Gibson Dunn explains the New EU-Wide Rules on Cybersecurity

On July 6, 2016, the European Parliament officially adopted the Network and Information Security (NIS) Directive[1] which is expected to fully enter into force in May 2018.  The NIS Directive is the first set of cybersecurity rules to be implemented on the EU level, adding to an already complex array of laws which companies have to comply with when implementing security and breach response plans.  The Directive aims to set a minimum level of cybersecurity standards and to streamline cooperation between EU Member States at a time of growing cybersecurity breaches.

The final text (which took the EU and the Member States more than three years to iron out) sets out separate cybersecurity obligations for essential service and digital service providers.  Essential service providers include actors in the energy, transport, banking, financial markets, as well as health, water and digital infrastructure[2] sectors.  Digital service providers will include online marketplaces, search engines and cloud services (with an exemption for companies under 50 employees) but not social networks, app stores or payment service providers.  In terms of geographic scope, the Directive aims to address the potential incidents taking place “within the [European] Union”[3] and will apply to all entities providing the above services[4] within the EU territory/to EU residents, regardless of their physical location.  In particular, all digital service providers that are not established in the EU, but offer services covered by the Directive within the EU, are required to designate an EU-based representative.[5]

Companies covered by the NIS Directive will have to ensure that their digital infrastructure is robust enough to withstand cyber-attacks and may need to report major security incidents to the national authorities.  For many organizations, the Directive constitutes the first breach reporting requirement in the EU.  Businesses will also be required to apply procedures which demonstrate effective use of security policies and measures.

Digital Service Providers

Digital service providers will be obliged to report all incidents which have a “substantial impact” on their services (in terms of the duration, geographic spread and the number of users affected of the incident).  It will be up to regulators to decide whether to inform the public about these incidents after consulting the company involved.  The European Commission will have until August 2017 to clarify the EU-wide security and reporting obligations for digital service providers, including on which occasions they must notify cyber incidents to national watchdogsDigital service providers will surely watch this space with particular interest. 

As a practical matter, the Directive states that jurisdiction over a digital service provider should be attributed to the Member State in which it has its main EU establishment, which in principle corresponds to the place where the provider has its head office in the EU.[6]  Digital service providers not established in the EU, shall be deemed to be under the primary jurisdiction of the Member State where their EU representative has been appointed.[7]

Notably, where the incident involves personal data, there may be an additional requirement to report to data protection authorities, under the upcoming General Data Protection Regulation (GDPR)[8], which will come into effect on May 25, 2018.  The GDPR will also have a reporting provision for data breaches, although the notification obligation will focus on the protection of personal information, in contrast to the NIS Directive’s data reporting requirement which is aimed at improving computer and information technology systems overall.  Thus, it is possible that a single cybersecurity breach will need to be notified to more than one authority in each EU Member State affected.

Member State Obligations

The Directive itself is not directly applicable and will have to first be implemented by the Member States under national law, during 21 months (starting from August 2016) when they will, e.g., designate the competent national authorities, identify operators of essential services, indicate which types of incidents they must report and establish sanctions for failure to notify.[9]  Companies in question will have the right to appeal the decisions in accordance with the respective national rules.[10]

In addition, each Member State is to adopt a national strategy to maintain the security of network and information systems and will designate one or more national competent authorities to monitor the application of the Directive.  They are also to designate one or more Computer Security Incident Response Teams (CSIRTs) responsible for monitoring and responding to incidents, and providing early warnings about risks.

Uniform EU-wide rules?

For operators of essential services, Member States will identify the relevant operators and may impose stricter requirements than those laid down in this Directive (in particular with regard to matters affecting national security).  In contrast, Member States should not identify digital service providers (as the Directive applies to all digital service providers within its scope) and, in principle, may not impose any further obligations such entities.[11]  In addition, the competent authorities will be able to exercise supervisory activities only when provided with evidence that a digital service provider is not complying with its obligations under the Directive.  In this respect, the Directive and the implementing acts to be adopted by the European Commission should ensure a high level of harmonization for digital service providers with respect to security and notification requirements.  It is expected they will be developed with the involvement of the European Agency for Network and Information Security (ENISA) and stakeholders and will enable digital service providers to be treated in a uniform way across the EU.  This “fine print” (to be drawn up over the next 12 months) is sure to have a significant impact on the day to day operations of any EU-based digital business.

Another tool for coordination will be the envisaged “Cooperation Group” bringing together the relevant national authorities and the European Commission.  Similar to the “Article 29 Working Party” operating under the 1995 Data Privacy Directive (who will soon serve as the European Data Protection Board under the upcoming GDPR), the Cooperation Group will bring together regulators from very different legal cultures who hold different approaches to IT and security matters (e.g., affecting national security).  Hopefully, the Commission will play an active role in building trust and consensus among the Cooperation Group members with a view of providing meaningful and clear guidance to businesses.

ENDNOTES

   [1]   Directive of the European Parliament and of the Council concerning measures for a high common level of security of network and information systems across the Union (not yet published in the Official Journal).  See European Commission Press Release, July 6, 2016, available at http://europa.eu/rapid/press-release_STATEMENT-16-2424_en.htm.

   [2]   E.g., domain name systems (DNS) providers and top level domain (TLD) registries, see Article 4, NIS Directive.

   [3]   Article 1(1), NIS Directive.

   [4]   With regard to essential services, the Directive will apply to all entities identified by the respective national authorities as “essential” providers of such services in that Member State, see Article 5(2), NIS Directive.

   [5]   Article 18(2), NIS Directive.

   [6]   Article 18(1), NIS Directive.  This criterion will not depend on whether the network and information systems are physically located in a given place. See Recital 64, NIS Directive.

   [7]   Article 18(2), NIS Directive.

   [8]   REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ 59/2016, L 119/1.

   [9]   Member States will have an additional 6 months after the transposition into national law to identify operators of essential services (i.e., a total of 27 months), see Article 5(1), NIS Directive.

[10]   These should respect the fundamental rights of the effective remedy and the right to be heard, see Recital 75, NIS Directive.

[11]   Article 16 (10), NIS Directive.

This post comes to us from Gibson Dunn & Crutcher LLP It is based on their memorandum, “New EU-Wide Rules on Cybersecurity: Watch the Fine Print,” published July 22, 2016, and available here.