If a German company just like yours suffers a cyber-attack, would you be interested to discover that businesses just like yours are being targeted, and want information as to why? Would you like more understanding on how the breach was perpetrated so you could better protect your own business? Of course you would.
If you're the customer of a large healthcare provider, do you expect them to protect the systems that store details of your health complaints to reasonable standards? Of course you do. That kind of information sharing and cyber-threat prevention informed the thinking behind new EU cyber-security rules agreed this month.
After two years of negotiation, on 7 December 2015 a European Parliament press release reported that EU MEPs had closed a deal on the Network and Information Security Directive ("NIS Directive"). This agreement still needs to be formally approved by European legislators, but it creates the first ever EU rules on cyber-security. The full text is not yet published, but that should follow the formal rubber-stamping of the Eurocrats. Assuming all goes to plan, it should be implemented and form new law across the EU by the summer of 2018.
Who will be impacted?
This new cyber-law will catch operators of 'critical infrastructure' like banks, healthcare, transport and energy companies. In addition, and after much lobbying and dissent, digital services (search engines, online marketplaces and cloud providers) will also fall within the NIS Directive's ambit, but there remain some questions about how such digital entities will be identified and whether they will be subject to a framework of simplified rules (almost an 'NIS lite' if you like?). Telecom operators fall outside of its rules and under another regime.
What is required?
The NIS Directive would impose minimum obligations on these market operators as well as public administrations to harmonise and strengthen cyber-security across the EU by:
- Ensuring they establish appropriate security measures to protect their networks and data against cyber-security incidents; and
- Requiring these operators to report serious cyber-breaches to regulators.
In doing this, the NIS Directive aims to bolster the security of Europe's critical infrastructure and build trust ("the very foundations of a digital single market" according to Andrus Ansip, Vice-President for the Digital Single Market). Part of this effort will be to facilitate better cooperation between EU Member States. A network of national Computer Security Incident Response Teams (CSIRTs) and national competent authorities will be established by each Member State, tasked with discussing cross-border security incidents and identifying coordinated responses to cyber-threats. We may potentially see a new 'Cyber Regulator' formed in the UK.
Prevention is better than cure
When NIS incidents occur, they can have a huge impact by compromising services or by interrupting the day-to-day operations of business. It is recognised that with increasing cross-border technological co-dependencies, an NIS incident in one country may have impact across the whole EU and undermine both market and consumer confidence.
By introducing more consistent risk management measures as well as the systematic reporting of incidents, the NIS Directive aims to help sectors dependent on IT systems to be more reliable and stable. The attempts to foster greater cooperation between Member States also seek to ensure a high level of cyber-security resilience throughout the EU. The NIS Directive's strategic cooperation group should exchange information and best practices, draw up guidelines and assist Member States in cyber-security capacity building.
At its inception, Neelie Kroes, then EC Vice-President for the Digital Agenda, emphasised: “The more people rely on the internet the more people rely on it to be secure. A secure internet protects our freedoms and rights and our ability to do business. It's time to take coordinated action - the cost of not acting is much higher than the cost of acting.”
In the meantime – what's the practical consequence?
This is an entirely new obligation for businesses that fall within the NIS Directive's ambit. Those businesses that are caught will need to take a serious look at their preparedness for preventing, managing and responding to a cyber-security breach. This will necessitate system-wide security reviews and the creation of cyber breach management policies, incident response teams and awareness-raising programs. This is of course the reaction the EU is looking for.
The agreement of the NIS Directive represents one step in wider ongoing regulatory reform around digital platform regulation and data privacy and security rules. Early 2016 will herald a wealth of legal development in this area, as the final text of the General Data Protection Regulation (GDPR) (reforming the EU's privacy laws) is also expected shortly. Likely to be introduced within a similar timeframe, the GDPR will also lay down new rules to ensure security for personal data processed within the EU, as well as introducing a duty to notify data regulators when security breaches involving personal data occur. When it comes to security breaches, some EU businesses will be juggling response obligations across different pieces of legislation and will be reporting issues both to the relevant data protection authority and to a national competent authority.
For some time Europe has been considered ahead of the US in terms of data privacy and security, but it's interesting to note that the US already has state-level data breach reporting requirements in most states and an emerging federal level cyber-security strategy.
When it comes to cyber-security preparedness then, the EU is really playing catch-up so the NIS Directive, once finally adopted, will be a welcome development.
Mark Webber, Technology partner advising on EU-based technology transactions at Fieldfisher