Last month, a major data security law went into effect that will impact businesses both in the EU and the US. No, I’m not talking about the General Data Protection Regulation (GDPR), which we’ve mentioned more than a few times on the IOS blog. While more narrowly focused on EU “critical infrastructure”, the NIS Directive or NISD also has some surprising implications for non-EU companies not remotely in the business of running hydroelectric plants or other critical or essential services.
It’s a Directive!
A key point to keep in mind is that this new law is a directive. We know from the pre-GDPR Data Privacy Directive (or DPD) that, in the language of EU bureaucrats, a directive is an outline or template for a law. Individual EU countries will have to fill in the details when they “transpose” it into local laws.
NISD merely says the certain companies that perform “essential services” — EU-speak for critical infrastructure — must take “appropriate technical and organizational measures” against cyber attacks and then notify authorities “without undue delay” when there’s a significant security incident.
That is all she wrote!
Because NISD is not in any way prescriptive, there’s a lot of wiggle room for legislators to fill in the details. Yes, this does mean that, like the older DPD privacy law, NISD will vary signficanlty by country – with some national regulators being far stricter with fines and enforcement
A few countries have already implemented NISD — for example, the UK has localized its version – but most are still hammering out the details. As it turns out, the laggards have a little more time to work out their individual laws. NISD says that EU countries really have until November 2018 to identify specific operators of essential services.
That’s right! Unlike the GDPR, the NISD (for the most part) will apply to an explicit set of companies in the essential services sector, which include energy, transportation, health, financial and banking.
As I write this, I am not aware of any EU country that has produced this list. In effect, NISD is on pause until we hear more from local governments on the essential service picks.
US Digital Service Providers Are Under NISD
However, NISD carves out an exception for digital service providers. EU countries do not have to come up with a list of companies that offer essential online infrastructure. According to NISD, any company offering cloud computing, online marketplaces connecting buyers with sellers, or search engine services are automaticall digital providers!
And they would fall under NISD rules right now. (FYI: Micro and small digital providers that have under 50 employees and less than €10 million revenue are excluded.)
US companies in the cloud and online marketplace space — and there are many — will certainly have to up their game for their EU locations.
But there’s another catch.
Remember how the GDPR applies to companies outside the EU even if they don’t have a physical presence there?
Like the GDPR, NISD also has an expanded territorial scope aspect. If a US company has, say, an online marketplace for apartment vacation rentals and promotes that service in the UK or France, then it would fall under NISD. You can read more about the international territorial scope of NISD in this legal article.
Reporting a NISD Cyber Attack
NISD lists a few parameters to help digital service providers decide whether a cyber attack has had a “substantial impact” on its operations. They include the number of subscribers affected, duration, geographical scope, and economic costs.
For example, a ransomware, DDoS, or other disruptive cyber-attack impacting a US online service company offering, say, apartment or car sharing, web hosting, or, cough, search engines in the EU market, regardless of whether they have physical EU servers, are covered by NISD. And they would have to report the incident to the local regulator, know in NISD as a Computer Security Incident Response Team or CSIRT.
There will be fines for noncompliance!
As a baseline, the UK’s implementation of NISD has set maximum fines of €17 million. Mileage can vary, of course, as each EU country is free to set their own fines and penalties.
In any case, US digital providers now have another EU law to take into account. In short, not only do they have to comply with the GDPR’s security and privacy rules for personal data, but also NISD’s more general requirements for securing IT and networking infrastructure against disruption.