May 202016

Council Adopts EU-wide Cybersecurity Directive

Cameron F. Kerry, William RM Long and Francesca Blythe
, , , , , , , , ,

On May 17, 2016, the European Council formally adopted the Network and Information Security Directive (the “NIS Directive“) at first reading. According to the Council press release, the NIS Directive is meant to increase cooperation among EU Member States on the vital issues of cybersecurity.

The NIS Directive was first proposed by the European Commission in 2013 as part of the EU’s Cyber Security Strategy. The formal adoption of the NIS Directive by the Council follows on from the political agreement reached in December 2015.  It must now be approved by the Parliament at second reading. The NIS Directive is expected to enter into force in August 2016, after which Member States will have 21 months to implement it into their national laws.

The key elements of the NIS Directive include:

  • a requirement for “operators of essential services” in critical infrastructure sectors (e.g. energy, transportation, healthcare and banking) and digital service providers (e.g. search engine operators, cloud computing services and ecommerce platforms) to implement appropriate technical and organisational measures to manage security risks and to notify the national competent authority of serious incidents;
  • the adoption by Member States of a national strategy to include policies and measures to maintain a level of network and information security;
  • the designation of a national competent authority to implement and enforce the NIS Directive and create Computer Security Incident Response Teams (“CSIRT”) responsible for investigating data security incidents and cybersecurity risks; and
  • the creation of a Cooperation Group to support and facilitate strategic cooperation and information exchange between Member States and a CSIRT Network to “promote swift and effective operational cooperation on specific cybersecurity incidents and sharing information about risks.”

Preparations for the implementation of the NIS Directive are underway and the CSIRT network has already held two informal meetings.

Cameron F. Kerry

ckerry@sidley.com

William RM Long

London

wlong@sidley.com

Francesca Blythe

London

fblythe@sidley.com

You might also like
FCC Proposes Updated Data Breach Reporting Requirements, Comment Period Ongoing

On January 6, 2023, the Federal Communications Commission (the Commission) released a unanimously adopted Notice of Proposed Rulemaking, “In the Matter of Data Breach Reporting Requirements” (Proposed Rule).  The Commission sought comments through February 22, 2023 on the Proposed Rule which will update its current data breach reporting rule. Reply comments are due on or before March 24, 2023.

Substantial changes to Hong Kong’s privacy laws coming

In a briefing to the Legislative Council (Hong Kong’s legislative body) on February 20, 2023, the Privacy Commissioner (“the Commissioner”) announced that substantive amendments to the Personal Data (Privacy) Ordinance (“PDPO”) will take place.

New FTC Guidance for Mobile Health Apps

Healthcare providers, health plans, and technology companies that use mobile health apps to access, collect, share, use, or maintain information related to an individual’s health should take note of the recently issued Federal Trade Commission (FTC) Mobile Health App Interactive Tool. The purpose of the tool is to help mobile health developers determine the federal regulatory, privacy, and security laws and regulations that may apply to the use of a consumer’s health information, such as information related to diagnosis, treatment, fitness, wellness, or addiction. While the tool should not be considered legal advice and cannot guarantee compliance with legal requirements, it can help healthcare providers, health plans, and technology companies issue-spot to manage risk in this heavily regulated space.