Operators of essential infrastructure are subject to increasing cyber security threats. The European Union and German legislators reacted on those new threats with the draft EU Directive concerning measures to ensure a high common level of network, information security across the Union (NIS Directive), and the German Act to increase the security of information technology systems (IT Security Act).
The NIS Directive was adopted on 6 July 2016. The Directive will enter into force on the 20th day following publication in the Official Journal of the European Union. The EU Member States will be required to transpose the Directive by 21 months after the date of its entry into force. It affects operators of critical infrastructure in the field of energy providing services within the EU.
The NIS directive lists the following operators in the field of energy:
— Electricity and gas suppliers;
— Electricity and/or gas distribution system operators and retailers for final consumers;
— Natural gas transmission system operators;
— Storage operators and LNG operators;
— Transmission system operators in electricity;
— Oil transmission pipelines and oil storage;
— Electricity and gas market operators;
— Operators of oil and natural gas production; and
— Refining and treatment facilities.
To ensure a high common level of security, operators of critical energy infrastructure have to meet several new compliance obligations. This includes implementation of appropriate technical and organizational measures to manage the risks posed to the security of the networks and information systems which they control and use in their operations.
The purpose of those measures is to prevent and minimize the impact of incidents affecting the network and information systems and to ensure the continuity of the services underpinned by the relevant networks and information systems.
Compliance with the requirements will be controlled by the competent national authorities. They can require companies to provide information needed to assess the security of the companies’ systems. Once a year, the competent authority shall submit a summary report to the cooperation network on the notifications received and the action taken.
Furthermore, the affected operators may have to undergo a security audit carried out by a qualified independent body or national authority. If an incident occurs which has a significant impact on the security of the core services a company provides, the affected company must notify the competent authority. Where the competent authority comes to the conclusion that disclosure of the incident is in the public interest, the authority may notify the public.
Member States shall lay down rules on sanctions applicable to infringements of the national provisions adopted pursuant to the NIS Directive.
German IT Security Act
In 2015 the German legislator adopted the so called “IT Security Act” which coincides largely with the requirements of the NIS Directive. Operators of critical infrastructure in the field of energy based in Germany are, with certain transitional periods, subject to the requirements of the IT Security Act. Obligations include:
— Ensure adequate protection of their systems;
— Notify security breaches to the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik (BSI)); and
— Arrange a point of contact for the BSI.
Any operator of critical infrastructure should undertake a proactive analysis of its systems and processes in order to ensure compliance with these new legal requirements. Such analysis should also include the systems of service providers. Where necessary, contracts and polices should be adopted to properly reflect the new IT security requirements.