The EU Agency for Network and Information Security (ENISA) warned of the potential overlap between incident reporting obligations in the Network and Information Security (NIS) Directive and the data breach notification rules in the General Data Protection Regulation (GDPR) in new guidance it has issued.
ENISA confirmed that DSPs could have to report the same data breach incidents to different authorities under the NIS and GDPR regimes, but also explained that some data breaches will not be subject to notification by DSPs under the NIS Directive.
The NIS Directive sets out measures designed to ensure critical IT systems in critical sectors of the economy like banking, energy, health and transport are secure. It will apply to operators of such "essential services" and to "digital service providers" (DSPs). DSPs are defined as being online marketplaces, online search engines or cloud computing service providers that normally provide their service "for remuneration, at a distance, by electronic means and at the individual request of a recipient of services".
The Directive, which must be implemented into national law across the EU by 9 May 2018, sets out security requirements and incident notification rules for DSPs which are different from those that apply to operators of essential services. According to the ENISA guidance on incident notification obligations facing DSPs under the NIS Directive (NISD), the Directive's requirements can be summarised as requiring "any incident affecting the availability, authenticity, integrity or confidentiality of data stored, transmitted or processed by a [DSP] through network and information systems, which has a substantial impact on the provision of the digital service offered" to be reported.
However, it said some data breach incidents would not need to be disclosed to authorities under the NIS regime.
"Although we can probably draw a theoretical line between incidents falling under GDPR and the ones under NISD, the situation might differ in practice," ENISA said. "DSPs might have to report the same incident to both authorities responsible. In theory, GDPR covers the privacy of personal data and the NISD covers the confidentiality of the service offered and the underlying data (which in most cases is personal data)."
"A common pattern for incidents affecting confidentiality under the NISD could be the following: a cloud service provider suffers sudden breaches of the confidentiality of their customer’s data (not necessarily personal data) either during transit or at rest ('man in the middle' type attacks). In this case, continuation of provision of the service could seriously damage the confidentiality of customer data (e.g. product technical specifications, commercial secrets, business plans, commercial contracts etc.) leading to serious impact on their business. Thus, when the confidentiality of services delivered cannot be guaranteed and the critical threshold has been reached, the incident should be reported," it said.
"On the other hand, incidents that can be classified as simple data breaches, but where the proper provision of the service is not affected by the breach, should not be reported under the NISD," ENISA said. Other incidents affecting availability, integrity and the security of online identification authentication could, though, have to be reported by DSPs under the NIS regime, it said.
Cybersecurity expert Dr Kuan Hon of Pinsent Masons, the law firm behind Out-Law.com, said that the ENISA guidance seems to reflect the different thresholds that apply for notification under the NISD and GDPR.
Hon said if a data breach affects the confidentiality of the personal data breached, but not of the provider's service more broadly, it would need to be reported to the GDPR supervisory authority unless it was "unlikely" to result in a risk to the relevant data subjects. That breach could also be reportable under the NIS regime, but not always, as ENISA stated, so DSPs will need to take steps to ensure they are in a position to comply with both regimes, she said.
Under the NIS Directive, DSPs have obligations to ensure the security of their network and information systems and minimise the impact of incidents affecting that security. They are subject to lighter-touch reactive requirements, in contrast to operators of essential services, and cannot be subjected by member states to more onerous requirements than those under the Directive, except for reasons of national security or law and order.
Under the Directive, DSPs will be required to notify the relevant authority, without undue delay, of incidents that have a "substantial" impact on the provision of a service they offer in the EU. To determine whether the impact of an incident is substantial or not, digital service providers will need to assess a range of criteria.
Relevant factors include the number of users affected by the incident, in particular users relying on the service for the provision of their own services; the duration of the incident; the geographical spread with regard to the area affected by the incident; the extent of the disruption of the functioning of the service; and the extent of the impact on economic and societal activities.
The duty to notify incidents will only apply to DSPs if they have "access to the information needed to assess the impact of an incident against the parameters referred to".
ENISA has tried to provide some perspective and more granular recommendations on how the Directive's requirements should be interpreted with its new guidance, which it was empowered to produce under the terms of the Directive.
Within its guidance, ENISA addressed the issue of which cloud providers will be considered to be DSPs and subject to the security and incident notification rules.
Cloud providers will be subject to the rules regardless of whether they are providers of infrastructure, platform or software services, or IaaS, PaaS and SaaS providers as they are otherwise known, it said. However, it considered that the rules are aimed predominantly at public cloud providers. Hybrid and community cloud providers could also be subject to the security and incident notification requirements, ENISA said.
ENISA last month also published technical guidelines for the implementation of minimum security measures for DSPs under the NIS Directive.
It said its guidelines are aimed at establishing a "common approach" on security issues for DSPs by defining "common baseline security objectives", outlining "different levels of sophistication of security measures" to help DSPs meet their security objectives, and aligning security objectives against "well-known industry standards, national frameworks and certification schemes".
Further detail on security requirements and incident notification for both DSPs and operators of essential services must be outlined by the European Commission in implementing acts before 9 August 2017.
ENISA said: "Based on valuable input from member states and companies directly impacted by the Directive, this guideline arises from their good practices in matters such as identifying types of incidents, parameters and thresholds and results in an outline technical proposal that can tentatively be applied across EU. At the same time, this guideline serves as a technical input to the foregoing process of adopting the implementing act that will further specify details regarding the incident notification provisions of the NISD."
Hon said that ENISA had acknowledged the views of stakeholders by reflecting the fact that different DSPs play different roles and that the services they provide differ in relation to their level of criticality. She highlighted an ENISA example which said that "lack of availability for a search engine may not pose a significant risk, whereas for a different DSP, this may be more critical".
Hon said: "It is very positive that ENISA has taken such a nuanced approach. ENISA said that 'some security objectives may be prioritised over others and thus the sophistication levels may also differ', and its recommendations indicate areas where online marketplaces and search engines may have fewer security objectives than cloud providers."
"It is helpful that ENISA has mapped its recommended security objectives for DSPs against those under common security standards such as ISO27001, COBIT 5 and, for cloud providers, the Cloud Security Alliance's CCM (Cloud Controls Matrix), and interesting that only two industry standards/schemes, the CCS CSC (CIS Critical Security Controls for Effective Cyber Defence, Version 6.1) and OCF (the CSA's STAR program & Open Certification Framework), meet all of ENISA's recommended security objectives," she said.