Dec 152015

Agreement has been reached on the first EU-wide cybersecurity legislation

William RM Long and Francesca Blythe
, , ,

In 2013, the European Commission put forward a proposal for a Network and Information Security Directive (the “NIS Directive”) as part of the EU’s Cyber Security Strategy. The European Parliament and Council of Ministers recently reached political agreement on the NIS Directive on 7 December 2015, which includes data breach notification obligations.

According to the Commission’s press release published on 8 December 2015, the NIS Directive will improve the cybersecurity capabilities of and cooperation between EU Member States. The Commissioner for the Digital Economy and Society further explained that this improved cooperation will assist the EU in its fight against increasing numbers of cyber attacks, commenting that “cybersecurity is essential in today’s European digital economy and society – and it remains a permanent challenge.

The key elements of the NIS Directive include:

  • a requirement for “operators of essential services” in critical infrastructure sectors (e.g. energy, transportation, healthcare and banking) and digital service providers (e.g. search engine operators, cloud computing services and ecommerce platforms) to implement appropriate technical and organisational measures to manage security risks and to notify the national competent authority of serious incidents.
  • the adoption by Member States of a national strategy to include policies and measures to maintain a level of network and information security;
  • the designation of a national competent authority to implement and enforce the NIS Directive and create Computer Security Incident Response Teams (“CSIRT”) responsible for investigating data security incidents and cybersecurity risks; and
  • the creation of a Cooperation Group to support and facilitate strategic cooperation and information exchange between Member States and a CSIRT Network to “promote swift and effective operational cooperation on specific cybersecurity incidents and sharing information about risks.”

The NIS Directive will now have to be formally approved by the Council and the Parliament. After that, EU Member States will have 21 months to implement the NIS Directive into their national laws.

William RM Long

London

wlong@sidley.com

Francesca Blythe

London

fblythe@sidley.com

You might also like
FCC Proposes Updated Data Breach Reporting Requirements, Comment Period Ongoing

On January 6, 2023, the Federal Communications Commission (the Commission) released a unanimously adopted Notice of Proposed Rulemaking, “In the Matter of Data Breach Reporting Requirements” (Proposed Rule).  The Commission sought comments through February 22, 2023 on the Proposed Rule which will update its current data breach reporting rule. Reply comments are due on or before March 24, 2023.

Substantial changes to Hong Kong’s privacy laws coming

In a briefing to the Legislative Council (Hong Kong’s legislative body) on February 20, 2023, the Privacy Commissioner (“the Commissioner”) announced that substantive amendments to the Personal Data (Privacy) Ordinance (“PDPO”) will take place.

It Is Now More Difficult For International Pharma To Transfer Data Out Of China

China’s new Measures for the Security Assessment of Outbound Data Transfers (the “Measures”) came into force on September 1, 2022. Pharma companies now have until February 28 to work out whether their activities mean they are affected, and to apply for the new type of data security assessment if they need it.