masons, the law firm behind Out-Law.com, said recently that there is some overlap between the NIS Directive and the EU’s new General Data Protection Regulation (GDPR), but that the security requirements organisations face under each piece of legislation “may not be identical”.