Political agreement was recently officially reported by the EU as having been reached at the highest EU level on EU rules on cyber security.
As news headlines are constantly bringing to our attention, IT security breaches and cyber attacks in many shapes and forms have reached a phenomenal level and present a continuing major global threat to businesses. Whilst many EU countries already have some sort of cyber security rules in place, the new rules aim to address the cyber security challenge at an EU-wide level.
The new EU Directive is very much focussed on EU Member States in that it requires them to improve their national cyber security capabilities and improve cooperation between them on cyber security. But, the Directive will also affect businesses as appropriate security measures will need to be put in place and incidents will have to be reported to national authorities by operators of essential services and providers of key digital services.
The latest version of the Directive has yet to be seen but some information about its scope has been released.
Whilst security breach notification rules are on the mind of all organisations, this Directive does not impose breach notification obligations on everyone.
It is focused primarily on operators of critical infrastructure in certain sectors (financial services, transport, energy, water, and, health) – so-called “essential services” – along with enablers of information society services (such as internet payment, cloud computing and search engines).
These definitions are still to be confirmed. Member States will need to identify those essential services in their jurisdiction, and there are ongoing discussions over the scope of digital services which will be included, although micro and small digital companies will likely be exempt.
However, it is understood that, in sum, the Directive maintains the following three key features:
- EU Member States will have to adopt a so-called Network and Information Security (“NIS”) strategy and designate a national NIS authority, that has to be adequately resourced, to be able to prevent, handle and respond to NIS risks and incidents, and, set up Computer Security Response Teams responsible for handling incidents and risks;
- An EU cooperation mechanism will be set up between the EU Member States and the European Commission to share early warnings on risks and incidents through a secure infrastructure, which will include a network of Computer Security Incident Response Teams to cooperate on specific cyber security incidents and information-sharing about risks; and,
- Affected organizations will be required to: assess the risks they face and adopt appropriate and proportionate measures; and, report to regulators major security incidents on their core services.
EU Member States will identify who the specific operators are, based on certain criteria, notably whether the service is essential for the maintenance of critical societal or economic activities.
The original version of the Directive stated that when there is a security breach involving personal data, the sanctions for infringing the Directive must be in line with sanctions imposed under the EU Data Protection Regulation. The Regulation has now been agreed at the political level (which we have reported on here) and the financial sanctions are set at a high rate. So it will be interesting to see if this aspect of the Directive has been kept.
The next steps are, following some intermediate steps, for the EU Council and the European Parliament to formally approve the new rules, which is expected in the first half of next year. EU Member States will then have to adopt the Directive into national legislation within 21 months and also officially identify essential services operators from the sectors in question according to certain criteria within a further 6 months. The EU Member States will also have discretion as to what sanctions to apply for breach of the Directive as implemented under national rules. Despite the aim of having EU-wide rules in place, because the rules are subject to EU Member State national implementation there will inevitably be a degree of divergence on some aspects.
Businesses will likely be asked in the individual Member States to take part in a consultation before the rules are implemented. Businesses who are essential service operators and key digital service providers should therefore take care to ensure that their voice is heard in that process. In the meantime those businesses who are likely to fall under the new rules should:
- Alert the Board about the incoming compliance cyber security regime and plan resources to address it;
- Set up procedures to address risk assessment, response management, internal investigation, and, incident reporting;
- Update and/or revise policy documentation;
- Undertake training and develop internal cyber security advocacy;
- Re-evaluate and/or prepare a press strategy in the event of an IT security breach; and,
- Reassess existing cyber insurance or take out a new policy.
Also, businesses doing business with essential service operators and key digital service providers will have to consider to what extent there will be a downstream effect, i.e whether they will in fact be subject to the same requirements.
Cordery regularly reports on cyber security and related issues, which can be found here.
For more information please contact André Bywater who is a lawyer with Cordery in London where his focus is on compliance issues.
André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH
Office: +44 (0)207 075 1785