
EU Cybersecurity Directive Update

By André Bywater and Jonathan Armstrong
June 01, 2016

Cyber attacks and IT security breaches are constantly being reported (the “Panama Papers” being the most recent spectacular example), and almost certainly represent just the tip of the iceberg. No one can doubt that cybersecurity is a very significant global issue and cybercrime a major international menace; any statistics about these issues always make for grim reading.

In the European Union (EU) a number of EU Member States already have some sort of national cybersecurity rules in place, but there is nothing uniform at an EU-wide level and so the EU is introducing new rules aimed at redressing this gap in the form of the (European Commission proposed) “Directive of the European Parliament and of the Council concerning measures to ensure a high common level of network and information security across the European Union” (EU Cybersecurity Directive, sometimes also referred to as the NIS Directive).

At the end of last year, high-level EU political agreement was reached on these rules and their finalization is now awaited. This article sets out in brief the main features of these forthcoming rules.

Why Should Businesses Be Concerned?

The EU Cybersecurity Directive is mainly aimed at EU Member States in that it requires them to improve both their national cybersecurity capabilities and cooperation between them on cybersecurity. But, the new rules will also affect businesses because appropriate security measures will need to be put in place and incidents will have to be reported to national regulatory authorities by providers of critical services, and of certain digital services. It must be emphasized that these new rules do not impose breach notification obligations on everyone, unlike the recently published EU General Data Protection Regulation (GDPR) (to be fully applied from late May 2018), which imposes mandatory breach notification to a regulator (within 72 hours) on all organizations.

What Are the Components of the New Rules?

The forthcoming rules can in effect be divided into the following three components.

First, EU Member States will have to adopt a “Network and Information Security” (NIS) strategy and designate a national NIS regulatory authority, which must be adequately resourced to be able to prevent, handle and respond to NIS risks and incidents, and set up “Computer Security Response Teams” to handle incidents and risks.

Second, an EU cooperation mechanism will be set up between the EU Member States and the European Commission to share early warnings on risks and incidents through a secure infrastructure, which will include a network of “Computer Security Incident Response Teams.”

Third, affected organizations will be required to assess the risks they face, adopt appropriate and proportionate measures, and report major security incidents affecting their core services to regulators.

What Sectors Will Be Affected?

Two categories of sectors will be affected.

First, organizations in the following “Operators of Essential Services” sectors will be covered under the EU Cybersecurity Directive: energy (electricity, oil, and gas); transport (air, rail, water and roads); banking (credit institutions); financial market infrastructures (trading venues and central counterparties); health (healthcare providers); water (drinking water supply and distribution); digital infrastructure (Internet exchange points (which enable interconnection between the Internet's individual networks), domain name system service providers, and top level domain name registries).

It will be up to the EU Member States themselves to identify these operators specifically (upon implementation of the EU Cybersecurity Directive into national laws) on the basis of specific criteria, notably, for example, whether the service is essential for the maintenance of critical societal or economic activities.

Second, key digital businesses, called “Digital Service Providers,” also fall under the EU Cybersecurity Directive, in the following areas: Online marketplaces, which allow businesses to set up business on the marketplace in order to make their products and services available online; cloud computing services; and search engines. In contrast to “Operators of Essential Services,” Member States will not designate particular businesses as “Digital Service Providers.” The new rules will apply to all entities falling within the definition of “Digital Service Providers” set out in the EU Cybersecurity Directive, throughout the EU.

It appears that, on the one hand, “Operators of Essential Services” will be required to ensure that systems that they use to provide their critical services are “robust enough to resist cyberattacks,” while on the other hand, “Digital Service Providers” will only be required to ensure that their infrastructures are “secure.”

Both “Operators of Essential Services” and “Digital Service Providers” will, however, be required to report major security breaches to the EU Member State regulators in question.

Please note that the sectors involved still need to be confirmed under the final version of the EU Cybersecurity Directive; micro and small digital companies, and social networks, will likely be exempt. It still remains to be seen in the final version of the EU Cybersecurity Directive to what extent the new rules will apply in the same way or differently to “Operators of Essential Services” and “Digital Service Providers.”

The European Commission FAQs issued with the original proposed EU Cybersecurity Directive also state that the national regulatory authority in question may require that the public be informed about incidents; public announcement is not mandatory under the EU Cybersecurity Directive, but this will need to be confirmed in the final agreed version.

Are Internet Service Providers or Network Owners Affected?

These organizations are already reporting incidents under the risk management and incident reporting obligations under other EU rules, namely the so-called EU Telecoms Framework Directive.

Who Is Exempted from the Reporting Obligations?

Hardware manufacturers and software developers are exempted from the risk management and reporting obligations. The same applies to specific sectors or sub-sectors, for example insurance and food supply.

Will Every Incident Have to Be Reported?

No, according to the European Commission FAQs issued with the original proposed EU Cybersecurity Directive in 2013. These state that only incidents that have “a significant impact on the security of core services provided by market operators and public administrations will have to be reported to the competent national [regulatory] authority.” By way of examples, the FAQs provide the following: “an electricity outage caused by an NIS incident and having a detrimental effect on businesses; the unavailability of an online booking engine that prevents users from booking their hotels or of a cloud service provider that inhibits users to get access to their content; the compromise of air traffic control due to an outage or a cyber attack.”

Will Incidents Have to Be Reported to 28 EU Member States' Systems?

According to the European Commission FAQs issued with the original proposed EU Cybersecurity Directive, common reporting systems will be developed through implementing measures for the EU Cybersecurity Directive. Specific templates might also be developed by the EU agency ENISA (the European Network and Information Security Agency), whose general objective is to improve network and information security in the EU, and which has already brought together national regulators to develop harmonized national measures for risk management and incident reporting as part of the EU telecoms rules.

What Are the Next Steps?

The EU Council and the European Parliament need to formally approve the new rules, which may occur before this summer.

Once the EU Cybersecurity Directive is finally adopted at the EU level, EU Member States will then have to adopt it into national legislation within 21 months and, as mentioned, also officially identify “Essential Services Operators” from the sectors in question within a further six months. The EU Member States will also have discretion as to what sanctions to apply for breach of the EU Cybersecurity Directive as implemented under national rules. The original version of the EU Cybersecurity Directive stated that when there is a security breach involving personal data, the sanctions for infringing it must be in line with sanctions imposed under the GDPR. As mentioned above, the GDPR has now been published and the financial sanctions are set at a very high rate (maximum €20 million or 4% of total worldwide annual turnover), so it will be important to see whether this aspect of the EU Cybersecurity Directive is maintained.

Despite the aim of having EU-wide rules in place, because the legislative format being used is a Directive, there will inevitably be a degree of divergence on some aspects, for example, as indicated above, concerning public announcements about incidents. This said, divergence might be mitigated at least as regards risk management and incident reporting for “Digital Service Providers,” as it is expected that this work will probably be developed by ENISA, with the involvement of stakeholders, at a later stage.

What Preparation Is Needed?

Businesses likely to be affected may be asked in the individual EU Member States to take part in a consultation before the EU Cybersecurity Directive is implemented into national law. Those businesses that are likely to fall under the new rules could start to prepare by undertaking the following actions: alert the Board about the incoming EU cybersecurity regime and plan resources to address it; set up procedures to address risk assessment, crisis management response, internal investigation (guided by legal counsel) and incident reporting; update and/or revise policy documentation; undertake training; re-evaluate and/or prepare a press strategy in the event of an IT security breach; and either reassess existing cyber insurance or take out a new policy. Also, businesses doing business with “Essential Service Operators” and key “Digital Service Providers” will have to consider how to factor in any possible downstream effects on them.

André Bywater and Jonathan Armstrong are commercial lawyers with Cordery in London, UK, where they focus on regulatory compliance, processes and investigations. Reach them at [email protected] and [email protected].
