The EU recently finalized its Network and Information Security (NIS) Directive, the first of its kind. The goal of the NIS Directive is to “achieve a high common level of security of network and information systems within the EU” by improving the cybersecurity capabilities of EU member states, increasing communication on cybersecurity between member states and (of primary interest to our members) requiring parts of the private sector to meet certain obligations regarding their cyber-risk and their reporting of cyber incidents.
Both “operators of essential services” and Digital Service Providers (DSPs) are required to take steps to mitigate their cyber-risk and are required to report major cybersecurity incidents to their Member State’s Computer Security Incident Response Team (CSIRT). Each Member State is required by the Directive to set up one of these CSIRTs to respond to domestic cybersecurity breaches. Because “the degree of risk for operators of essential services is higher than for digital service providers,” DSPs have less stringent obligations for both security and reporting than “operators of essential services” do.
But how does the Directive define DSPs and “operators of essential services”? A DSP is defined in the Directive as a company that provides an online marketplace, a search engine and/or a cloud computing service. Notable DSPs include Google and Microsoft, but there are many others. The Directive applies to all DSPs operating in the EU, not just the ones based there.
In contrast, Member States themselves determine the “operators of essential services” within their own borders, based on three criteria set out in the Directive. In order to be considered an “operator of essential services,” a company must provide a service which:
- is essential for the maintenance of critical societal/economic activities,
- “depends on network and information systems,” and
- would be significantly disrupted by a cybersecurity incident.
As such, as with a DSP, a company need not be based in a Member State to be considered an “operator of essential services” by that state. That said, only certain types of entities within specific sectors – energy, transport, banking, financial market infrastructures, health, drinking water supply and distribution and digital infrastructures – can be considered “operators of essential services.” Within the financial market infrastructures sector, operators of trading venues and central counterparties can be considered “operators of essential services.” Within the healthcare sector, only healthcare providers can.
It’s worth noting, before concluding, that the NIS Directive could have an effect on the market for cyber insurance. While there is no mandatory purchasing requirement in the Directive itself, many companies may look to cyber insurance providers for expertise on mitigating cyber risk. Stay tuned for more updates.