Europe’s new cyber security directive
March 2016 | SPOTLIGHT | RISK MANAGEMENT
Financier Worldwide Magazine
In December 2015, after two years of negotiations, the European Parliament, the Council and the Commission agreed on the first cyber security directive for the European Union. The directive seeks to ensure a common level of network and information security (NIS) throughout the EU Member States given the varying and fragmented approaches to NIS that currently exist across the Union. The directive sets out EU-wide cyber security obligations for operators of essential services and digital service providers (DSPs), but the two categories will be subject to different regimes. For many such organisations, the directive constitutes the first breach reporting requirement in Europe.
Who is covered by the directive?
The directive includes requirements for operators of essential services, DSPs and Member States. The directive calls on Member States to improve their cyber security capabilities, including through the establishment of a network of national Computer Security Incident Response Teams (CSIRTs), to discuss cross-border security incidents and identify coordinated responses.
The directive imposes obligations on operators in essential service sectors to take appropriate security measures designed to manage cyber risks and to report major security incidents. Essential service sectors are limited to energy, transport, banking, financial market, health, water supply & distribution and digital infrastructure. Each Member State will determine which entities are deemed to be operators of essential services within their borders (taking into account criteria set out in the directive).
In addition, the directive requires DSPs to take appropriate security measures and report specific incidents to the appropriate authorities. DSPs regulated by the directive are limited to providers of three categories of digital services: ‘online marketplaces’, ‘online search engines’, and ‘cloud computing services’ (each term being defined in general terms in the directive). ‘Social networks’, included in the initial draft, are no longer within the directive’s scope. DSPs that provide any of the three specified categories of digital services are automatically subject to the directive. Micro and small enterprises (i.e., organisations with less than 50 employees) are generally exempt from the directive’s requirements.
What does the directive mean for DSPs?
The directive is likely to have an impact on how affected DSPs conduct their business throughout the world. Even though the directive provides that the “security requirements for DSPs should be lighter” than for operators of essential services, it is highly likely that organisations will have to invest significant sums on IT and internal policies to comply with new security standards and notification requirements. The directive requires that DSPs, in establishing ‘appropriate and proportionate’ security measures, take into account the following elements: (i) security of systems and facilities; (ii) incident management; (iii) business continuity management; (iv) monitoring, auditing and testing; and (v) compliance with international standards.
DSPs will be required to report any incident that qualifies as having a ‘substantial impact’ on the services they provide. In determining whether an incident qualifies as having a ‘substantial impact’, the directive provides the following guidelines to take into account: (i) the number of users affected by the incident, in particular users relying on the service for the provision of their own services; (ii) the duration of the incident; (iii) the geographical spread with regard to the area affected by the incident; (iv) the extent of the disruption of the functioning of the service; and (v) the extent of the impact on economic and societal activities. In addition, the directive provides for the possibility that incidents will be disclosed to the public – either by the Member States or by the DSP itself – where it is determined that such disclosure is in the public interest.
These requirements require organisations to not only enact specified internal policies, but also designate and train employees to ensure regulatory compliance. Where a Member State’s competent authority determines that an organisation has not met these requirements, the directive calls for Member States to “take action, if necessary, through ex post supervisory authorities”. The directive leaves open the question of what penalties will exist for noncompliance with these requirements.
An interesting caveat to the directive’s approach to DSPs is that the exercise of jurisdiction will be limited to the Member State in which a provider “has its main establishment”. For those DSPs that are not established within the European Union, the directive calls for such DSPs to designate a representative in a Member State where the DSP offers services (thus creating jurisdiction over the DSP in that Member State).
Does the directive establish a new global security standard for DSPs?
Online marketplaces, search engines and cloud computing services are inherently global in nature and cross borders with the mere touch of a button. As a result, the directive likely will have a global impact on how affected DSPs approach security, especially for organisations based in jurisdictions that currently lack cyber security standards enshrined in law. For example, many DSPs currently have only a general obligation to employ commercially reasonable security and to not engage in deceptive or unfair practices. Furthermore, organisations may find it unreasonable or impractical to segment off their operations subject to the directive from other global operations, thus requiring application of the new security standards enterprise-wide. To comply with the new requirements within the Union, DSPs worldwide may have to make changes to their current security policies and practices on a global level.
The incident notification requirements are similarly novel and likely will require DSPs worldwide to assess their incident response plans and approaches. Currently, many DSPs may have certain notification requirements when, for example, an incident compromising personal data occurs. The directive, however, creates incident notification obligations for organisations without regard to whether personal data was impacted, instead focusing on whether the incident had a ‘substantial impact’ on the service. This subjective, multifactor test will require DSPs to establish processes to evaluate incidents against the directive’s criteria and, akin to US breach notification laws, may require legal analysis and review before a notification decision can be made. Organisations also may face pressure to notify regulators in other jurisdictions where an incident triggers notification obligations pursuant to the directive and, thus, may lead to a de facto global notification standard.
The European Parliament was keen to secure legal clarity through ‘implementing acts’, thereby ensuring that Member States won’t be able to take different approaches to cyber security risk management and incident reporting for DSPs. It is expected that this work will be developed by the European Agency for Network and Information Security (ENISA) with the involvement of additional stakeholders after the draft rules have been drawn up.
The provisionally agreed text was endorsed by the Parliament’s Internal Market Committee and the Council Committee of Permanent Representatives in December 2015. Once the agreed text has undergone technical finalisation, it needs to be formally approved first by the Council and then by the Parliament. After the directive has entered into force, the Commission will have 12 months in which to adopt ‘implementing acts’ and EU Member States will have 21 months in which to adopt the necessary national provisions. Following this period, Member States will have another six months to identify the essential services operators established in their territory subject to the directive.
Conor Ward is a consultant, Paul Otto is a senior associate and Cristin Morneau is a senior associate at Hogan Lovells. Mr Ward can be contacted on +44 (0)20 7296 2034 or by email: firstname.lastname@example.org. Mr Otto can be contacted on +1 (202) 637 5887 or by email: email@example.com. Ms Morneau can be contacted on +1 (415) 374 2349 or by email: firstname.lastname@example.org.
© Financier Worldwide
Conor Ward, Paul Otto and Cristin Morneau