Brussels, 7 February 2013
Proposed Directive on Network and Information Security – frequently asked questions
Information systems can be affected by security incidents, such as human mistakes, natural events, technical failures or malicious attacks. These incidents are becoming bigger, more frequent, and more complex. 57% of people who responded to a Commission consultation said they had experienced Network Information Security (NIS) incidents over the previous year. A lack of NIS can compromise vital services: it can stop businesses functioning, generate substantial financial losses for the EU economy and negatively affect societal welfare. Digital information systems, in particular the internet, work across borders. A disruption in one EU country can have a knock-on effect in other Member States or the EU as a whole - for example, cross-border movement of goods, services and people could be hampered.
Who will benefit and how?
Citizens and consumers, however they define themselves, will have more trust in the technologies, services and systems they rely on day-to-day. This increased confidence will mean a more inclusive cyberspace, and a digital economy that grows even faster, supporting our economic recovery.
Governments and businesses will be able to rely on digital networks and infrastructure to provide their essential services at home and across borders. Secure eCommerce platforms could bring more customers online and create new opportunities.
Providers of ICT security products and services will benefit from specific security measures, combined with a more harmonised EU approach. Demand for their products and services is bound to increase, leading to innovative products and economies of scale.
Activists need to be safe online in order to express themselves freely. A more secure and resilient internet means these vital voices will be heard and protected more than happens today.
The EU economy will benefit as sectors that rely heavily on NIS will be supported to offer a more reliable service. Harmonised NIS requirements will lead to more consistent risk management measures and response and more systematic reporting of incidents. All of these should create more equal and stable conditions for anyone trying to compete in Europe’s Single Market.
When will the Directive come into effect?
Member States will have to implement the Directive within 18 months of its adoption by the Council and European Parliament.
Why do digital technologies, networks and services need protecting?
Because most Europeans rely on digital technologies, networks and services to conduct their day-to-day life, even if they don’t always realise it. Each year, 200 million Europeans – 40% of all citizens – buy over the internet. The ICT sector alone represents almost 6% of EU GDP, and Europe's ICT sector and ICT-related investments deliver around half of our productivity growth. The internet economy has generated 21% of EU GDP growth over the last 5 years. Major cybersecurity incidents put jobs and our chances for economic growth at risk.
What is the scale of the problem?
Cybersecurity incidents or breaches can have a major impact on individual companies and on Europe's wider economy. According to a Symantec and Ponemon Institute study, a data breach could cost a company anything up to US$58 million, with equally significant potential side effects like reputational damage, loss of customers and market share. A 2012 PwC survey found that 93% of large corporations and 76% of small businesses had a cybersecurity breach in the past year, with estimated losses of £15,000-30,000 even for smaller businesses.
Recent large-scale problems have included:
Why the new approach? Are existing regulatory measures or initiatives not working?
Past efforts have been on too small a scale and too fragmented, with the voluntary nature of past efforts leaving many gaps in our overall cybersecurity.
For example, under existing EU rules, only telecoms companies and data controllers have to adopt security measures, and telecoms companies alone are required to report significant security incidents. The new proposed Directive works to level the playing field by applying to all owners of critical infrastructure.
What do the proposals on risk management and reporting of security incidents mean for businesses and other organisations?
The Commission proposes to extend the obligation to report significant cyber incidents to:
Will every incident have to be reported?
No. Only incidents having a significant impact on the security of core services provided by market operators and public administrations will have to be reported to the competent national authority. For example: an electricity outage caused by a NIS incident and having a detrimental effect on businesses; the unavailability of an online booking engine that prevents users from booking their hotels, or of a cloud service provider that prevents users from accessing their content; the compromise of air traffic control due to an outage or a cyber attack.
The competent national authority may require that the public be informed. Public announcement will not be mandatory. Wider public interest will need to be considered in such judgements and vulnerabilities should not be disclosed until appropriate security fixes are available.
Why does the Directive target internet companies?
The proposed Directive includes internet companies because it is absurd to work to protect critical internet infrastructure without obliging such companies to take responsibility for their wider role in this ecosystem.
What about Internet Service Providers or the network owners?
These companies are already reporting incidents under the risk management and incident reporting obligations under the EU Telecom Framework Directive. ENISA (European Network and Information Security Agency) has recently published its report on incident reporting in 2011. In total, 51 incidents were reported.
Given that Member States now have more mature national incident reporting schemes compared to 2011, ENISA expects that the next annual report will contain 10 times more incidents.
Who is exempted from the reporting obligations?
Hardware manufacturers and software developers are exempted from the risk management and reporting obligations. The same applies to specific sectors or sub-sectors, for example insurance, water and food supply. The sectors currently covered in the proposed Directive are the ones for which the importance of ensuring cybersecurity is widely recognised. The public consultation on NIS also pointed to these sectors. Trust services are not covered, as they are addressed by the Commission's proposal for a Regulation adopted in June 2012.
Are media companies involved if they provide IT-like services?
The NIS Directive covers key internet enablers, i.e. those players whose services, delivered through the internet, empower key economic and social activities. When such activities or services are suspended for a couple of hours there may be a significant impact. The annexed table gives some examples of players that could be affected. News agencies and publishers, even when they provide IT and/or online services, are not covered. They are not key internet enablers like large eCommerce or cloud platforms, booking engines or social networks. Neither are Web browsers like Mozilla Firefox or websites like Wikipedia or content management systems like Wordpress.
What will you do to ensure companies don't end up dealing with 27 systems for reporting breaches?
Common reporting systems will be developed through implementing measures for the Directive. Specific templates could also be developed by ENISA, which has already brought together national regulators to develop harmonised national measures for risk management and incident reporting as part of the EU telecoms rules. ENISA is going through the same process for Article 4 of the ePrivacy Directive.
Doesn’t security regulation limit freedom and openness?
No. This strategy and the proposed Directive emphasise that security and freedom go hand-in-hand. Security enables citizens to reap the full opportunities that digital technologies offer. It is in full compliance with the EU Charter of Fundamental Rights, respecting privacy, with protection for personal data, freedom to conduct a business, the right to property, the right to an effective remedy before a court and the right to be heard.
Will the EU define minimum standards or level of security?
No, the Commission is not a standard-setting body. The proposed Directive seeks to lift the quality and assurance of cybersecurity, but does not impose any specific technical standards or mandate particular technological solutions. The wider Strategy asks ENISA to work with standardisation bodies and all relevant stakeholders to develop technical guidelines and recommendations for the adoption of NIS benchmarks and good practices. The proposed Directive does, however, impose the take-up of a minimum level of security by obliging critical infrastructure operators, key internet companies and public administrations to manage risks and report significant incidents. It also details a minimum set of NIS capabilities which Member States are required to put in place (e.g. a well-functioning Computer Emergency Response Team (CERT) which is adequately staffed and resourced). Member States are free to go beyond this and adopt or maintain stricter security requirements.
Why was minimum harmonisation chosen for the proposed NIS Directive?
The current level of NIS in the EU varies across Member States and industries. It is therefore important to first establish a common minimum level, before moving to more advanced cooperation. Those Member States and businesses that want to be frontrunners in terms of NIS by going beyond the minimum requirements are free to do so, even at this stage.
Isn't ENISA already doing enough in the field of cybersecurity in the EU?
Effective cybersecurity cannot be outsourced to a single body. ENISA will continue to provide its expertise and advice at EU level on the basis of its mandate in the new cooperation framework, to be established by the proposed NIS Directive.
How is the EU approach different to the US approach?
President Obama has long recognised cybersecurity as a top priority and recently announced that he will issue an Executive Order on cybersecurity. The Executive Order is likely to contain recommendations for operators of critical infrastructure, such as energy and transport, to join a voluntary programme and follow a set of cybersecurity standards. The guidance is not thought to prescribe one type of security over another. The main difference is that under the US Executive Order companies will be encouraged, but not required, to adopt some non-technical standards, to be defined by the National Institute of Standards and Technology (NIST).
What proof is there that openness and reporting is better for companies than covering up?
The obligation to report incidents will give companies the incentive to ensure that appropriate security processes are in place. Being prepared is vital, given the staggering potential cost of just one data breach. Being open and reporting incidents is also a way to ensure the long-term survival of a company. For example, DigiNotar, a Dutch certificate authority, failed to report a significant breach it suffered in 2011. When the breach was unveiled, DigiNotar suffered a catastrophic loss of reputation and subsequently went bankrupt. Being open about a problem, and about what a company is doing to resolve it, can restore confidence.
Examples of companies which are obliged to report cyber incidents