[UPDATE: the Directive has now been published, with Member States required to transpose it into their national laws by 9 May 2018]
The European Council has published the text of the Network and Information Security Directive recently agreed by its representatives and those of the European Parliament. This still needs to be “technically finalised” (in particular Recital and Article numbers will change, so I’ve not included them here) and formally approved by the Parliament; then Member States will have 21 months to bring it into force.
The Directive falls into two parts – national arrangements for improving the security of network and information systems, and duties on operators of socially important services that rely on secure network and information systems. The definition of the latter has been shifting through the development of the Directive. This latest version splits them into two groups: “operators of essential services” and “digital service providers”. Interestingly, different types of internet service appear in both groups.
The list of “essential services” is similar to the UK’s definition of “critical infrastructure”, though food seems to have been left out. Unlike the original proposal, there’s no mention of any public sector services. And whereas the UK’s definition says “communications”, the Directive specifies Internet Exchange Points, DNS Service Providers, and Top Level Domain Registries. Telecommunications providers are already covered by their own Directive so aren’t included here. Each Member State is expected to come up with a list of the operators of these services – a good thing as, as far as I can see, the definition of “DNS Service Providers” would actually extend all the way down the hierarchy and cover anyone running a resolver. I presume Governments will in practice impose a cut-off when developing their (finite) lists.
“Digital service providers” are of three types: “online marketplaces”, “online search engines” that aim to index all websites or all sites in a particular language, and “cloud services” defined in a way that appears to cover everything from Infrastructure as a Service to Software as a Service. The definition of clouds doesn’t appear to be limited to fully public clouds, and Member States are specifically warned against developing lists of Digital Service Providers. However, the duties imposed on DSPs are required to be proportionate to the risk that their services represent, which should reduce the impact on clouds with limited user communities.
The duties imposed on both groups are familiar ones: to “take appropriate and proportionate technical and organisational measures” to manage risks to the security of the service, and to report significant breaches to national regulators. However, this Directive appears more explicitly focussed than others on the “continuity of service” aspect of security. The requirement to notify only applies where incidents have “a significant impact” on continuity of service, taking into account factors like duration, number of users and geographical spread of the impact. Also, there’s no fixed timescale for reporting – it should be “without undue delay”.
The provisions on incident response teams seem to recognise that quite a lot of development has taken place while this Directive has been under discussion. There’s explicit recognition of existing national and international cooperation and that different sectors may well be covered by different incident response teams. The list of CERT functions is now much less prescriptive – the member states to whom this is addressed should all know what a CERT does by now!