EU Directive on Security of Network and Information Systems
The Directive on Security of Network and Information Systems (the “NIS Directive”) was adopted by the European Parliament on 6 July 2016 and Member States have until 9 May 2018 to implement it in their national legislation.
The NIS Directive is the first comprehensive legislation on cybersecurity adopted at European Union level in a context where cyber-attacks are becoming more frequent and have more serious consequences. The aim is to achieve a similar standard of cybersecurity capabilities across all the EU Member States.
Cybersecurity in France has been a national priority for several years now and the country has developed a strong regulatory framework of cyber security measures in order to protect information systems. At a national level, France has already taken into account several aspects of the NIS Directive ahead of its implementation.
The main obligations set out by the NIS Directive
The obligations set out by the NIS Directive can be divided into three main areas:
Reinforcement of Member States’ national cyber-security capabilities
Firstly, the NIS Directive provides for the reinforcement of security in the Member States and requires each Member State to adopt a cybersecurity strategy and to implement concrete policies and regulatory measures.
In France, the point of contact for the implementation of such measures will be the French Agency for the Security of Information Systems (Agence nationale de la sécurité des systèmes d’information, “ANSSI”), with the assistance of the European Union Agency for Network and Information Security (“ENISA”). France has already consulted several bodies on the national strategy, and a strategy report, the “French National Digital Security Strategy”, was released on 16 October 2015, ahead of the NIS Directive; it sets out measures to strengthen cybersecurity capabilities.
The NIS Directive also provides that Member States must designate Computer Security Incident Response Teams (CSIRTs) responsible for handling incidents and risks. At a national level, this role is already performed by the CERT (« Centre gouvernemental de veille, d’alerte et de réponse aux attaques informatiques »), which will also become the point of contact for France under the NIS Directive. In addition, a network of CSIRTs will be established; its role will be to exchange information, to provide support to Member States in the event of incidents, and to develop swift operational cooperation.
Increased cooperation at EU-Level
The NIS Directive provides for the establishment of a Cooperation Group in order to support and facilitate cooperation and the exchange of information among Member States. This Cooperation Group will be composed of representatives of the Member States, the EU Commission, and ENISA.
Security Risk Management and Incident Reporting Obligations for “Operators of Essential Services” and “Digital Service Providers”
The NIS Directive sets out certain obligations for two groups of entities, “operators of essential services” and “digital service providers.” These entities must adopt appropriate measures to manage security risks and report serious incidents to the national competent authorities.
The Directive defines “operators of essential services” as operators that: (i) provide a service that is essential for the maintenance of critical societal and/or economic activities; and (ii) depend on network and information systems for the provision of that service, such that an incident would have significant disruptive effects on the provision of that service. The business sectors concerned are the energy, transport, banking, financial market infrastructure, health, water, and digital infrastructure sectors.
“Digital service providers” are defined as those that provide an online marketplace, an online search engine, or cloud computing services. Micro and small enterprises are excluded from the scope of the NIS Directive.
Measures already adopted in France
France is one of the first countries to have taken legislative measures to reinforce its cybersecurity in the field of sensitive infrastructure. Cybersecurity provisions have already been taken into account, more particularly in the law of 18 December 2013 on Military Programming, which defines “operators of vital importance” in terms close to the definition of “operators of essential services” under the NIS Directive. France has identified twelve sectors of vital importance, whereas the NIS Directive has only identified six.
The Law for Military Programming provides that operators of vital importance should comply with specific security measures and requires them to notify incidents to the relevant governmental authority, namely the ANSSI.
Several orders for the implementation of the law on Military Programming have been adopted for each different business sector. On 1 July 2016, orders concerning health products, management of water systems, and food came into force. On 1 October 2016, the order relating to electricity, petrol, and gas supply, as well as land, maritime and air transport came into force. Finally on 1 January 2017, the order relating to audio-visual, electronic communication and internet, and industry and finance came into force.
As far as the maritime sector is concerned, the order that came into force on 1 October 2016 provides that each operator must implement a policy on the security of its information systems. In particular, the policy should set out the structure of governance within the organisation and the roles and responsibilities of staff and external providers in relation to security, provide for security audit procedures, and define compliance and approval procedures. Organisations must also be able to provide the ANSSI with a topography of their information system.
The implementation of the NIS Directive will complete the cybersecurity legislation already in force in France, and operators of vital importance who are already subject to the Law on Military Programming will generally be in compliance with the NIS Directive. However, this law does not cover digital service providers, who will have to take steps to be compliant when the implementation is carried out.
Although cybersecurity has become a national priority in France and legislative measures have been taken to minimise risks, operators still have to be prepared and well aware of the risks. Preventive measures include, inter alia, due diligence of all business agreements (e.g. sales agreements), identifying risks with suppliers, reconsidering liability and warranty provisions, and reviewing or subscribing to insurance policies to cover cybersecurity risks in the event of incidents. The ANSSI also coordinates various programmes designed to raise businesses’ awareness of cyber risks, more particularly among SMEs that are not directly affected by the NIS Directive or the Law on Military Programming. The ANSSI also publishes guidelines for different business sectors and areas where cyber risks may arise. To that effect, a guideline for shipping companies was published in October 2016, setting out basic rules to adopt on board ships to minimise cyber risks.