On February 7, 2013, the European Commission, together with the High Representative of the Union for Foreign Affairs and Security Policy, launched their cybersecurity strategy for the European Union (“Strategy”). As part of this Strategy, the European Commission also proposed a draft directive concerning measures to ensure a high common level of network and information security (“NIS”) across the EU (the “Directive”).
The Strategy reflects the EU’s vision on how to safeguard cyberspace, and focuses on five priorities:
- Becoming “cyber resilient” by increasing capabilities, preparedness, cooperation, information exchange and awareness in the field of NIS, for both the public and private sectors at the national and EU level;
- Drastically reducing cybercrime by strengthening the expertise of those in charge of investigating and prosecuting it, adopting a more coordinated approach among law enforcement agencies across the EU, and enhancing cooperation with other players;
- Developing cyberdefense policies and capabilities within the framework of the EU Common Security and Defence Policy (“CSDP”);
- Developing industrial and technological resources for cybersecurity; and
- Establishing a coherent international cyberspace policy for the EU that promotes core EU values.
The proposed Directive is a key component of this Strategy. It introduces a number of measures to enhance cybersecurity, including:
- The requirement for EU Member States to adopt a NIS strategy and to designate national NIS authorities to prevent, handle and respond to NIS risks and incidents;
- The creation of a cooperation network that enables the national NIS authorities, the European Commission and, in certain cases, the European Network and Information Security Agency (“ENISA”) and the European Cybercrime Centre (“EC3”) at Europol to share early warnings on risks and incidents and to cooperate on further steps;
- The obligation for (1) operators of “critical” infrastructures in certain sectors (financial services, transport, energy and health), (2) providers of information society services and (3) public administrations to implement appropriate technical and organizational security measures and to report incidents having a “significant” impact on the security of the core services they provide (e.g., an outage of a cloud computing service that leaves users unable to access their data). Such incidents would have to be reported to the national NIS authorities, who may then decide to inform the public, or require the companies and public administrations concerned to do so, where they consider disclosure of the incident to be in the public interest.
The FAQs that accompany the proposed NIS Directive include examples of companies that would be obliged to report cyber incidents, such as:
- cloud computing service providers;
- search engines;
- e-Commerce platform providers;
- Internet payment service providers;
- providers of VoIP and other communications services;
- social network providers;
- platforms enabling the provision and sharing of videos;
- platforms enabling the provision and sharing of music;
- major online computer games; and
- application stores.
In order to spare companies from having to deal separately with all 27 EU Member States when reporting cyber incidents, the European Commission has indicated that it will promote the development of common reporting formats and procedures through implementing measures adopted under the Directive. Thus far, the European Commission has not commented on the possible interaction between the reporting duty in the proposed Directive and the new data security and breach notification requirements in the proposed General Data Protection Regulation. The two regimes have different triggers: the NIS duty attaches to incidents with a significant impact on the security of the services provided, whether or not personal data are involved, whereas the General Data Protection Regulation duty attaches to breaches of personal data. A single incident, such as an intrusion that takes a cloud service offline and also exposes customer data, could therefore fall under both.
The proposed Directive was submitted to the European Parliament and the Council of the European Union for their review and adoption. EU Member States will have 18 months following its adoption to transpose the Directive into their national laws.