New Rules on Cybersecurity – Operators of Essential Services and Digital Service Providers Prepare
The annual cost of cyberattacks for EU member states has been estimated as being in the region of €33.6 billion, with that cost increasing every year.
In that context, it is somewhat surprising that the first set of EU wide rules on cybersecurity are only due to come into effect on 10 May 2018 in the form of the Cybersecurity Directive (Directive (EU) 2016/1148).
On 12 September 2017, the European Commission announced a cybersecurity package setting out measures to respond to the changed cyber-threats landscape.
Those new rules will establish security and notification requirements concerning cyber security threats and incidents.
With the General Data Protection Regulation (GDPR) coming into force on the 25 May 2018, organisations across Ireland are busy ensuring that they can comply with the GDPR on or before that date. Given the size of that task from a management and operational perspective, it is not surprising that many organisations are not giving much attention to the new rules on cybersecurity.
Like the GDPR, the Cybersecurity Directive requires certain organisations to ensure the security of the network and information systems which they use but, unlike the GDPR, Ireland can decide how it adopts those rules.
As the Irish legislation transposing the Cybersecurity Directive into Irish law has not yet been published, we do not know precisely how Ireland will adopt the new rules. What we do know is that Ireland must comply with these new rules and that there are essential differences between the GDPR and the Cybersecurity Directive.
Although the Cybersecurity Directive applies to a narrower group of entities, once it applies, it is wider in scope than the GDPR:
- The Cybersecurity Directive requires that all of the information on network and information systems is protected, not just personal data; and
- Under the Cybersecurity Directive all incidents affecting relevant information must be notified to the regulator, not just incidents involving personal data (and incidents involving personal data may have to be notified to two separate regulators).
Who does it apply to?
The Cybersecurity Directive will apply to Operators of Essential Services and Digital Service Providers.
Ireland must, before November 2018, identify Operators of Essential Services in the following sectors: Energy; Transport; Banking; Financial Market Infrastructures; the Health sector; Water Production, Supply and Distribution and Digital Infrastructure.
Operators of Essential Services will include: electricity companies; gas and oil companies; airlines; shipping firms; ports and airports; rail and road authorities; traffic management authorities; banks, other credit institutions, some financial intermediaries; hospitals and clinics; water distribution; and, internet based companies.
A Digital Service Provider is any online marketplace, cloud computing service and/or a search engine.
Some Operators of Essential Services and Digital Service Providers will be exempt, for example, based on:
- employee numbers and annual turnover; or
- where they are subject to sector specific or other European law which requires them either to ensure the security of their network and information systems or to notify incidents provided that such requirements are at least equivalent in effect to the obligations laid down in the Cybersecurity Directive.
Impact
Different rules will apply to Operators of Essential Services and Digital Service Providers.
Operators of Essential Services must:
- take measures to detect and manage risks posed to the networks and information systems that they control and use in their operations; and
- report incidents that have a significant impact on the services they provide.
An ‘incident’ is defined widely, and is any event having an actual adverse effect on the security of network and information systems. This would include not only cyberattacks on those systems but also physical incidents impacting those systems.
Digital Service Providers must:
- ensure the security of their network and information security systems and minimise the impact of incidents affecting that security;
- notify incidents that have a substantial impact on the services they provide.
The European Commission has published specific rules on the security and notification requirements that apply to digital service providers.
Importantly, where an OES relies on the services of a DSP, the OES must also notify any incident affecting the DSP having a significant impact on the services provided by the OES. Operators of essential services should therefore ensure that contracts with any digital service provider enables compliance with this obligation.
Consequences of Breach
Any breach or infringement of the Cybersecurity Directive may lead to the imposition of financial penalties. We do not yet know what those penalties will be. Those penalties must be “effective, proportionate and dissuasive”.
Next Steps
The Cybersecurity Directive obliges member states to give effect to it by 10 May 2018.
A draft of the Cyber Security Bill has not yet been published. The Irish Governments legislative programme for Spring/Summer 2018 notes that “preliminary work is underway”.
The Department of Communications, Climate Action and Environment has:
- adopted a national strategy on the security of network and information systems;
- established the National Cyber Security Centre (NCSC) at the Department of Communications, Climate Action and Environment;
- established the Computer Security Incident Response Team (CSIRT-IE) within the NCSC as the single point of contact;
- published a consultation paper on security measures and incident reporting for Operators of Essential Services on 15 November 2017. The consultation paper sets out a proposed approach for measures which certain key infrastructure operators will be required to comply with if designated as Operators of Essential Services under the Cybersecurity Directive. The paper also sets out a draft set of incident reporting guidelines.
Operators of Essential Services and Digital Service Providers will be busy ensuring that they can comply with the security and notification requirements of the Cybersecurity Directive.
Any organisation that might be considered to be an Operator of Essential Services or a Digital Service Provider and has not yet started that review should immediately take steps to:
- ensure that it can comply with the Cybersecurity Directive;
- update its IT Security Policy and Procedures and Incident Response Plans; and
- update its contracts.
If you have any queries in relation to the above, please contact Judith Curtin.