On June 29, 2015, the Council of the European Union (comprised of representatives of the 28 EU Member States) reached a political agreement with the European Parliament on the main principles of the draft Directive on Network and Information Security (NIS Directive) governing cybersecurity issues.1 The draft NIS Directive is an advanced piece of draft legislation in the EU that, once adopted, will likely concern a significant number of companies doing business in Europe.2 The final text is expected to be adopted sometime in late 2015; however, the ultimate timing will depend on political developments.
The draft NIS Directive was proposed by the European Commission on February 7, 2013, and is in the final stages of the EU legislative process. It is part of the European Commission’s broader Cybersecurity Strategy, which defines core principles and policies for cybersecurity in Europe.3 The Commission explains the need to propose a cybersecurity law by stating that:
“Cybersecurity incidents or breaches can have a major impact on individual companies and on Europe’s wider economy. [A] data breach could cost a company anything up to US$58 million, with […] reputational damage, loss of customers and market share.”4
The draft law would introduce the following aspects: (1) an incident notification requirement for companies; (2) an enforcement network comprised of national regulators and the European Commission; (3) regulatory investigations and audits; and (4) security requirements and standards.
What Industries Are Covered?
The draft NIS Directive would most likely affect the following types of companies:
- Critical infrastructure providers, such as companies from the financial, banking, energy, transport and health sectors; and
- A variety of Internet companies (e.g., domain names registries, e-commerce platforms, Internet payment services, social networks, search engines, cloud computing services, app stores).
While the initial Commission proposal included a detailed catalog of Internet industries that would be affected by the new breach notification requirements, the application of the NIS Directive to those industries has been heavily debated during the legislative process. Most likely, the NIS Directive will set out criteria on the basis of which national law would determine what types of Internet companies are covered.
In any event, once the NIS Directive has been adopted at the EU level, the EU Member States will have to transpose it into their own national law. It cannot be excluded that some national laws might go beyond the minimum requirements set out at the EU level and apply the cybersecurity rules to additional business sectors and/or set out additional requirements, which might lead to divergent cybersecurity laws in Europe.
Mandatory Notification of Cybersecurity Incidents
The draft NIS Directive would require a broad array of companies to notify cybersecurity incidents to national regulators. This would apply to incidents with a “significant impact” on the security of a company’s core services. However, a simplified regime might be introduced regarding Internet companies, the details of which are yet to be finalized.
Alongside the breach notification obligation, the draft NIS Directive also provides minimum security requirements for network and information systems. While the draft NIS Directive sets out these minimum security requirements, EU Member States would not be prevented from adopting a higher level of security, which might have an impact on the types of incidents that would have to be reported at national level.
In addition, the regulator would have the power to inform the public directly about a cybersecurity incident or to require the company to do so. The draft NIS Directive does not describe in detail the conditions of this mandatory notification regime, leaving leeway to national law to set out further criteria. However, the draft NIS Directive requires EU Member States to set out sanctions for non-compliance with the mandatory notification regime.
The Breach Notification Landscape in Europe
The draft NIS Directive builds on the existing EU privacy rules but goes beyond them. Under the existing EU privacy rules, only a limited number of EU countries have a general legal requirement for all sectors to notify data breaches to regulators.5 Currently, most EU countries only have a sector-specific requirement for telecom providers and Internet Service Providers (ISPs) to notify security breaches to regulators and affected individuals.6 However, this will change with the forthcoming adoption of the draft EU General Data Protection Regulation, which will impose a general data breach notification requirement in all EU Member States and for all sectors.7
Adding to this the upcoming breach notification requirement under the NIS Directive, companies will likely face a number of different and potentially conflicting breach notification requirements in Europe. It remains to be seen how far the various notification requirements will overlap and how regulators and companies will work together to make those requirements coexist in practice.
1 See the Council’s press release, http://www.consilium.europa.eu/en/press/press-releases/2015/06/29-network-information-security/.
2 Proposal for a Directive concerning measures to ensure a high common level of Network and Information Security across the Union, COM(2013) 48 final (February 7, 2013).
4 See FAQ on the proposed Cybersecurity Directive, available at http://europa.eu/rapid/press-release_MEMO-13-71_en.htm (February 7, 2013).
5 For more information, see C. Kuner, A. Pateraki, Eye On Privacy newsletter, available at http://www.wsgr.com/publications/PDFSearch/eye-on-privacy/Nov2012/index.html.
6 This is based on the implementation into national law of the EU e-Privacy Directive, Directive 2002/58/EC of 12 July 2002 on privacy and electronic communications, available at http://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX:32002L0058.