- How Businesses Will Be Affected By The New Cybersecurity Directive
- March 29, 2017 | Authors: Yasmine Aquilina; Nicole Attard
- Law Firm: GVZH Advocates - Valletta Office
Cyber security is a prominent issue on the EU’s digital agenda. Many governments and companies are vulnerable to cyber security threats. For this reason, there has recently been a push for a directive which would harmonise Member State rules on cyber security. This led to a proposal for a Directive of the European Parliament and of the Council concerning measures for a high common level of security of network and information systems across the Union. An agreement on the proposal was reached on the 7th of December 2015, and on the 14th of January 2016 the EU’s internal market committee voted to support the agreement. Two categories of company are affected by this legislation: those which are considered to be “providers of essential services” and “digital service providers”.
PROVIDERS OF ESSENTIAL SERVICES INCLUDE:
- Financial Market Infrastructures
- Digital Infrastructure
  - Internet exchange points
  - Domain name system (DNS) providers
  - Top-level domain name registries
- Health Sector
- Drinking water supply and distribution
Processing of Personal Data (Electronic Communications Sector) Regulations
DUTIES OF PROVIDERS OF ESSENTIAL SERVICES
- The duty to take appropriate measures to prevent and minimise the impact of incidents affecting the security of the network and information systems used for the provision of such essential services.
- The duty to notify the competent authority, without undue delay, of incidents having a significant impact on the continuity of the services they provide.
Whether an incident has a significant impact is determined by:
- The number of users affected by the disruption of the essential service
- The duration of the incident
- The geographical spread with regard to the area affected by the incident
The competent authority may require providers of essential services to:
- Provide the information needed to assess the security of their networks and systems; and
- Provide evidence of effective implementation of security policies
DIGITAL SERVICE PROVIDERS INCLUDE:
- Services which allow online consumers or traders to conclude online contracts (sales or service);
- Online search engine services (in-built website search functions do not fall under the scope of this Directive); and
- Different types of cloud computing services.
DUTIES OF PROVIDERS OF DIGITAL SERVICES
The digital service providers falling within the scope of this Directive must:
- Identify and take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of their networks and information systems, whilst taking into account the following elements:
  - Security of systems and facilities;
  - Incident management;
  - Business continuity management;
  - Monitoring, auditing and testing; and
  - Compliance with international standards
- Take measures in order to ensure the continuity of the services by preventing and minimising the impact of incidents that affect the security of the networks and information systems used; and
- Conform with a reporting scheme which is to be established by the Member State in question, whereby they must notify the competent authority, without undue delay, of any incident which may have a substantial impact on the provision of the service.
Whether an incident has a substantial impact is determined by:
- The number of users affected by the incident, particularly the number of users which rely on the service in order to provide their own services;
- The duration of the incident;
- The geographical area affected by the incident;
- The extent of the disruption of the functioning of the service; and
- The extent of the impact on economic and societal activities.
The competent authority may:
- Require the digital service providers to provide information needed to assess the security of their networks, including documented security policies; and
- Require the digital service providers to remedy any failure to fulfil the previous requirements.
Smaller companies may also be affected by this Directive, as they may need to implement security protocols in their systems in order to comply with these laws. By the time this Directive comes into force, which will be in 2018, all companies falling within its remit will need to be fully compliant.
It is therefore recommended that companies:
- Implement a comprehensive cyber security policy in order to ensure IT and information security
- Identify any areas within their IT networks which might be vulnerable to an attack
- Prepare a network and information security response plan
- Set up an incident response team
- Ensure that suppliers and subcontractors implement security measures and provide periodic evidence that these measures are appropriate and effective
- Implement training and awareness programmes and ensure employees and suppliers are aware of the security response plan and are able to comply with it.