
Don’t tell them now (or at all) – responsible disclosure of security incidents under NIS Directive and GDPR

Pages 101–115 | Received 29 Sep 2020, Accepted 07 Jan 2021, Published online: 11 Feb 2021

ABSTRACT

In this article, we critically analyse, from a legal and technical perspective, the timeline for notifying third parties of security and privacy incidents under the NIS Directive and the GDPR. While the need to mitigate an immediate risk of damage to an individual calls for prompt notification of data subjects, there are scenarios which may justify a delay in communication, for instance where a service provider needs to analyse the ongoing attack in order to prevent further attacks and to assess the full impact. Further, we argue that the notification duties in the GDPR and the NIS Directive pursue different protection goals which may conflict in the context of a given incident. Since they are triggered by the same incident, they may also contain redundancies, which creates potential for synergies that the competent authorities should capitalise on.

Disclosure statement

No potential conflict of interest was reported by the author(s).

Notes

1 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ L 119, 04.05.2016, pp. 1–88.

2 Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union, OJ L 194, 19.07.2016, pp. 1–30.

3 OES must be identified as such on a national basis by Member States.

4 Providers of digital services have to determine for themselves whether they offer a service of a type listed in Annex III of the NIS Directive in order to fall within the scope of application of the Directive.

5 Art. 5(2) NIS Directive lists as criteria, inter alia, whether the entity provides a service which is essential for the maintenance of critical societal and/or economic activities, and whether an incident would have significant disruptive effects on the provision of that service. These criteria resemble the definition of “critical infrastructure” in Art. 2(1) ECI Directive (Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection, OJ L 345, 23.12.2008, pp. 75–82), with the difference that only entities depending on network and information systems may qualify as OES and thus fall within the scope of the NIS Directive.

6 The NIS Directive provides great flexibility to implement either a centralised or a decentralised approach for the designation of competences at national level: a slight majority of Member States opted to designate a single NCA, others designated several sectoral NCAs. Spain, for instance, employs a decentralised approach where the competent authority depends on whether the operator concerned is an OES or a DSP (cf. Art. 9(1) Real Decreto-ley 12/2018 de 7 de septiembre de seguridad de las redes y sistemas de información); the same applies to the UK, where the NCA for OES further depends on the sector concerned.

7 According to Art. 9 NIS Directive, Member States shall designate one or more CSIRTs, which may be established within an NCA and must be responsible for risk and incident handling.

8 See Art. 14(3) NIS Directive as regards OES, and Art. 16(3) as regards DSP. Guidelines for incident reporting by DSPs have been issued by ENISA (ENISA 2017).

9 Sec. 11(3)(b)(i) UK Network and Information Systems Regulations 2018 for OES and sec. 12(6)(a) UK Network and Information Systems Regulations 2018 for DSPs.

10 This applies only to OES, see § 8(1) Küberturvalisuse seadus (Estonian Cybersecurity Act).

11 For instance Germany, see § 8b(4) BSIG.

12 Arts. 14(6) and 16(6) NIS Directive.

13 What is considered “effective, proportionate and dissuasive” varies significantly between Member States, with administrative fines of up to EUR 50,000 in Germany (§ 14(2) BSIG) and fines of up to GBP 17,000,000 in the UK (Art. 18(6)(d) Network and Information Systems Regulations 2018).

14 Art. 4(12) GDPR.

15 Art. 34(3)(a) GDPR.

16 Art. 34(3)(b) GDPR.

17 See Art. 33(3) GDPR.

18 Art. 33(4) GDPR.

19 Art. 34 GDPR; see also Recital 86.

20 Recital 86.

21 Recital 86.

22 This exception distinguishes between two types of information: information which by law must be kept secret and information which by its nature must be kept secret. Information which by law must be kept secret relates to professional obligations of secrecy which build on a special position and usually apply to psychologists, notaries or lawyers, provided their professional associations have issued binding rules on secrecy. Special official obligations to maintain secrecy relate to obligations linked to the exercise of a public office. In assessing whether a piece of information must be kept secret by its nature, due consideration has to be paid to the purpose of the data as such and to the purpose of the data processing operation; the obligation of “secrecy” must stem directly from the type of information (Uwer 2020, marginal no. 8). There may also be an interest in keeping the source of the information secret. This exception further requires a balancing of the interest of the data subject concerned in being informed about the data breach against the interest in keeping the information secret.

If the interests of the data subject, in particular in consideration of impending damage, outweigh the interest in secrecy, the data subject shall be informed.

23 Art. 83(4)(a) GDPR. See also Art. 29 WP 2017.

24 NIST is a U.S. government agency and part of the U.S. Department of Commerce.

25 Recital 62 NIS Directive.

26 Council of Europe, Convention on Cybercrime (CETS No. 185).

27 Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection, or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (Police Directive), (2016) OJ L 119, 04.05.2016, pp. 89–131.

28 See Art. 13(3) Police Directive.

29 Art. 15(4) NIS Directive.

30 Directive 2002/21/EC of the European Parliament and of the Council of 7 March 2002 on a common regulatory framework for electronic communications networks and services (Framework Directive), OJ L 108/33, 24.04.2002. Now replaced by Directive (EU) 2018/1972 of the European Parliament and of the Council of 11 December 2018 establishing the European Electronic Communications Code, OJ L 321, 17.12.2018, pp. 36–214.

31 Regulation (EU) No. 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC, OJ L 257, 28.08.2014, pp. 73–114.

32 Directive (EU) of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC, OJ L 337, 23.12.2015, pp. 35–127.

33 Art. 96(1) of the Payment Services Directive cited in FN 32 (PSD2) requires payment service providers, in the case of a major operational or security incident, to notify the competent authority in the home Member State without undue delay.

34 ECB Banking Supervision has implemented a cyber-incident reporting framework within the Single Supervisory Mechanism.

35 TARGET2 (Trans-European Automated Real-Time Gross Settlement Express Transfer System) is the real-time gross settlement system for the Eurozone.

36 By “decentralised” we refer to a multitude of supervisory authorities, either under sector-specific regulation constituting a lex specialis to the NIS Directive or because the Member State opted for a decentralised approach to designating NCAs and single points of contact. 13 Member States (previously 14, including the UK) decided to designate several sectoral authorities.

37 Cf. FN 6.

38 See Art. 8(4) NIS Directive and Recital 31.

Additional information

Funding

The research for this article was funded by the Luxembourg National Research Fund (FNR) C18/IS/12639666/EnCaViBS/Cole, https://www.fnr.lu/projects/the-eu-nis-directive-enhancing-cybersecurity-across-vital-business-sectors-encavibs/.