In a blog earlier this year we commented on the status of the European Union ("EU") Cybersecurity Strategy. Given that the Strategy's flagship piece of legislation, the draft EU Cybersecurity Directive, was not adopted within the proposed institutional timeline of December 2014 and the growing concerns held by EU citizens about cybercrime, it seems that an update on EU legislative cybersecurity developments is somewhat overdue.
As more of our lives are lived in a connected, digital world, the need for enhanced cybersecurity is evident. The cost of recent high-profile data breaches in the US involving Sony Pictures, JPMorgan Chase and Home Depot ran into hundreds of millions of dollars. A terrorist attack on critical infrastructure such as telecommunications or power supplies would be devastating. Some EU Member States have taken measures to improve cybersecurity, but there is wide variation across the 28-country bloc and little sharing of expertise between Member States.
These factors gave rise to the European Commission's (the "Commission") publication in February 2013 of a proposed Directive concerning measures to ensure a high common level of network and information security across the Union (interinstitutional file 2013/0027; the "proposed Directive"). The proposed Directive would impose minimum obligations on "market operators" and "public administrations" to harmonise and strengthen cybersecurity across the EU. Market operators would include energy suppliers, e-commerce platforms and application stores. The headline provision for businesses and organisations is the mandatory obligation to report security incidents to a national competent authority ("NCA").
Where do things stand in the EU institutions on the proposed Directive?
On 13 March 2014 the European Parliament (the "Parliament") adopted its report on the proposed Directive. It made a number of amendments to the Commission's original text including:
- the removal of "public administrations" and "internet enablers" (e.g. e-commerce platforms or application stores) from the scope of key compliance obligations;
- the exclusion of software developers and hardware manufacturers;
- the inclusion of a number of parameters to be considered by market operators to determine the significance of incidents and thus whether they must be reported to the NCA;
- the enabling of Member States to designate more than one NCA;
- the expansion of the concept of "damage" to include non-intentional force majeure damage;
- the expansion of the list of critical infrastructure to include, for example, freight auxiliary services; and
- the reduction of the burden on market operators, including a right to be heard, or to have their identity anonymised, before any public disclosure of an incident, and sanctions applying only where an operator intentionally failed to comply or was grossly negligent.
In May-October 2014 the Council of the European Union (the "Council") debated the proposed Directive at a series of meetings. It was broadly in favour of the Parliament's amendments but disagreed over some high-level principles. Specifically, in the interests of speed and efficiency, the Council preferred to use existing bodies and arrangements rather than setting up a new cooperation mechanism between Member States.
In keeping with the Council's general approach to draft EU legislation intended to harmonise practices between Member States, the institution also advocated the adoption of future-proofed flexible principles as opposed to concrete prescriptive requirements. Further, it contended that Member States should retain discretion over what information to share, if any, in the case of an incident, rather than imposing mandatory requirements.
In October-November 2014 the Commission, Parliament and Council commenced trilogue negotiations on an agreed joint text. The institutions were unable to come to an agreement during the negotiations due to the following sticking points:
- Scope. Member States are seeking the ability to assess (to agreed criteria) whether specific market operators come within the scope, whereas the Parliament wants all market operators within defined sectors to be captured.
- Internet enablers. The Parliament wants all internet enablers apart from internet exchange points to be excluded, whereas some Member States in the Council (France and Germany particularly) want to include cloud providers, social networks and search engines.
- There was also disagreement on the extent of strategic and operational cooperation and the criteria for incident notification.
What is the timetable for adoption of the proposed Directive?
There is political desire on the part of the Commission to see the proposed Directive adopted as soon as possible. The Council has also stated that "the timely adoption of … the Cybersecurity Directive is essential for the completion of the Digital Single Market by 2015".
Responsibility for enacting the reform now lies with the Latvian Presidency of the Council. On 30 January 2015, Latvian Transport Minister Anrijs Matiss stated that further trilogue negotiations would be held in March 2015, with the aim of adopting the proposed Directive by July 2015.
Once adopted, Member States would have 18 months under the proposed text to transpose the Directive into national law, so the national rules implementing it would not be expected to apply before early 2017.
How does the proposed Directive interact with other EU data privacy reforms?
In our previous blog we highlighted the difficulties facing market operators of complying with the proposed Directive in view of the potentially conflicting notification requirements in the existing e-Privacy Directive and the proposed General Data Protection Regulation (the "proposed GDPR").
Although the text of the proposed Directive does anticipate the proposed GDPR, obliging market operators to protect personal data and implement security policies "in line with applicable data protection rules", there has still been no EU guidance issued on how these overlapping or conflicting notification requirements would operate in practice.
Furthermore, any debate over which market operators fall within the scope of the breach notification requirements of the proposed Directive would seem to become largely superfluous once the proposed GDPR, with mandatory breach notifications for all data controllers, comes into force, at least for incidents that involve personal data. Incidents affecting network and information systems without any personal data being compromised would remain outside the GDPR's notification regime, so the proposed Directive's own scope would still matter for those.
Rather unsurprisingly, the Commission's broad reform has been somewhat diluted in Parliament and Council. This is a logical result of Member States seeking to impose their own standards, protect their own industries or harbouring doubts regarding the potential to harmonise practices where cybersecurity/infrastructure measures diverge markedly in sophistication and scope.
Nonetheless, the proposed Directive does still impose serious compliance obligations on market operators in relation to cybersecurity incident handling and notification.
At the risk of sounding somewhat hackneyed, cyber data breaches are no longer a question of "if" but "when" for private and public sector bodies alike. Indeed, there is an increasing awareness that a high level of security in one link is of no use if it is not replicated across the whole chain. Whether the proposed Directive meets its aim of reducing weak links across the EU remains to be seen.