New law on data system security

The Security of Networks and Information Systems Law, Number 17(I) of 2018, implements articles 8 and 9 of EU Directive 2016/1148 on measures to achieve a high common level of security of network and information systems throughout the EU. It designates the Commissioner for Electronic Communications and Postal Regulation (Commissioner), appointed under article 5 of the Regulation of Electronic Communications and Postal Services Law 112(I) of 2004, as the national competent authority for the purposes of article 8 of the directive, with responsibility for coordinating the implementation of the cyber-security strategy and monitoring the application of the directive at national level.

Article 3 of the new law establishes a National Digital Security Authority (NDSA) to implement the law under the auspices of the Commissioner. The NDSA is to be headed by an Assistant Commissioner who will advise and assist the Commissioner in exercising his powers and discharging his responsibilities under the new law. The National Computer Security Incident Response Team (CSIRT), required by article 9 of Directive 2016/1148 as a resource for responding directly to network and information security incidents, will be part of the NDSA.

The NDSA will be funded by service providers (categorised as critical information infrastructure operators, key service providers, electronic communications providers and digital service providers) in accordance with a methodology to be prescribed in secondary legislation, with temporary funding provided by the government as an interim measure.

The NDSA is required to promote the achievement of a high level of security of networks and information systems, including all government information services and digital service providers based in Cyprus. It must act impartially and independently, applying the general policy framework for digital security agreed from time to time between the Commissioner and the Minister of Transport, Communications and Works.

The NDSA will be the single national contact point for the security of networks and information systems and will liaise with its counterparts in other EU member states as required to achieve the objectives set out in articles 11 and 12 of Directive 2016/1148. It is required to assess service providers’ compliance with their obligations and their impact on the security of networks and information systems, to ensure that they take appropriate and proportionate technical and organizational measures to manage the risks related to network and system security and to prevent and minimize the impact of incidents affecting security of networks and information systems.

The NDSA must ensure that service providers promptly notify incidents and events that may adversely affect the services they provide, and will cooperate with the Privacy Commissioner to deal with incidents that lead to violations of personal data. It has the power to require service providers to make available the information it needs and to impose administrative fines in the event of any breach of the law.  Its staff will be authorised to enter any non-domestic premises used to provide digital services for the purposes of the law.

For further information on this matter please contact Nicholas Ktenas and Michael Ioannou or your usual contact at Elias Neocleous & Co LLC.