Cybersecurity in essential services: NIS Directive still to be transposed
José Ramón Morales (partner in the Corporate Law and Commercial Contracts practice and the Technology & Outsourcing industry).
May 9, 2018 marks the end of the period granted to Member States to complete the transposition into domestic law of Directive (EU) 2016/1148 of the European Parliament and of the Council, of 6 July 2016, concerning measures for a high common level of security of network and information systems across the Union (the “NIS Directive”).
The context and the NIS Directive
The magnitude, frequency and impact of cyber-incidents are increasing and, in this environment, concern for their possible consequences on services essential to the EU has been given special legislative attention at European level through various instruments, primarily the NIS Directive. This Directive lays down, for all Member States, a framework of similar requirements concerning the security of network and information systems and creates an opportunity for consolidation of a European cybersecurity industry. It also aims to make progress in the fight against cybercrime, reducing the risk it entails for public security and for national security.
The three pillars of the directive are: the creation of capabilities in all Member States in connection with cybersecurity strategy; transnational cooperation; and the supervision, at a national level, of essential industries.
Under the NIS Directive, the first two pillars take the shape of obligations for each Member State to adopt a national strategy on the security of network and information systems, to designate computer security incident response teams (CSIRTs) and to facilitate strategic cooperation with the CSIRTs of other Member States.
The NIS Directive defines mechanisms to ensure that those regarded as operators of essential services and digital service providers are subject to certain obligations: (1) to implement security measures appropriate to the security risks faced by the network and information systems they use, so as to ensure the ongoing provision of essential services; and (2) to notify security incidents capable of having a significant impact on their services, in some cases with the added possibility of informing the general public, where this is justified by objectives related to prevention or reaction, or is otherwise in the public interest. The directive aims to encourage operators to adopt a risk management culture that entails assessing risk and applying the appropriate security measures.
The supervisory mechanism and the measures imposed in the NIS Directive vary according to the activity’s degree of risk, distinguishing between activities in essential industries (energy, transport, drinking water supply, health sector, banking and financial market infrastructures), on which an ex ante supervisory procedure and stricter measures are imposed; and those of digital service providers (internet exchange point, DNS service providers, top-level domain name registries), which are subject to less rigorous requirements and ex post supervision.
The NIS Directive requires Member States to identify operators of essential services, and gives them until November 9, 2018 to indicate these operators. In contrast, Member States are not obliged to identify digital service providers, given that the NIS Directive should apply to all digital service providers included within its scope, ensuring that they are subject to a more harmonized approach at Union level with respect to security and reporting requirements.
Under the NIS Directive, Member States must also lay down rules on penalties applicable to infringements.
Actions taken and outlook for transposition in Spain
In November 2017, the Spanish Administration published a preliminary bill on the security of network and information systems, for the purposes of transposing the NIS Directive in Spain, and a public consultation period was opened until January 8, 2018.
In December 2018, the Spanish government approved a new National Security Strategy (NSS) highlighting cyber-threats and threats to critical infrastructures as two of the “Threats and Challenges to National Security”. The new NSS sets specific objectives and lines of action in matters of cybersecurity.
On March 19, 2018, the National Cybersecurity Council assessed and analyzed the status of the preliminary bill on the security of network and information systems intended to transpose the NIS Directive. It also studied the advisability of preparing a new National Cybersecurity Strategy.
The Spanish Government has yet to approve the Draft Law on the Security of Network and Information Systems that is to transpose the NIS Directive into the Spanish legal system or to initiate the parliamentary process for its approval. Even though the term for its enactment ends on May 8, 2018, given the current status of the processing deadlines, it already appears that this deadline will be difficult to meet. The future law transposing the NIS Directive, together with the definitive entry into force of the new European General Data Protection Regulation on May 25, 2018, will be a major turning point in the culture of risk management related to the security of information in the Spanish business arena.
©2023 J&A Garrigues, S.L.P. All rights reserved