The NIS directive is the first initiative of EU-wide legislation on cybersecurity. Its goal is to ensure a high and common level of security for European information systems and networks. To achieve this objective the directive focuses on four key points:

• Consolidating the member states’ national cybersecurity capabilities
• Creating a political and organizational cooperation framework on cybersecurity across the EU,
• Ensuring the cybersecurity of operators of essential services (OES). OES are private or public entities providing essential services for the maintenance of economic and societal activities. The provision of these services depends on network and information systems.
• Ensuring the cybersecurity of digital service providers (DSP). DSPs are defined as “any service normally provided for remuneration, at a distance by electronic means and at the individual request of a recipient of services”[1]. Three types of services are mentioned in the NIS Directive: Cloud computing services, online marketplace and online search engines.

On the one hand, the security of operators of essential services is a sovereign prerogative of states while onn the other hand, the role of the EU is to ensure the proper functioning of the European market. In order to reconcile these two objectives, the NIS directive clearly states that: “This Directive should be without prejudice to the possibility for each Member State to take the necessary measures to ensure the protection of the essential interests of its security, to safeguard public policy and public security, and to allow for the investigation, detection and prosecution of criminal offences.”[2]. Each country can therefore adapt the legislative text to fit its priorities and strategic objectives as well as to guarantee its security and that of its networks and information systems. The NIS directive, however, sets common requirements in terms of; transposition of the directive into national legislation, of sectors concerned, of risk identification, of supervision, of implementation of technical and organisational measures, of cyber incident notification, and of sanctions in case of non-compliance.

This analysis brings together elements on the transposition of the NIS directive in each of the 27 member states of the European Union, as well as in the United-Kingdom and Switzerland. It highlights the various approaches and underlines the similarities and differences between countries, especially in the context of the upcoming evolution of the legislative text. Indeed, a proposal to revise the NIS directive has been adopted by the European Commission in December 2020 and aims at replacing the original text.

An achieved transposition for certain themes…

Different types and numbers of legislative texts to transpose the NIS

The transposition of the NIS occurred in all the national legislations of EU member states. However, there is heterogeneity in the type of legislative text adopted. In most countries, the transposition takes the form of a law (twenty-two countries), to which thirteen countries have added at least on other legislative text (ordinance, decree, regulation, amendment or ministerial decision). In two countries, the transposition took place in each sectoral law which increases the number of legislative texts (four texts or more).

A general implementation of cyber incident notification processes

All countries managed to implement cyber incident notification processes. Once again, there are various approaches depending on the country.

There are six different procedures for transmitting alerts during a cyber incident:

• In the first case (nine countries), the operator of essential services must first notify the competent national authority of the occurrence of a cyber incident,
• A second process (ten countries) exists in which the first point of contact is the CSIRT, the Computer Security Incident Response Team, also called CERT (Computer Emergency Response Team),
• In a lower number of cases (three countries), the OES must notify the competent sectoral authority,
• The notification of cyber incident is carried out via a secure platform in four countries.
• Even less frequently (two countries), the single point of contact (SPOC) has to be alerted.
• Finally, for one country (Hungary), the OES alerts an event management centre.

In addition, all member states must notify the point of contact of a member state, if it is also affected by the cyber incident, and must inform the public when necessary.

To comply with the constraints imposed by the NIS, certain states have even gone further

The NIS directive initially applies to the following sectors: transport, energy, health, drinking water, banking, finance, and digital. In the transposition, more than half of the analysed countries added other essential sectors and sub-sectors in addition to the seven previously mentioned. They are listed below, sorted by frequency of occurrence :

• Austria, Croatia, Cyprus, Lithuania, Malta, Slovakia, Spain and Switzerland also mention public administration,
• Cyprus, Estonia, Germany, Lithuania, the Netherlands, Slovakia, Spain and Switzerland add information and communication technologies and IT.
• Estonia, France, Germany, Hungary, Lithuania, Slovenia, Spain, Switzerland add
• The Czech Republic, Lithuania, the Netherlands, Spain complete the list with industry.
• Estonia, Germany and Switzerland also mention heating and housing.
• Lithuania and Slovakia subjoin defence, Switzerland national security.
• Lithuania and Slovenia add the protection of the environment.
• France is the only one to add education.
• Spain is the only one to mention space and research centres.

… However, the variation needs to be finalized on other themes.

Strong disparities on state supervision

Several categories and different levels of control are exercised by authorities to certify compliance with the NIS. The strong disparities concern in particular the authorities ensuring the control (national or sectoral authority) as well as the expected level of control (supervision, inspection, audit, evaluation…): there is no consensus around the process to adopt. Moreover, six countries do not provide any information on the type of supervision implemented.

Heterogeneous level and diffusion of security measures

Except for six countries for which no information has been given on the type of security measures implemented, there are two main approaches:

• The security measures are directly mentioned in the body of the legislative text(s) transposing the NIS (eleven countries),
• They are enumerated in; a guide, a list of recommendations, an online publication and established by different entities (government, regulation, decree…) in twelve countries.

For the measures included in the body of the legislative text(s), there are similarities on their organisation:

• The international norm ISO27001 and the cybersecurity framework NIST are used as models to establish the security measures in respectively four and two countries.
• The same six categories (security of systems and installations, handling of incidents, business continuity management…) are used in four countries.

Different amount and format of penalties

The financial penalty for not complying with the directive varies in the different countries and can range from less than a 100k€ to 20M€ maximum (except for Finland which has not implemented any sanctions). Most countries have chosen to apply a fine of less than 200k€ (eighteen countries) whereas four countries have decided that the maximum should be beyond 1M€. It should also be noted that the sanctions are likely to accumulate in the event of multiple non-conformities, which does not make the overall maximum amount of a sanction a certainty.

Imprisonment sentences have been implemented in two countries (Belgium and Cyprus).

Finally, four countries have not yet communicated the penalties in case of non-compliance.

Conclusion

The goal of the NIS directive was to address the unequal levels of security of networks and information systems within the European Union. To achieve it, it has now been transposed in all the member states. This has led to the creation of a common security framework while also leaving the possibility for states to ensure their security and the protection of their essential and strategic interests. Indeed, each country designates its operators of essential services and chooses the sectors it deems the most strategic to protect. In addition, the transposition of the directive as well as the supervision and cyber incident notification processes are carried out by the authority deemed competent. This is non dependantwhether national or sectoral, whether it is the CSIRT or the single point of contact. This flexibility makes it possible for the NIS to adapt to the organisation of all member states. There are visible similarities creating groupings between the countries, as well as major dissimilarities. These leave room for many variations and make the comparison relevant and rich.

A proposal to revise the NIS directive  was adopted in December 2020, but its provisional calendar has not yet been communicated. However, its main objectives has  been listed and includes reaching a higher level of cybersecurity and more homogeneous processes within the EU, while further increasing the cooperation between member states. The revision of the NIS directive revolves around;

• the abandonment of the distinction between OES and DSPs
• the designation of OES by the Directive and not the states
• the creation of a new European network for major cyber incidents
• imposition of CSIRTs supportive of entities,
• the control by the states of the technical and organisational measures implemented (for risk analysis and crisis management).

These changes will be detailed further in a new article.

Sources :

Directive Network and Information System – Article ANSSI Link: Link to the article on NIS Directive

Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union Link : Link to the NIS Directive

On Digital Service Providers (DSPs) – ANSSI Article – May 23rd 2018 Link : Link to the article on DSPs

On Operators of Essential Services (OES) – ANSSI Article Link : Link to the article on OES

Proposal for a DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on measures for a high common level of cybersecurity across the Union, repealing Directive (EU) 2016/1148 Link: Link to the proposal of the revised NIS Directive

[1] Directive (EU) 2015/1535 of the European Parliament and of the Council of 9 September 2015.

[2] Directive (UE) 2016/1148 of the European Parliament and of the Council of 6 July 2016.

Cet article While preparing the NIS 2, update of the European overview of NIS transposition by the Member States…toward convergence ? est apparu en premier sur RiskInsight.

The NIS directive: a major piece of legislation

At a national level, the directive requires the establishment of a cybersecurity strategy and the establishment of a CSIRT, along with an authority figure to oversee these matters. For companies, it introduces two new areas of responsibility for two different types of players:

• Operators of Essential Services must implement technical and organizational measures to manage network and information system security risks
• Digital Service Providers are required to notify the appropriate authority of security incidents

The need for a robust and standardized approach

The NIS Directive is the security counterpart to the European Digital Single Market strategy, which was launched in 2015 and aims to turn digital systems into an engine of growth. Business and consumer trust is essential to this project: because without trust, there will be no growth!

European countries are becoming increasingly dependent on digital and information systems while their networks are becoming ever-more interconnected. This interconnectivity is both a strength and a weakness because an information system’s level of security is only as good as its weakest link.

However, there are marked differences when it comes to Member States because to date, cybersecurity issues have been handled at national level.

It is this inherent systemic risk that Europe is seeking to remedy with the NIS Directive, which is the first piece of European legislation to govern cybersecurity practices in a cross-sectoral manner.

The NIS Directive  differs from regulations designed to deal with specific issues, such as the GDPR. Though often associated with the NIS Directive, the GDPR does not have the same objectives –  its scope is solely about the protection of personal data. Conversely, the directive aims to ensure a base level of cybersecurity through the implementation of security standards and a requirement to give notice when incidents occur (whether they are personal-data related or not). Having said that, a cyber-attack often involves both areas, and it doesn’t make sense to not(?) consider the two pieces of legislation when thinking about compliance.

A transposition process already in motion

As the text is a directive and not a regulation, each Member State has to transpose the directive’s provisions into its own national legislative framework.

Many countries have already announced their first steps:

• The UK has confirmed that it plans to transpose the text, despite Brexit; the levels of penalties provided for in the text, which are particularly heavy, have recently been announced;
• Poland has announced the opening of a new national center dedicated to cybersecurity (NC Cyber);
• Belgium has set out six flagship measures to strengthen cybersecurity: a reaction to WannaCry, a global cyber-attack that paralyzed many businesses in recent months;
• The Czech Republic (Czehia) has amended its cybersecurity laws to take account of more critical sectors and comply with the directive’s requirements;
• Italy has revised its National Plan for Cyber Protection and Digital Security to align with the directive’s provisions;
• Croatia has set up a working group to determine how the directive will be transposed;
• Sweden has already revealed some of the details of its transposition, such as the levels of penalties and the bodies responsible for implementation.

In several respects, the text is very “non-directive” –  setting out objectives but not specifying how they should be achieved. It will be up to each country to work out its own interpretation and draw up the concrete measures that will meet the objectives.

The challenge, therefore, is to reduce the degree of difference between European countries, while standardizing the levels of cybersecurity to a greater extent by avoiding large differences so that players operating in several countries don’t face undue complexity..

To achieve this goal, collaboration is taking place at the EU level:

• A review of the remit of ENISA (the European agency in charge of network and information security) is being considered with the aim of, among other things, giving it the powers needed to carry out directive-related activities.
• A Cooperation Group made up of national representatives, ENISA, and the European Commission, will provide strategic direction;
• A network of CSIRTs will also be active and able to ensure that good practice is communicated and exchanged, as well as supporting Member States on directive-related matters.

How should you prepare for the directive coming into effect ?

Or, more specifically, how can you prepare for this new legislation now and what plan of action will you need to have in place? In practice, that depends on the type of entity in view (an OES or DSP).

For Digital Service Providers (DSPs), a standardized approach is needed: Member States cannot impose additional security or notification requirements and, therefore, for this type of player the directive is closer to an EU regulation. This particular treatment, compared with OESs, arises from the cross-border nature of their activities and the fact that many are foreign companies without bases in Europe.  DSPs will have to appoint an entity which is based in a member state to be their official representative on NIS-related issues (as required by Article 18 of the directive). Thus, it is essential that each Member State has the same requirements, ensuring that future decisions to  enter an EU country are not influenced by uneven interpretation of these criteria.

The obligations for DSPs are somewhat less onerous. For example, they are obliged to notify regulator about an incident only in cases where they have access to the information needed to assess its impact against the criteria defined in the directive (Article 16).

It is already time for DSPs to begin the process of compliance since the implementing acts were published In August of 2016.

For the Operators of Essential Services (OESs) in France, there are two main scenarios.

First, let’s consider the operators already identified as VIOs—Vitally Important Operators—under the French Military Programming Act. For them, the issue of compliance is less significant given that the Act already introduces numerous obligations. The directive probably will not impose more onerous requirements. Some elements such as reporting may be adapted, but there are no major changes in sight.

However, the scope of the directive is likely to be wider than that of the Act, and some operators within the critical sectors defined by each state under the directive will need to begin complying. Member States have until November 2018 to designate operators as “OESs” based on the criteria defined in the text. This list will then be reviewed by the European Commission in May 2019.

Those involved will then have to ensure that they monitor legislation in order to follow developments in the transposition process, which is important because Member States have the power to impose measures that go beyond the common, base-level requirements set out in the directive.

Much of the development of the directive’s provisions must now be carried out by Member States: the specification of the security measures to be put in place, the definition of notification procedures, the penalties to be applied—not to mention the designation of critical sectors and OESs in each country.

The upshot of all this is a genuine renewal of the European cybersecurity legislative landscape, with the primary aim of increasing standardization of IS security levels between Member States—a process that will prove interesting to follow.

Cet article The EU NIS directive: what are the issues and how can you prepare for it? est apparu en premier sur RiskInsight.

Une 4^ème Directive Européenne plus ambitieuse

Depuis février 2013, une nouvelle directive est en effet en cours de rédaction. Ce processus a abouti avec l’adoption de la 4^ème directive par le parlement européen le 20 mai 2015.

Elle répond à un double objectif :

• Adapter, d’une part le cadre juridique aux nouveaux risques de blanchiment et de financement du terrorisme.
• Mettre à jour, d’autre part la législation européenne en intégrant les recommandations du GAFI de février 2012.

Autant d’éléments indispensables entrant dans une dynamique plus importante de transparence et de fluidité dans la lutte anti-blanchiment.

8 avancées permises par la nouvelle directive

1 – Des mesures de vigilance plus strictes

La 4^ème Directive met en place des mesures de vigilance minimales y compris en cas de risque faible, notamment en renforçant les contrôles sur la monnaie électronique anonyme. De plus, afin d’harmoniser l’analyse par les risques entre les Etats membres, des situations présentant un risque faible ou plus élevé sont listées en annexe.

2 – Une transparence accrue de l’information sur les bénéficiaires effectifs

La 4^ème Directive introduit un nouvel « outil » dans le paysage de la LAB/FT, en mettant en place des registres centralisés sur les bénéficiaires effectifs des personnes morales largement ouverts aux autorités de contrôle, organismes assujettis et au public. A noter toutefois que les mesures visant les trusts sont moins contraignantes que pour les autres personnes morales.  Grâce à cette mesure qui accroît la transparence de l’information sur les bénéficiaires effectifs, les établissements devraient être plus à même de remplir leurs obligations de vigilance.

3 – Une liste européenne des juridictions non coopératives

L’Union Européenne publiera une liste noire des juridictions non coopératives regroupant les pays dont la législation est défaillante en matière de LAB/FT(Lutte anti-blanchiment/Financement du terrorisme). Cette liste prendra en compte les listes existantes dont celles du GAFI (Le Groupe d’action financière).

4 – Distinction des PPE nationales et étrangères

La notion de PPE (Personne Politiquement Exposée) est affinée et distingue PPE nationales et étrangères. Une PPE nationale est une personne physique qui est ou a été chargée de fonctions publiques importantes par un État membre. Alors qu’une personne physique qui est ou a été chargée de fonctions publiques importantes par un pays tiers répond désormais à la définition de PPE étrangère.

5 – Modification des prérogatives des Cellules de Renseignement Financiers (CRF)

L’indépendance opérationnelle et l’autonomie des CRF sont renforcées.

6 – Renforcement du contrôle interne et des procédures LAB/FT à l’échelle groupe

Les exigences en matière de contrôle interne ainsi que les procédures LAB/FT  sont précisées et renforcées si la taille et la nature de l’activité le justifient :

• Obligation de mettre en œuvre des procédures de LAB/FT à l’échelle du groupe.
• Nomination d’un responsable du contrôle du respect des obligations LAB/FT.
• Mise en place d’une fonction d’audit interne indépendante.

7 – Durcissement des sanctions

La 4^ème Directive prévoit une harmonisation minimale des sanctions applicables. De plus, elle introduit des plafonds de sanctions en distinguant les personnes physiques et les personnes morales de sorte que des sanctions pécuniaires puissent désormais être infligées aux personnes physiques.

8 – Révision du règlement (CE) n° 1781/2006

Le Règlement sur les informations accompagnant les virements de fonds dont la mise en application est simultanée avec la 4^ème Directive a pour objectif de réformer le règlement actuel (CE) 1781/2006, de prendre en compte la recommandation n°16 du GAFI et enfin de renforcer les informations accompagnant les transferts de fonds en introduisant de nouvelles obligations relatives au bénéficiaire.

Une 4^ème Directive pourtant déjà remise en question

Avant même son adoption, la nouvelle Directive suscite déjà des critiques. Tout d’abord, la notion de PPE est limitée aux seules fonctions nationales et internationales. Les décideurs régionaux et locaux qui pourtant présentent les plus grands risques de corruption ne seraient donc pas considérés comme des PPE.

Par ailleurs, sa mise en œuvre au sein des établissements financiers français devrait avoir peu d’impacts en France. En effet, l’Ordonnance de 2009 a été amendée par des modifications du code monétaire et des lignes directrices de l’ACPR (Autorité de contrôle prudentiel et de résolution) afin d’anticiper les futures évolutions de la réglementation européenne et celles des recommandations du GAFI.

Cependant, dans le souci d’harmoniser les règlementations des Etats membres, l’affirmation des mesures de cette nouvelle Directive LAB/FT  est indispensable. Dans cette lutte contre le blanchiment et le financement du terrorisme, l’amélioration ne peut se faire que pas à pas. Et en ce sens, la 4ème directive apporte déjà une avancée qu’il serait dommage de remettre fondamentalement en cause.

Cet article Lutte anti-blanchiment & financement du terrorisme : ce que va changer la 4ème Directive Européenne est apparu en premier sur RiskInsight.