Locke Lord QuickStudy: EU Cyber Security Directive (CSD) Introduces Cross Sector Data Breach Notification

The European Parliament, the Council and the Commission have agreed on the first EU-wide legislation on cybersecurity. Under the new measure, internet companies such as Google, Amazon, eBay and Cisco, but not social networking platforms like Facebook, will be required to report serious cyber incidents to national authorities, which in turn will be able to impose sanctions on companies that fail to do so. The CSD also suggests that market operators will be liable regardless of whether or not they carry out the maintenance of their network internally or if they outsource it. Under the CSD, all EU Member States are required to adopt network and information security strategies and set up teams to respond to incidents. 

Computing resources such as networks and databases that enable essential services, businesses and the internet to function are affected by an increasing number of cyber security incidents. Whilst the various EU bodies involved in drafting the CSD recognise that these incidents can have different origins, including technical failures, unintentional mistakes, natural disasters or malicious attacks, their concern (and the underlying ration d’etre for the legislation) centres around the disruption these incidents could have on the supply of essential services such as electricity, water, healthcare, or transport services.

The Commission has stated that it is a priority for it to assist in preventing these incidents, and in the event that they occur, to provide the most efficient response. This was one of the main reasons for the 2013 Commission proposal for a Directive to ensure a high common level of Network and Information Security (NIS) in the EU. On December 7, 2015, the European Parliament and the Luxembourg Presidency of the EU Council of Ministers reached an agreement on the rules which will improve cybersecurity capabilities in Member States, improve Member States’ cooperation on cybersecurity and require operators of essential services in the energy, transport, banking and healthcare sectors, and providers of key digital services (like search engines and cloud computing), to take appropriate security measures and report incidents to the relevant national authorities. Firms in these sectors will have to ensure that the digital infrastructure they use to deliver essential services, such as traffic control or electricity grid management, is robust enough to withstand cyber attacks.

Next steps
The presidency of the European Council is due to present the agreed text for approval by the member states’ ambassadors at the Permanent Representatives Committee on December 18, 2015. After that it will be published in the EU Official Journal and will officially enter into force. Member States will have 21 months to implement this Directive into their national laws and a further 6 months to identify operators of essential services.

The Commission has stated that it intends to maintain the momentum it has achieved by the agreement on the CSD by launching a public-private partnership on cybersecurity in 2016.