Implementation of the NIS Directive across EU member states
In the aviation sector, who is an OES?
This depends on the criteria set out in the implementing legislation in each member state.
Under the NIS Directive, a public or private aviation entity of a certain type, i.e. an air carrier, airport managing body or traffic management control operator, should be an OES if:
- they provide an essential service required to maintain critical societal and/or economic activities
- such service is dependent on network and information systems
- an incident would have a significant disruptive impact on that service.
In determining whether the disruption is likely to be judged ‘significant’ in the event of an incident, EU member states should take into account:
- the number of users relying on the service
- the dependency of other sectors on the service
- market share of the entity
- geographical spread
- the importance of the provision of that service.
The UK implemented the Network and Information Systems Regulations (UK NIS) on May 10, 2018.
Under the UK NIS, the following public-facing UK aviation entities will be OESs:
- an owner or manager of an aerodrome with annual terminal passenger numbers greater than 10 million
- an air traffic service provider which has been granted an en route air traffic licence by the Secretary of State or Civil Aviation Authority, or has annual terminal passenger numbers greater than 10 million
- an air carrier flying more than 30 per cent of annual terminal passengers at any UK airport which has more than 10 million terminal passengers a year or more than 1 million total annual terminal passengers across all UK airports.
Relevant authorities may judge a UK aviation entity to be an OES, even if it does not meet the above criteria, if an incident involving the entity could cause a significant disruptive effect. The test for a “significant disruptive effect” under the UK NIS is whether the incident impacts economic stability and societal well-being, the factors highlighted by European legislators when drafting the Directive.
The NIS Directive has been partially transposed into French national law by virtue of the French NIS Directive Implementation Act of February 27, 2018 and Decree No. 2018-384 of May 25, 2018 (French NIS).
As with the UK NIS, the French NIS identifies specific categories of services including air carriers, airport managers, air navigation services, aircraft maintenance companies and operators of passenger flow management systems.
However, compared to the UK NIS, the French NIS does not specify thresholds to determine whether an entity is an OES. Rather, it relies on a looser test which deems that a French aviation entity is an OES if it:
- provides at least one service mentioned in the regulations (which for air carriers, would include passenger transport, check-in, boarding and operations)
- has network and information systems that are necessary to provide that entity’s service
- could be subject to an incident affecting its network and information systems that causes “serious consequences” to the provision of the service, taking into account the factors mentioned in the NIS Directive.
The NIS Directive was implemented into German national law by virtue of the Implementation Act of June 29, 2017 (German NIS), which was an amendment to the Act on the Federal Office for Information Security of August 14, 2009.
Under the German NIS, the test of whether a German aviation entity will be an OES is simply whether the organisation, as a transport industry operator, provides services to more than 500,000 citizens per annum.
Under the NIS Directive, each member state is required to designate:
- one or more national authorities to oversee the enforcement of the directive on OESs at a national level
- a national single point of contact to liaise with other member states ensuring national and international consistency of the NIS Directive
- one or more computer security incident response teams (CSIRTs) to assist with risk mitigation and incident handling.
The designated national authorities are required to ensure that: each member state is enforcing the NIS Directive in accordance with its objectives; incident reporting is consistent; and general issues are raised, resolved and harmonised across jurisdictions.
The NIS Directive requires that in the event of certain significant incidents involving an OES, the OES will need to notify the national authority or CSIRT “without undue delay”. This has been interpreted in varying ways across different member states.
The authority or CSIRT is required to notify other member states if the incident impacts them and to inform the public if and when appropriate.
Some member states have taken a sector-specific approach, meaning that an OES in the aviation sector will report incidents to a body familiar with the risks and challenges of the sector. Conversely, some jurisdictions have opted for a sector-agnostic approach, with one authority having responsibility for all incidents regardless of sector.
Under the UK NIS, the designated authorities responsible for ensuring NIS Directive compliance are the Civil Aviation Authority (CAA) and Department for Transport (DfT), acting jointly. The National Cyber Security Centre is the single point of contact and is also the CSIRT.
In the event of an incident, an OES must first notify the CAA and DfT, which in turn are required to notify the National Cyber Security Centre acting as the CSIRT.
Notification to the CAA and DfT of any incident which has a significant impact on the continuity of the essential service which that OES provides must be made without undue delay and in any event no later than 72 hours after the operator is aware that a NIS incident has occurred.
Under the French NIS, a single authority, the National Agency for the Security of Information Systems (ANSSI), is both the single point of contact and the CSIRT. Sector-specific authorities have not been appointed.
The reporting timeframe is somewhat vaguer under the French NIS than under the UK NIS. The reporting of a security incident to the ANSSI is to be done “as soon as the OES becomes aware [of an incident]”.
Under the German NIS, the Federal Office for Information Security (FOIS) acts as the central authority for all roles relating to the NIS Directive.
Incident reporting requirements are more specific and risk averse than under the French and UK NIS, requiring immediate reporting to the FOIS of any incident affecting the functionality of a critical service.
What penalties can be imposed for non-compliance?
The NIS Directive states that national authorities have the ability to impose penalties in order to deter OESs from falling below the technical and organisational standards required. The NIS Directive requires penalties to be effective, proportionate and dissuasive. While this has been achieved in some member states, it is questionable whether this is the case in all.
Under the UK NIS, a range of penalty thresholds exist and, depending on the severity of the incident and its implications, a penalty of up to £17 million can be imposed.
Compared to the UK, the French NIS takes a more lenient approach in terms of the quantum of penalty that can be imposed, ranging from EUR100,000 to EUR125,000, and commentators have questioned whether the upper limit is sufficient to meet the requirement for penalties to be effective, proportionate and dissuasive. The French legislation does, however, introduce the potential for criminal liability to be imposed on directors.
Under the German NIS, fines can range from EUR50,000 to EUR100,000. Whether this achieves the stated aim of an effective, proportionate and dissuasive penalty regime is again questionable.