In December 2015, the European Union concluded two long and important negotiations, reaching political agreement on the Network and Information Security Directive (NIS Directive) and the EU Data Protection Reform. The two legislative initiatives are to be formally adopted by the European Parliament and Council at the beginning of 2016. A two-year transition period for the Member States will follow.
The Directive harmonises cyber security requirements across the EU Member States by including in its scope the operators of essential services such as energy, transport, banking, financial market infrastructures, health, water and digital infrastructure providers. However, Member States have been left with some room to decide which digital infrastructure providers (such as internet exchange points, domain name system service providers, and top level domain name registries) should be included under their national laws, depending on their criticality to society or the economy.
The Directive’s scope is widened even further by including digital service providers (DSPs), which will be under strict obligations to take appropriate security measures and to notify incidents to the competent authorities. DSPs include online marketplaces, cloud computing services and search engines.
Looking at the specific regulatory areas, the Directive is divided into three pillars. Firstly, it aims to establish minimum levels of national capabilities, such as determining competent national authorities who monitor the application of NIS, setting up Computer Emergency Response Teams (CERTs) and requiring Member States to adopt NIS strategies.
Secondly, it establishes a cooperation network between the competent authorities of the Member States based on an NIS cooperation plan of the Union. A secure information-sharing system is to be set up, through which early warnings of risks and incidents are to be shared and coordinated responses ensured.
Thirdly, the Directive requires the entities that fall within its scope to implement state-of-the-art security measures that guarantee a level of security appropriate to the risk. One of the most important changes that the Directive introduces is the requirement to report incidents to the competent national authority if those incidents could significantly impact the continuity of services. The competent authority will decide whether public disclosure is necessary for the purposes of public awareness. Notification must be made without undue delay (24-72 hours) following the discovery of the incident.
Looking forward, the European Commission announced in its Digital Single Market Strategy that a contractual public-private partnership (PPP) in cyber security, in the area of technologies and solutions for online network security, will be launched in the first half of 2016. These are interesting developments, and the role and precise scope of such a PPP remain to be seen.
EU Data Protection Reform
The Reform replaces the current Data Protection Directive and the Council Framework Decision on police cooperation in criminal matters and the protection of personal data. It consists of two legislative initiatives: the General Data Protection Regulation, which lays down rules relating to the protection of individuals with regard to the processing of personal data, and the Data Protection Directive for the police and criminal justice sector, which covers the processing of personal data for law enforcement purposes. The Reform aims to strengthen citizens’ fundamental rights in the digital age and to simplify the rules for companies in the Digital Single Market.
The new rules give individuals more control over their personal data by: requiring that individuals be informed about how their data are processed; allowing data to be transferred between providers (data portability); allowing individuals to have their data deleted (the right to be forgotten); and requiring companies and organisations to notify serious data breaches.
One of the aims of the Reform is to take forward the goals of the Digital Single Market Strategy by unifying the rules on data protection in order to create business opportunities and encourage innovation. This will be achieved through the creation of one set of rules across the EU and the creation of one leading supervisory authority; non-EU companies will also have to apply these rules when operating in the EU. Further, the Reform encourages a risk-based approach and up-take of privacy-by-design methods.
Small and medium-sized enterprises (SMEs) are given some leeway: they do not have to appoint a data protection officer; they can charge a fee for access requests that are manifestly unfounded or excessive; they do not have to carry out a data protection impact assessment unless the processing presents a high risk; and they no longer have to notify their data processing activities to the supervisory authorities.
Data protection and fundamental rights in the field of police cooperation and law enforcement have also been strengthened. The Reform allows for more efficient and effective information exchange between Member States in the fight against terrorism and other serious crime. At the same time, it aims at protecting individuals’ personal data by respecting the principles of necessity, proportionality and legality, as well as providing all the appropriate safeguards such as supervision and effective judicial remedies. Furthermore, it outlines more detailed rules on the transfer of personal data to third countries.
As much as these new rules have been welcomed, some approach them with caution, citing concerns over the increased compliance workload and doubts about whether the upcoming legislation will actually remove the existing regulatory overlap. If those concerns prove founded, investors might be discouraged from investing in Europe and turn elsewhere instead.
Mari Kert-Saint Aubyn
This publication does not necessarily reflect the policy or the opinion of the NATO Cooperative Cyber Defence Centre of Excellence (the Centre) or NATO. The Centre may not be held responsible for any loss or harm arising from the use of information contained in this publication and is not responsible for the content of the external sources, including external websites referenced in this publication.