June 8, 2015
This regulation, issued by the European Commission:
- specifies which elements digital service providers must take into account when identifying and adopting measures to ensure a level of security of the networks and information systems used in offering the services defined in the NIS directive;
- specifies the parameters to be taken into consideration in order to determine whether an incident has a significant impact on the provision of such services.
It should be noted that the NIS is a directive: by its nature it leaves room for the discretion of individual countries in adopting a national strategy on the security of networks and information systems. The elements and parameters to be taken into consideration in determining the severity of an incident, however, are removed from the discretion of the individual countries by means of a regulation.
Security elements. Article 2 takes into consideration:
- the security of systems and facilities, understood as the security of networks and information systems and their physical environment;
- incident handling and the measures taken by the digital service provider;
- business continuity, understood as the ability of an organisation to maintain or, if necessary, restore the provision of services to predefined levels;
- monitoring, auditing and testing;
and gives further details on the procedures intended to implement the security requirements.
Digital service providers (FSDs) must make the documentation available to allow the competent authority to verify compliance with the wording of the article.
The parameters to be taken into consideration in order to determine the relevance of an incident, as per Article 3, are the following:
- The number of users affected by the incident, in particular users who depend on the service for the provision of their own services. The digital service provider must be able to estimate:
  - the number of affected natural and legal persons with whom a service supply contract has been concluded, or
  - the number of affected users who have used the service, in particular based on previous traffic data.
- The duration of the incident, understood as the period between the disturbance of the regular performance of the service in terms of availability, authenticity, integrity or confidentiality and the time of recovery.
- The geographical spread of the area affected by the incident. The digital service provider must be able to determine whether the incident affects the provision of its services in certain member states.
- The extent of the disruption of the service, measured by one or more of the following characteristics compromised by the incident: availability, authenticity, integrity or confidentiality of the data or related services.
- The extent of the impact on economic and social activities. The FSD must be able to deduce whether the incident caused significant material or immaterial losses for users, based on indications such as:
  - the nature of its contractual relations with the customer, or
  - the potential number of affected users, or
  - whether the incident was the cause of significant material or immaterial losses for users, for example in relation to health and safety or material damage.
Of particular interest is the evaluation of the significant impact of an incident, as per Article 4.
An incident is considered to have a significant impact if at least one of the following situations occurs:
- the service provided by an FSD was unavailable for more than 5 000 000 user hours, where a user hour is defined as one affected user in the Union for a duration of sixty minutes;
- the incident caused a loss of integrity, authenticity or confidentiality of the data stored, transmitted or processed, or of the related services offered or accessible through a network and information system of the digital service provider, that involved more than 100 000 users in the Union;
- the incident generated a risk to public safety, public security or loss of life;
- the incident resulted in material damage exceeding 1 000 000 € for at least one user in the Union.
These thresholds can be reviewed periodically by the Commission.
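The four Article 4 thresholds above form a simple decision rule that an incident-response team can encode in its notification playbook. The following is an added example, not code from the original page or from any official tooling: it models an incident as a set of outage windows (each with its own count of affected users in the Union), computes user hours from them, and reports which of the four criteria are met. The incident records, field names and sample figures are constructed for illustration; the thresholds are the ones stated in the regulation.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Thresholds from Article 4 of the implementing regulation.
USER_HOURS_THRESHOLD = 5_000_000          # availability: more than 5 000 000 user hours
CIA_LOSS_USERS_THRESHOLD = 100_000        # integrity/authenticity/confidentiality loss
MATERIAL_DAMAGE_THRESHOLD_EUR = 1_000_000  # damage for at least one user


@dataclass
class OutageWindow:
    """One period of unavailability (disturbance to recovery, per Article 3)."""
    start: datetime
    end: datetime
    users_affected: int  # affected users in the Union during this window

    def user_hours(self) -> float:
        # One user hour = one affected user for sixty minutes.
        hours = (self.end - self.start).total_seconds() / 3600
        return self.users_affected * hours


@dataclass
class Incident:
    """Constructed incident record (hypothetical fields, not the regulation's wording)."""
    outages: list
    cia_loss_users: int           # users in the Union hit by loss of I/A/C
    public_safety_risk: bool      # risk to public safety, public security or life
    max_damage_single_user_eur: float  # largest material damage to any one user


def user_hours_unavailable(incident: Incident) -> float:
    """Sum user hours across all outage windows of the incident."""
    return sum(w.user_hours() for w in incident.outages)


def assess_significant_impact(incident: Incident) -> dict:
    """Return which Article 4 criteria the incident meets."""
    return {
        "availability_user_hours": user_hours_unavailable(incident) > USER_HOURS_THRESHOLD,
        "cia_loss_users": incident.cia_loss_users > CIA_LOSS_USERS_THRESHOLD,
        "public_safety_or_life": incident.public_safety_risk,
        "material_damage": incident.max_damage_single_user_eur > MATERIAL_DAMAGE_THRESHOLD_EUR,
    }


def is_significant(incident: Incident) -> bool:
    """Article 4: significant if at least one criterion is met."""
    return any(assess_significant_impact(incident).values())


# Constructed sample: two outage windows affecting different user populations.
T0 = datetime(2018, 5, 10, 8, 0)
EXAMPLE_INCIDENT = Incident(
    outages=[
        OutageWindow(T0, T0 + timedelta(hours=3), users_affected=1_200_000),  # 3 600 000 user hours
        OutageWindow(T0 + timedelta(hours=3), T0 + timedelta(hours=5), users_affected=800_000),  # 1 600 000
    ],
    cia_loss_users=40_000,
    public_safety_risk=False,
    max_damage_single_user_eur=250_000.0,
)

# Constructed sample that stays below every threshold.
MINOR_INCIDENT = Incident(
    outages=[OutageWindow(T0, T0 + timedelta(hours=1), users_affected=10_000)],
    cia_loss_users=0,
    public_safety_risk=False,
    max_damage_single_user_eur=0.0,
)

if __name__ == "__main__":
    for name, inc in (("example", EXAMPLE_INCIDENT), ("minor", MINOR_INCIDENT)):
        print(name, user_hours_unavailable(inc), assess_significant_impact(inc), is_significant(inc))
```

Only the availability criterion is met for the constructed example (5 200 000 user hours, over the 5 000 000 threshold), which is enough to classify it as significant; keeping the per-criterion breakdown rather than a single boolean is what lets the notification to the competent authority state which threshold was crossed.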