Since 9 November 2018, the Network and Information Systems Security Act (in Dutch: “Wet beveiliging netwerk- en informatiesystemen”), also known as the Cyber Security Act, has been in force in the Netherlands. This Act is the Dutch implementation of the European Cyber Security Directive (EU Network and Information Security Directive 2016/1148). Each Member State is required to implement the directive in its own national law. The directive applies to operators of essential services and providers of digital services, and it may therefore apply to your organization. This article first explains who counts as an operator of essential services or a digital service provider, and then discusses the duty of care arising from the European Cyber Security Directive.
When are you an operator of essential services or a provider of digital services?
Operators of essential services include organizations in the energy, financial and transport sectors. Digital service providers, also known as “DSPs”, include for example cloud services, search engines and online marketplaces. However, not every party that offers a digital service is automatically covered by the European Cyber Security Directive. Social media platforms and web shops, for example, also offer digital services, but do not necessarily have to comply with the European Cyber Security Directive. The organization must have its head office or a representative in the Netherlands. In addition, the organization must employ more than 50 people, or have a balance sheet total or an annual turnover of more than 10 million euros. Small and micro-enterprises therefore do not fall within the scope of the European Cyber Security Directive.
The failure or disruption of operators of essential services or digital service providers can lead to major societal disruption. The European Cyber Security Directive therefore imposes a duty of care to take security measures.
The duty of care
The duty of care means that operators of essential services and digital service providers must take appropriate organizational and technical measures to manage security risks and to limit the consequences of incidents. The GDPR (art. 24) contains a similar obligation for the processing of personal data. The European Cyber Security Directive, however, focuses specifically on digital security and covers operators of essential services and digital service providers in the broad sense.
The European Cyber Security Directive elaborates five aspects that operators of essential services and digital service providers must take into account. This elaboration is based on art. 2 of Implementing Regulation (EU) 2019/151 and consists, in brief, of taking the following measures:
First, the network and information systems must be adequately secured. Second, organizations must be able to demonstrate that they have measures in place for handling incidents; this could include processes for reporting incidents and for identifying shortcomings and weaknesses in the systems. Third, measures must be in place to maintain or restore business continuity and services after an incident, including the establishment and use of contingency plans. Fourth, regular checks must be carried out to ensure that these measures work properly, which means they must be tested periodically. Finally, international standards must be taken into account in all of this.
All these measures aim to ensure that operators of essential services and digital service providers comply with the principle of the duty of care as set out in the European Cyber Security Directive: “taking appropriate measures to prevent incidents and, if incidents do occur, to limit the consequences thereof as much as possible”.
The duty of care in practice
The European Cyber Security Directive mainly indicates what needs to be done, but not how this duty of care should subsequently be implemented.
Operators of essential services and digital service providers must therefore work out the implementation of the duty of care and the measures themselves, while each Member State must have a supervisory body (in the Netherlands, the Telecom Agency) to supervise compliance and take enforcement action where needed. However, because the duty of care and the measures are not specified in any detail, organizations can be expected to have considerable uncertainty about what is required. This could result in a failure to fulfil their duty of care.
It is therefore advisable to seek legal advice in order to apply the duty of care arising from the European Cyber Security Directive as correctly as possible in practice. In doing so, it is important to strike a balance between complying with the duty of care, respecting the commercial interests of companies, and protecting the privacy of natural persons. Drawing up a security protocol with a concrete step-by-step plan or checklist could be one way of doing this. However, given the diversity of organizations that fall within the scope of the European Cyber Security Directive, such a protocol must be tailored to each organization.
What does this mean for the insurer?
The imposition of a specific duty of care on the one hand, combined with the absence of specific standards on the other, makes operators of essential services and digital service providers vulnerable not only to action by the regulator but also to (possible) claims.
This increases the risk for an insurer that insures operators of essential services and digital service providers. For insurance companies it is therefore advisable to take this into account in their underwriting processes for these operators and providers, for example by checking whether protocols and step-by-step plans for meeting the duty of care are in place within the organization. It is also advisable to oblige insured operators of essential services and digital service providers to inform the insurer of any changes within the organization that affect how this duty of care is fulfilled.