On July 6, 2016, the European Parliament adopted the Directive on Security of Network and Information Systems, which sets the first EU-wide rules on cybersecurity. Although the law does not come into effect until May 2018, companies operating in the European Union should determine now whether the law applies to them and, if so, what they must do to be in compliance.
The Directive has three goals:
- Improving cybersecurity capabilities at the national level: Requiring each EU Member State to craft a cybersecurity strategy, designate a national authority to monitor implementation of the Directive, and establish one or more Computer Security Incident Response Teams (CSIRTs) to monitor data breach incidents;
- Increasing EU-level cooperation: Establishing a Cooperation Group to help EU Member States facilitate the exchange of information; and
- Providing risk management and incident reporting obligations for operators of essential services and digital service providers: Requiring digital service providers and companies "that provide a service which is essential for the maintenance of critical societal/economic activities" to ensure a level of security of network and information systems to prevent and minimize the impact of incidents on the IT systems used to provide their services.
The companies defined by the Directive as providing "essential" services include those in the following sectors: energy, transportation, banking, financial services, health care, drinking water supply and distribution, and digital infrastructure (such as internet exchange points, domain name system providers and registries). Digital Service Providers (DSPs) include online marketplaces (e.g., Amazon), cloud computing providers (e.g., Microsoft, SalesForce) and search engines (e.g., Google). Micro and small companies, as defined in European Commission Recommendation 2003/361/EC, do not fall under the scope of the Directive.
As to the incident reporting obligations, the Directive does not explicitly define how significant a breach must be to require notification to national authorities, but identifies five parameters in the analysis: (1) the number of users affected, (2) the duration of the incident, (3) the geographic spread, (4) the extent of the disruption and (5) the impact on economic and societal activities. The European Commission will further specify these parameters in the coming months. Once triggered, a reporting obligation requires a company to notify the relevant national competent authority and/or CSIRT. This requirement is in addition to any consumer or user data breach notification obligations that apply to the company in question.
In order to comply with the Directive, companies that are impacted must also take appropriate security measures to ensure the security of their network and information systems and implement an incident response plan to handle data breach incidents.
The European Parliament's passage of this Directive underscores the vital need for companies to keep their cybersecurity measures up to date and to create effective incident response plans tailored to the jurisdictions in which they conduct business. Miller & Chevalier can aid companies in preparing for compliance through the following services: (1) identifying sensitive, vital and regulated data and recommending proper cybersecurity measures to ensure that adequate protections are in place; (2) reviewing information technology contracts, particularly cloud computing contracts, for any cybersecurity, communication and oversight issues; and (3) helping create or develop appropriate incident response plans.
The full text of the European Commission press release can be found here.
For more information, please contact:
John C. Eustice, 202-626-1492