ENISA Guidance: Incident Reporting for Digital Service Providers under Cyber Security Directive and the interplay with GDPR

The new report referenced in the article above, follows comprehensive guidelines (the "Guidelines") published by ENISA in February 2017 for Member States and the European Commission on how to implement incident notification for "digital service providers" ("DSPs") across the EU, in the context of the Cyber Security Directive.

DSPs: The Cyber Security Directive sets out obligations in respect of "operators of essential services" and DSPs, with a slightly "lighter touch" approach applying to the latter. DSPs are limited to three types of services:

• online marketplaces - which allow consumers and traders to conclude online sales or service contracts with traders and are the final entity where the contract is concluded. The term excludes both online "intermediaries" to third party services through which a contract can be concluded, as well as online price comparison services of different traders that redirect the user to the preferred trader to purchase the product;
• online search engines - excluding search functions that are limited just to the content of a specific website; or
• cloud computing service providers - spanning a wide range of activities that can be delivered according to different models.

In each case, the service must also normally be provided "for remuneration, at a distance, by electronic means and at the individual request of a recipient of services". The Guidelines provide further colour around each of these three categories.

Key DSP obligations: In particular the Cyber Security Directive requires DSPs to:

• adopt risk management practices (including technical and organisational security measures); and
• notify the appropriate national authority "without undue delay" of any incident having a "substantial impact" on the provision of a service that they offer within the EU. The directive goes on to set out parameters to consider when determining the impact of an incident, including the number of users affected (particularly users relying on the service for provision of their own service), duration, geographical spread of the area affected, extent of the disruption and the extent of the impact on economic and societal activities. The duty to notify only applies where the DSP has access to the information required to assess the impact of an incident against these parameters.

Mandatory notification examples: The Guidelines summarise the types of incident requiring notification within the context of the Cyber Security Directive as "any incident affecting the availability, authenticity, integrity or confidentiality of data stored, transmitted or processed by a DSP through network and information systems, which has a substantial impact on the provision of the digital service offered". It goes on to provide examples of where notification is required under the Cyber Security Directive e.g. if an event has an adverse effect on the security of network and information systems such that the service becomes unavailable to customers and the impact meets or exceeds the critical threshold referenced above.

Interplay with GDPR: The Guidelines also acknowledge examples where there is a potential overlap with notification requirements under other regulatory regimes e.g. under the new EU General Data Protection Regulation ("GDPR") where an incident affects "confidentiality". It is possible to draw a "theoretical line" between the GDPR (which relates to the privacy of personal data) and the Cyber Security Directive (which covers the confidentiality of the service offered and the underlying data - whether this comprises personal data or not). However, in practice, DSPs will need to consider whether an incident affects the confidentiality of personal data and/or that of the service offered, to determine whether to report the same incident to one or more appropriate authorities. DSPs therefore ought to review both regimes when considering their internal compliance programmes.

Member States have until 9 May 2018 to adopt appropriate national legislation to comply with the Cyber Security Directive and the national legislation will apply from 10 May 2018. The Guidelines follow related ENISA guidance published earlier in the year on the implementation of minimum security measures for DSPs under the directive. Both sets of guidance will provide a welcome initial insight for Member States implementing the directive as well as organisations falling within its remit.

Click here to view the ENISA Guidance.