EU Cybersecurity Directive finalised: The knights who say NI(S)

The European Union has finalised its first pan-European cybersecurity rules. The Directive on the Security of Network and Information Systems (NIS) is part of the EU cybersecurity strategy launched in 2013. The Directive aims “to ensure a high common level of network and information security.” To do so, it requires member states to oblige companies in specified sectors to implement baseline security measures.

Specifically, the NIS Directive requires EU member states to develop and implement strict security and notification requirements for “operators of essential services” such as internet exchange points, and more flexible rules for so-called digital service providers, meaning companies that provide cloud computing services, online search engines, and online marketplaces. As we discuss below, there are potential risks for privacy in this approach.

The text agreed between the EU institutions was approved by the EU member states in December, and by the EU Parliament Committee on Consumer Rights on January 14th. Next, it will be scheduled for a plenary vote in the EU Parliament. Since it is a Directive, the legislation sets minimum standards that EU member states must transpose into national law, but it does not prevent states from adopting stricter rules where they consider them necessary.

How will the Directive affect privacy?

In many respects, this is a “wait and see” situation. While the text calls for uniform standards to be developed, the vagueness of the Directive and the discretion it gives to member states could lead to different sets of rules being implemented across the EU.

Digital services were originally excluded from the scope of the Directive, but companies that provide them will now have to comply: they must implement new security measures and notify authorities when incidents occur that put the security of their services at risk, according to criteria determined by the member states.

Including digital services in the scope of the Directive raises privacy concerns. Companies could share a potentially large amount of users’ personal data with national authorities when they report an incident. To minimise the risks, the NIS Directive rightly sets no new privacy rules of its own, but instead requires that both operators of critical infrastructure – such as electricity and water suppliers or internet exchange points – and companies that provide digital services comply with EU data protection rules whenever they process personal data.

This means that when companies notify authorities about a security incident, they must do so in a way that abides by the data security rules set out under the soon-to-be-adopted General Data Protection Regulation (GDPR). If a security incident leads to a breach of personal data that puts users’ privacy at risk, companies will have to notify the data protection authorities so that users have the opportunity to seek remedy.

The Directive does not, however, address how governments handle the data that is reported to them, either in terms of how they will protect users’ privacy or how they will use the data for analysis. This means that oversight by national data protection authorities will be crucial for ensuring compliance with privacy standards.

No new security standards for companies? Not so fast.

Notably, a provision was added to the Directive in the final stages of the negotiations aimed at limiting member states’ ability to impose on digital service providers security or notification requirements that extend beyond those set out in the text. However, if security standards are fully harmonised, there is a risk that inadequate data security practices become widespread. Government standards can be informative, but the nature of security challenges is continually evolving, and such standards can quickly become outdated. Member states would then be locked into these deficient standards.

However, the limit for setting additional security standards for companies is not absolute. EU countries can still put into place such requirements for “national security” purposes or to “maintain law and order”. This means that in the end, companies will likely have to comply with a patchwork of security measures in the EU.

What’s next? Member states must uphold their obligations under EU law.

In the coming months, the agreed text of the NIS Directive will be put to a vote in the plenary of the EU Parliament. Once it is adopted, member states will have 21 months to transpose the measures into domestic law.

In the past, EU member states seeking to avoid their obligations to protect users’ personal data have tended to rely on ill-defined, untested “national security” exceptions. This is a mistake. Member states should not use these exceptions to negate their obligations under EU law, including their commitment to the rule of law and compliance with the EU Charter of Fundamental Rights. We urge national lawmakers to take the utmost account of their obligations to respect human rights when they implement the Directive.

Lucie Krahulcova contributed to this post.

Image: Wikimedia Commons