Belgium – The NIS Directive turns one: time for implementation (Linklaters)

In July 2016, the EU adopted the Network and Information Systems Directive (“NIS Directive”). This minimum harmonisation directive establishes common security and co-operation rules for all EU Member States. We consider its implementation under Belgian law.

Scope

The NIS Directive was adopted due to increased awareness about the crucial role networks and information systems play both for the economic and social activities of Member States and for the functioning of the internal market. It is targeted at companies from two sectors:

• operators of essential services. These are operators in the energy, transport, banking, financial market infrastructures, health, drinking water supply and digital infrastructures sectors; and
• digital services providers. These are providers of online marketplaces, online search engines and cloud computing services.

Each Member State will have to determine which operators of essential services will the subject to the NIS Directive. The following criteria will be used to make this determination:  (i) the essential character of their services for the maintenance of critical social and/or economic activities; (ii) the fact that provision of that service depends on network and information systems; and (iii) the disruptive effects that an incident would have on the provision of that service.

By contrast, all digital services providers that are “considered to offer digital services on which many businesses in the Union increasingly rely” will automatically be caught by the NIS Directive. Given that these providers generally operate on a pan-EU basis, the legislator presumably considered there was little point in Member States conducting their own national assessment of whether they should be subject to the NIS Directive.

Leading principles

The obligations imposed by the NIS Directive can be grouped into three key principles.

First, Member States must adopt a national strategy which aims at defining “the strategic objectives and appropriate policy and regulatory measures with a view to achieving and maintaining a high level of security of network and information systems”. This strategy must include, among others, an inventory of the measures relating to preparedness, response and recovery. While the strategy will have to be communicated to the European Commission, EU Member States can exclude matters relating to national security. Each Member State will also have to designate the national authority competent in this field and one or more computer security incident response teams (CSIRTs).

Secondly, the NIS Directive encourages co-operation between Member States. This will be facilitated by the designation in each Member State of a single point of contact, as well as by the creation of a co-operation group and of a network of CSIRTs at an EU-level.

Thirdly, Member States must ensure that operators of essential services and digital service providers that are subject to the NIS Directive:

• adopt appropriate and proportionate technical and organisational measures to manage risks and prevent incidents (preventive part); and
• notify the incidents having a significant impact on the continuity of the essential or digital services they provide (responsive part). Member States must also grant the competent authorities the necessary means to impose on the relevant companies the communication of the required information and the correction of any failure.

Transposition in Belgium

Member States must implement the NIS Directive by May 2018. In Belgium, the legislator will have the task of co-ordinating these new obligations with a range of existing legislation, such as the Law of 1 July 2011 on the security and protection of critical infrastructures. This law indeed already establishes a national point of contact competent for the protection of critical infrastructure, the national analysis of threats targeting this critical infrastructure, as well as the obligation for each operator of a critical infrastructure to establish a security plan.

Moreover, for certain operators already subject to an obligation to notify incidents, it will have to be assessed how the various existing obligations to notify security breaches can be combined with the new notification obligations under the NIS Directive (e.g. in terms of time frame, authorities to which the notification must be made and form of the notification).

Entities operating in the sectors covered by the NIS Directive should closely monitor the national implementation of the NIS Directive under Belgian law and, as the case may be, try to ensure that the new requirements can be combined in the best possible way with the existing rules, reducing to the maximum extent the additional administrative burden.

In July 2016, the EU adopted the Network and Information Systems Directive (“NIS Directive”). This minimum harmonisation directive establishes common security and co-operation rules for all EU Member States. We consider its implementation under Belgian law.

Scope

The NIS Directive was adopted due to increased awareness about the crucial role networks and information systems play both for the economic and social activities of Member States and for the functioning of the internal market. It is targeted at companies from two sectors:

• operators of essential services. These are operators in the energy, transport, banking, financial market infrastructures, health, drinking water supply and digital infrastructures sectors; and
• digital services providers. These are providers of online marketplaces, online search engines and cloud computing services.

Each Member State will have to determine which operators of essential services will the subject to the NIS Directive. The following criteria will be used to make this determination:  (i) the essential character of their services for the maintenance of critical social and/or economic activities; (ii) the fact that provision of that service depends on network and information systems; and (iii) the disruptive effects that an incident would have on the provision of that service.

By contrast, all digital services providers that are “considered to offer digital services on which many businesses in the Union increasingly rely” will automatically be caught by the NIS Directive. Given that these providers generally operate on a pan-EU basis, the legislator presumably considered there was little point in Member States conducting their own national assessment of whether they should be subject to the NIS Directive.

Leading principles

The obligations imposed by the NIS Directive can be grouped into three key principles.

First, Member States must adopt a national strategy which aims at defining “the strategic objectives and appropriate policy and regulatory measures with a view to achieving and maintaining a high level of security of network and information systems”. This strategy must include, among others, an inventory of the measures relating to preparedness, response and recovery. While the strategy will have to be communicated to the European Commission, EU Member States can exclude matters relating to national security. Each Member State will also have to designate the national authority competent in this field and one or more computer security incident response teams (CSIRTs).

Secondly, the NIS Directive encourages co-operation between Member States. This will be facilitated by the designation in each Member State of a single point of contact, as well as by the creation of a co-operation group and of a network of CSIRTs at an EU-level.

Thirdly, Member States must ensure that operators of essential services and digital service providers that are subject to the NIS Directive:

• adopt appropriate and proportionate technical and organisational measures to manage risks and prevent incidents (preventive part); and
• notify the incidents having a significant impact on the continuity of the essential or digital services they provide (responsive part). Member States must also grant the competent authorities the necessary means to impose on the relevant companies the communication of the required information and the correction of any failure.

Transposition in Belgium

Member States must implement the NIS Directive by May 2018. In Belgium, the legislator will have the task of co-ordinating these new obligations with a range of existing legislation, such as the Law of 1 July 2011 on the security and protection of critical infrastructures. This law indeed already establishes a national point of contact competent for the protection of critical infrastructure, the national analysis of threats targeting this critical infrastructure, as well as the obligation for each operator of a critical infrastructure to establish a security plan.

Moreover, for certain operators already subject to an obligation to notify incidents, it will have to be assessed how the various existing obligations to notify security breaches can be combined with the new notification obligations under the NIS Directive (e.g. in terms of time frame, authorities to which the notification must be made and form of the notification).

Entities operating in the sectors covered by the NIS Directive should closely monitor the national implementation of the NIS Directive under Belgian law and, as the case may be, try to ensure that the new requirements can be combined in the best possible way with the existing rules, reducing to the maximum extent the additional administrative burden.

Guillaume Couneson and Sophie Carton de Tournai