Preventing or minimizing business risks should result in maximizing profits, but unexpected losses due to cybersecurity incidents can be costly to both businesses and affected consumers. The European Commission has finally addressed this rising issue with a new draft Directive, the Network and Information Security Directive (“NIS Directive”). The intent behind the Directive is to create a higher level of network and information security across the EU by mandating that Member States require essential services suppliers and digital network providers to adopt higher standards for managing and reporting cybersecurity incidents.
The NIS Directive requires Member States to establish a national network and information security strategy, to implement regulations ensuring a high level of network security, and to create a competent national authority to monitor and enforce the regulations as adopted. Member States are also mandated to engage in cooperative measures and information sharing with one another.
Operators of essential services, including energy, transport, finance, health, drinking water, and digital infrastructure, will be obliged to take measures to prevent and minimize the impact of cybersecurity attacks on their network and information systems. This will also apply to many third-party digital service providers whose services are used by the identified operators of essential services in delivering their own. The affected service providers must have a sufficient incident management process to report, monitor, audit and conduct ongoing testing, and to ensure continuity of the services provided. Sanctions must be put in place to promote compliance, although it is not yet known what those sanctions might be.
So, why should U.S. companies take any notice of the NIS Directive? With the recent erosion of the EU-U.S. Safe Harbor and the lack of a clear-cut replacement, U.S. companies doing business in the EU, whether through e-commerce or more traditional channels, would be wise to take steps to ensure compliance with the minimum thresholds set by the Member States when they enact regulations implementing the NIS Directive. Any EU legislation setting minimum thresholds for data privacy or security will likely replace the self-certification requirements of the EU-U.S. Safe Harbor.