Service provider liability

EU proposal provides clarity on incoming requirements for digital service providers

The background

The Network and Information Security Directive was passed in 2016 and is due to be implemented into UK law by 9 May 2018.  It aims to increase the level of cybersecurity across the European Union.  As part of that strategy, digital service providers (DSPs) will be required to manage the risks posed to the security of their network and information systems, and to notify the authorities in the event that incidents have a “substantial impact” on the provision of their service.

The Directive provides for the imposition of “dissuasive” penalties on DSPs who fail to meet their obligations.

The development

In September 2017 the European Commission published proposals which clarify the Directive's impact on DSPs.

DSPs must take “appropriate”, systematic measures to ensure the security of their network and information systems, taking into account incident handling, business continuity management, monitoring, and compliance with international standards.  The proposals elaborate on how companies must take each of these elements into account, and provide a useful starting point for organisations who wish to start formulating compliant policies.

The proposals also lay down the criteria for determining if an incident is categorised as “substantial”.  An incident will be substantial if it results in any of the following:

• the service provided by the DSP is rendered unavailable for more than 5,000,000 user hours, being the total number of users affected for a period of sixty minutes

• a “loss of integrity, authenticity or confidentiality” of data affecting more than 100,000 users

• an effect on public safety

• material damage of over €1,000,000 for at least one user

• an effect on at least two Member States.

If an incident is categorised as substantial, DSPs must notify it to their competent authority.  If the DSP cannot show that it has effective security measures in place, a substantial incident is likely to trigger a fine or other penalty.  The nature of enforcement will be left up to Member States, and the UK has proposed incorporating the cybersecurity law into the same framework as the EU privacy law – which allows for fines of up to 4% of global revenue. 

Why is this important?

These proposals provide greater clarity on a law which may have far-reaching impacts for DSPs.  The underlying Directive creates an entirely new area of exposure for DSPs, which going forward will need to consider their relationship with the competent authority in addition to their customers.  It is useful to have more detail on what will constitute “appropriate” measures under the legislation.

DSPs with a greater user-base should take particular note.  A cyber incident at a large DSP, which may have millions of daily users, could easily trigger the proposed criteria to qualify as “substantial”.

Any practical tips?

Organisations should begin reviewing the measures they have in place to ensure the security of their network and information systems.  It is essential that procedures are fully compliant with the law from its implementation date onwards.  In the UK this will be on or before 9 May 2018. 

Although the proposals are still in draft, they are unlikely to see any significant revisions before being published.  Once the proposals are finalised, national legislation cannot impose more stringent requirements.  Creating processes which comply with the EU law will therefore at least comply with requirements of the UK law when it comes into force, and may even go beyond it.

The last thing any organisation needs after suffering a major cyber incident is the threat of regulatory action, and the bad publicity and potential fines which go with it.  Putting the right systems in place now will avoid these headaches, and make good commercial sense in any event.