U.S. Companies Unaware Of EU Cybersecurity Regulations

U.S. companies have been abuzz about compliance requirements with the European Union’s (EU) Global Data Protection Regulation (GDPR), which became effective May 25, 2018. The GDPR was so scary because the enforcement provisions allowed fines up to 2-4% of total global turnover. U.S. businesses are largely unaware, however, of the EU’s regulatory actions on cybersecurity, particularly the Directive on Security of Network and Information Systems, known as the NIS Directive.

The Directive became effective August 9, 2016, and it empowers EU Member States to regulate – and enforce – cybersecurity requirements for a large number of companies. It was followed by a Communication from the Commission to the European Parliament and the Council (“Communication on NIS Directive”), which includes an Annex and is intended to help Member States implement the NIS Directive. 

Although the EU has dominated the privacy issue since its 1995 Data Protection Regulation, the U.S. seized global leadership on cybersecurity in 1996 when President Clinton established the President’s Commission on Critical Infrastructure Protection via Executive Order 13010 and identified critical infrastructures that needed to be protected. The first U.S. National Strategy to Secure Cyberspace was also developed in 2001. 

Since that time, Congress and U.S. states have enacted numerous laws and regulations pertaining to cybersecurity. The National Institute of Standards and Technology (NIST) has published Federal Information Processing Standards, Special Publications on cybersecurity best practices, and Interagency Reports on cybersecurity research. The U.S. Department of Homeland Security (DHS) established the US Computer Emergency Response Team (US-CERT) and has facilitated public-private interaction and information sharing on cyber threats. In 2008, the U.S. Cyber Command was established by the Secretary of Defense to protect U.S. national security interests. There have been more, but these are some of the major actions.

While the EU was always very helpful in the area of countering cybercrime and providing investigation assistance, it did not really focus on cybersecurity until 2013 when it set forth an EU Cybersecurity Strategy. From 2013 forward, the EU has aggressively taken on cybersecurity as an issue equivalent to privacy – but U.S. businesses have failed to pay attention. 

The NIS Directive & Operators of Essential Services

The NIS Directive applies to “operators of essential services” (OES) – which are essentially critical infrastructure companies – and digital service providers (DSP). Each Member State had to transpose the Directive into national law by May 9, 2018, and it had to identify OES within its borders by November 9, 2018.

The Directive has teeth. It requires designated OES companies to:

- Implement the required technical and organizational security measures to prevent risks and manage the security of their network and information systems, and
- Notify the relevant national authorities of serious incidents.

The Directive also imposes obligations on Member States. They must:

- Develop a cybersecurity strategy.
- Establish a national point of contact for coordination with other Member States.
- Establish one or more Computer Security Incident Response Teams (CSIRTs) to monitor events at a national level, provide early warnings and alerts about incidents, share information among stakeholders, and respond to incidents.
- Assign one or more national competent authorities to ensure that the NIS Directive is being complied with and that OES are managing risks to the security of their networks and systems. (Member States are allowed to set stricter security requirements than those established by the EU.)
- Ensure that national competent authorities have the power and resources to:
  - Assess whether OES are complying with the NIS Directive
  - Compel OES to provide the information necessary for the assessment, including evidence of implementation
  - Issue binding instructions to OES to remedy deficiencies.
- Ensure that OES minimize the impact of incidents and notify national authorities or the CSIRT without delay.

The NIS Directive applies to U.S. companies with operations in Member States. This means that U.S. companies may have to implement security requirements, turn over operational data to allow national authorities to assess their compliance, and perform required remediation measures.

Enforcement of the NIS Directive varies, with each Member State setting its own fines and penalties for non-compliance. Nevertheless, it is serious business. Some countries, such as the UK and Germany, consider whether an incident also involves a GDPR violation, in which case the fines could run in parallel to those imposed under GDPR. Belgium established administrative and criminal penalties, with imprisonment up to two years. Alexander Duisberg, a partner at Munich’s Bird & Bird, noted that, “We have a scattered and diversified level of implementation, including sanctions, throughout Member States, which makes it difficult for companies to comply with the Directive.” Bird & Bird has compiled a summary of Member States’ implementation and enforcement provisions that may be helpful to readers.

The NIS Directive & Digital Service Providers

Now, let’s look at how the Directive applies to DSPs, which include search engines, cloud computing services, and online marketplaces (e-commerce sites). The Directive defines an online search engine as “a digital service that allows users to perform searches of, in principle, all websites or websites in a particular language on the basis of a query…and returns links in which information related to the requested content can be found.” The Communication on the NIS Directive noted there are three main types of cloud service models: Infrastructure-as-a-Service (IaaS), Software-as-a-Service (SaaS), and Platform-as-a-Service (PaaS). The Directive makes clear that online marketplaces may include the processing of transactions, aggregations of data, profiling of users, and application software stores. DSPs with fewer than 50 employees and not more than €10 million in revenue are exempted.

Although DSPs are not identified in each Member State (as OES are), they are automatically subject to security and notification requirements under the Directive.  The European Commission determines security and notification requirements for DSPs, and Member States are not allowed to impose stricter requirements on them. Mandatory DSP requirements include security measures for the network and information systems, including incident handling, business continuity, monitoring, auditing and testing, and compliance with international standards. Throughout the Directive, there is an emphasis on EU and international standards. 

DSPs must take measures to minimize the impact of incidents and notify the national authority or CSIRT without undue delay for incidents having a substantial impact on service, including any impacts of third party providers. The national authority or CSIRT has discretion to inform the public or require the DSP to inform them.

If a DSP has a primary business establishment in one Member State and networks and systems located in other Member States, then the DSP should register with the national authority of its main location and the national authorities of other Member States will cooperate with that national authority. If a company is not established in the EU but offers services within it, the DSP must designate a representative in the EU where its services are offered. A European Commission Implementing Regulation set rules for DSP risk management and determination of when an incident has a substantial impact. 

What Should U.S. Companies Do?

U.S. companies are behind the curve on the NIS Directive. There has been little to no attention given to the Directive and the EU’s follow-on actions with respect to its implementation. U.S. companies can take some actions to determine the applicability of the Directive to their own operations and meet compliance requirements:

- Determine whether the company is an OES or a DSP within the meaning of the Directive.
- Identify the Member States where the company or its subsidiaries are doing business.
- Identify the national authorities and CSIRTs in the countries where the company is doing business.
- Take actions to prepare for compliance with the NIS technical requirements:
  - Conduct a comprehensive risk assessment against international standards.
  - Develop good inventories of assets and know which devices and services are needed.
  - Review intrusion detection, prevention, event management, and log analysis to ensure they are in alignment with best practices.
  - Review incident response plans and ensure they are aligned with NIS reporting requirements.
  - Review backup and recovery plans and test them.
  - Review business continuity and disaster recovery plans and update them as needed.
- Take actions to prepare for compliance with the NIS organizational requirements:
  - Have governance policies and processes in place, including an enterprise approach to risk management.
  - Understand and manage risks associated with the company’s supply chain.
  - Ensure staff are appropriately trained and have the necessary skills.

The EU has proven to be masterful at applying extraterritorial jurisdiction to its laws. Its insistence on “adequacy” of protection for EU data that is transferred outside the EU has resulted in a number of countries emulating EU privacy laws. Others have copied the approach and named Data Protection Authorities; the list of global DPAs may be surprising to some companies.

Although the EU is only regulating critical infrastructure within its borders and digital service providers that reach into its countries, the reach of the NIS Directive is breathtaking. Stay tuned for more articles on this topic and others. Even less attention has been given to the EU Cybersecurity Act, which was adopted on April 17, 2019 and became effective June 27, 2019 (some articles are not effective until June 28, 2021). It permanently establishes the EU Cybersecurity Agency and a certification process for information and communication technology products, services, and processes. Yikes!