European Commission publishes cybersecurity strategy and draft directive: IP and IT issues | Practical Law


The European Commission has published a proposal for a directive to ensure a high common level of network and information security across the EU and, at the same time, a communication setting out an EU cybersecurity strategy, a key element of which is the directive. (Free access.)


by PLC IPIT & Communications
Published on 14 Feb 2013 (European Union)

Speedread

The European Commission has published a proposal for a directive to ensure a high common level of network and information security across the EU and, at the same time, a communication setting out an EU cybersecurity strategy, a key element of which is the directive. In the strategy document, the Commission identifies priorities such as cyber-resilience, reducing cybercrime and developing an international policy, and recommends what action should be taken by member states, industry and others. The draft directive includes measures requiring member states to designate a national competent authority to handle network information security risks and incidents, and to create a co-operation mechanism to share early warnings. It also imposes certain obligations to manage risk and report major security incidents on operators of critical infrastructures, enablers of information society services (such as social networks, search engines and cloud computing services) and public administrations. The provisions of the proposed directive and scope of the strategy document highlight the importance the Commission is giving to the issue of cybersecurity. The measures in the directive are ambitious and, while industry will welcome there being more focus on cybersecurity, there are likely to be concerns about the broad scope of some of the provisions, particularly those on the reporting of incidents.

Background

In July 2012, the European Commission launched a public consultation on a new strategy for network and information security (see Legal update, European Commission consults on new cyber security strategy). This found (among other things) that 57% of respondents had experienced security problems over the previous year that had a serious impact on their activities.

Facts

On 7 February 2013, the Commission published a proposal for a directive to ensure a high common level of network and information security across the EU. At the same time, it published, together with the High Representative of the EU for Foreign Affairs and Security Policy (appointed by the European Council to represent the EU in foreign policy negotiations), a Joint Communication setting out an EU cybersecurity strategy, a key element of which is the directive.
The proposed directive will be subject to the ordinary legislative procedure, so that both the European Parliament and the Council will need to approve the final text.
The following is a summary of the main aspects of the directive and the cybersecurity strategy.

Proposed cybersecurity directive

One of the initial provisions in the draft directive is a requirement for member states to adopt a national strategy for network and information security, which should be sent to the Commission within one month of its adoption (Article 4).
The proposed directive also contains measures requiring member states to designate a national competent authority to prevent, handle and respond to network information security risks and incidents. It specifies that a computer emergency response team should be established under the authority's supervision.
Articles 8 to 13 of the directive concern the setting-up of a co-operation network between competent authorities and the Commission, including an early warning system for certain incidents, such as those that may grow rapidly in scale or affect more than one member state. Competent authorities should regularly publish on a dedicated website information about ongoing early warnings on incidents and on co-ordinated responses. They should also have in place a secure information-sharing infrastructure to allow for the exchange of sensitive and confidential information within the co-operation network.
Article 14 contains provisions for businesses to manage security risks and report security incidents to the competent authority. These provisions apply to "public administrations" and "market operators" providing services within the EU. A "market operator" is defined as:
  • A "provider of information society services which enable the provision of other information society services". Annex II of the directive sets out a non-exhaustive list of such operators, namely: e-commerce platforms, internet payment gateways, social networks, search engines, cloud computing services and application stores.
  • An "operator of critical infrastructure that are essential for the maintenance of vital economic and societal activities in the fields of energy, transport, banking, stock exchanges and health". (Again, annex II provides a non-exhaustive list of such operators.)
Under the proposals, such businesses must notify the competent authority of incidents having a "significant impact on the security of the core services they provide". The authority may then inform the public or require the operator to do so if it considers that disclosure of the incident is in the public interest. (The competent authorities may adopt guidelines on the circumstances in which businesses are required to notify them of incidents.)
The directive provides that the competent authorities should report incidents of a suspected serious criminal nature to law enforcement authorities. They should also work in close co-operation with personal data protection authorities when addressing incidents resulting in personal data breaches. The Commission envisages that, with the assistance of the European Network and Information Security Agency (ENISA), common reporting systems could be developed, avoiding the need for two sets of notifications.
Under Article 17, member states are to set out rules on the sanctions for infringement of the directive's provisions which should be effective, proportionate and dissuasive.
The proposed directive does not impose any specific technical standards or mandate particular technological solutions, but provides that member states should encourage the use of standards and specifications relevant to networks and information security (Article 16).

Cybersecurity strategy

The strategy document outlines the Commission's vision for cybersecurity and the short- and long-term action required, with the aim of making the EU's online environment the safest in the world. Its vision is set out in five strategic priorities, namely:
  • Achieving cyber resilience.
  • Drastically reducing cybercrime.
  • Developing cyberdefence policy and capabilities related to the Common Security and Defence Policy.
  • Developing the industrial and technological resources for cybersecurity.
  • Establishing a coherent international cyberspace policy for the EU and promoting core EU values.
In the strategy document, the Commission invites other parties, including member states, industry and ENISA, as well as the European Parliament, to take certain action and stresses the need to work in partnership. Among other things, it asks:
  • The European Parliament and Council to swiftly adopt the proposed directive.
  • ENISA to assist member states in developing strong national cyber resilience capabilities by, in particular, building expertise on security and resilience of industrial control systems, transport and energy infrastructure.
  • ENISA to develop, together with the relevant competent authorities referred to in the proposed directive and other parties, technical guidelines and recommendations for network and information security standards and good practices in the public and private sector.
  • Member states to step up national efforts on education and training in this area.
Among the actions the Commission outlines for itself are to:
  • Launch in early 2013 an EU-funded pilot project on fighting botnets and malware, to provide a framework for co-ordination and co-operation between member states, private sector organisations (such as internet service providers) and international partners.
  • Support the recently established European Cybercrime Centre as the EU focal point in the fight against cybercrime (see Legal update, European Council endorses European Commission's proposals on EU cybercrime centre).
  • Build on recent initiatives to continue strengthening the EU's efforts to tackle child sexual abuse online.
  • Launch in 2013 a public-private platform for network and information security solutions.

Comment

The provisions of the proposed directive and scope of the strategy document highlight the importance the Commission is giving to the issue of cybersecurity and the need for a unified approach.
It aims through the directive to establish a level playing field for cybersecurity across member states and close any existing legislative loopholes. The approach to cybersecurity across the EU has to date been fragmented and, as the Commission notes, the EU's overall network and information security is weakened by those states with an insufficient level of protection.
The measures in the draft directive are ambitious and, while industry will welcome there being more focus on cybersecurity, there are likely to be concerns about the broad scope of some of the provisions as they are currently drafted, particularly the provision on the reporting of incidents. A wide range of operators, including an indefinite range of internet service providers, are potentially subject to the reporting requirements, which will add a further regulatory burden.

Sources