Cybersecurity is a strategic issue for European businesses which are increasingly gathering and monetising data but are at risk of significant cyber-attacks. Such attacks have led to substantial reputational damage, negative media coverage and diminished customer confidence and trust. Whilst preparing for the EU General Data Protection Regulation (GDPR), businesses have perhaps paid less attention to the EU Directive on security of network and information systems (the NIS Directive).
The NIS Directive is the first EU-wide cybersecurity legislation, aiming to realise a high common level of security of network and information systems within the European Union. To that end, the NIS Directive requires Member States in the first place to adopt a national strategy on the security of network and information systems, establish one or more national computer security incident response teams and designate other national competent authorities on the security of network and information systems.
The NIS Directive furthermore obliges Member States to impose security and incident notification requirements on operators of essential services and digital service providers. “Essential services” are services considered to be essential for the maintenance of critical societal or economic activities, the provision of which depends on network and information systems. The Member States are required to determine a list of these essential services and designate providers of such services within their respective territories in a number of sectors, including energy, transport, health, water supply and distribution, banking, financial market infrastructures, and digital infrastructures. Digital service providers (DSPs are broadly defined as providers of online search engines, online marketplaces and cloud computing services. It should be noted that Member States are given some discretion to determine the level of regulatory fines that may apply to a failure of providers to comply with the obligations imposed. In the Netherlands, for example, these fines can reach up to €5 million per breach, and in the UK fines up to £17 million can be imposed.
With businesses increasingly moving all or part of their operations to the cloud, it is comforting to know that cloud service providers are within the ambit of the NIS Directive’s application. Nevertheless, and even though security concerns like data leaks, attacks and availability disruptions apply to on-premise IT systems and cloud systems alike, the security concerns in relation to the cloud may be exacerbated by the feeling of “having no control” over where your systems and data sit and how their security is organised. From a legal perspective, there are various issues to address specifically in respect of cloud security. We would call out three of those issues:
Type of cloud solution
The initial choice to use the cloud at all and, if you do, which type of cloud environment, may already be dictated by the extent to which your organisation is subject to strict privacy and security compliance requirements. In that context, it should be taken into account that a public cloud involves a multi-tenant set-up, in which the level of security of your data and operations may be affected by the behaviour of other tenants. There are certainly ways to isolate yourself technologically (for instance by seeking encryption at a data level) but if you are, say, a provider of essential services as meant in the NIS Directive, a private cloud or hybrid cloud solution may be the way to go. Generally, using the cloud may increase the potential avenues of attack, given that a cloud environment is often a highly connected environment and may inevitably involve a higher of degree of data-in-transit than in a fully dedicated on-premise solution.
Allocating responsibility
If a cloud solution is for you, it doesn’t mean that solution will absolve you from all security responsibilities. Security of data and operations is no stronger than the weakest link, and in the context of your agreement with a cloud provider it should be absolutely clear where the cloud provider’s responsibility ends and your responsibility kicks in. This calls for a vision on which applications and data to relegate to the cloud (and which not to), a risk assessment in respect of the level of security to implement in respect of access, and the alignment of your internal policies and procedures to reflect the cloud set-up.
Retaining insight and control
Most businesses are comfortable about knowing where their business-critical data is sitting at any given time and being able to continuously assess (and even audit) the security level in respect of that data and the manner in which it is stored and processed. That will certainly be true for businesses subject to regulatory “in-control” requirements, such as many financial service organisations, and it may generally be required under GDPR rules with regard to your personal data processing. The agreement you enter into with a cloud provider should accord you the transparency and powers of control required to meet your business and regulatory requirements. That includes insight into the occurrence and resolution of security breaches, and a measure of control over any notifications to regulatory authorities and the public. Agreeing acknowledged cloud security standards may provide comfort as to the level of security, but does little to secure your own (and your regulator’s) required level of insight in and control over the ultimate security of your data and operations, which should be dealt with specifically in the agreement.
The cloud offers its own challenges with regard to security, but is by no means per definition less secure than on-premise solutions. Professional cloud suppliers are well-aware that security is front and centre in the minds of their corporate users, and may be better equipped than your existing IT department and service providers to ensure state-of-the-art security. And, as mentioned, the NIS Directive may bring about some helpful regulatory pressure to make sure they get it right.
Jaap Tempelman and Andrei Mikes are lawyers in the Tech Group of Clifford Chance. This group comprises a global, integrated team of over 400 lawyers delivering advice across all legal areas on technology issues, including IT contracting, antitrust and data, M&A and investments, intellectual property and litigation, AI, FinTech, data protection, and cybersecurity.