Proposals are afoot in Brussels to introduce new cyber security standards, improve the detection of cyber security risks and incidents and introduce new reporting requirements and co-operation mechanisms. The aim? To reduce the high cost to trade and the damaging negative publicity caused by cyber crime.
Unlike existing security breach notification requirements for the telecoms sector, the proposed Cyber Security Directive will require notification of potential security risks. It will also require actual incidents to be reported to cyber security authorities that will be established across Europe.
Organisations that will be effected by the proposed new Cyber Security Directive are:
- public authorities;
- information society service providers, such as providers of e-commerce platforms, social networks, cloud computing services, application stores, internet payment gateways and search engines;
- entities that operate critical infrastructure, including energy suppliers and transport carriers (such as air carriers, rail transport operators and logistics service providers);
- health sector organisations (including private clinics); and
- banking and credit institutions and stock exchanges.
While ultimately the aim of the proposed law is to reduce cyber crime, the European Commission considers that the benefits would be felt much more widely than the organisations caught by the Directive. For example, online retailers' sales are expected by the European Commission to increase significantly as a result of increased confidence in online security.
Organisations caught by the Directive may face disproportionately high costs in the overall scheme of things. While the European Commission has given some indication that it will seek to keep the burden on SMEs proportionate, this provides little comfort for others affected by the Directive (including those who may or may not be able to pass on the costs to the wider online community).
A new cyber security strategy
Earlier this year the European Commission published a Cyber Security Strategy, including a proposed Cyber Security Directive to improve Network and Information Security (NIS) standards across the EU.
The strategy aims to create an open, safe and secure cyberspace and combat cybercrime by introducing minimum requirements for NIS standards across Europe.
The European Commission believes NIS standards are vitally important to create a reliable environment for worldwide trade. In the past few years inadequate internet security has undermined users' confidence in banking and purchasing over the internet, which in turn has affected online trade.
How will the new regime work?
The European Commission proposes to ensure all Member States meet certain minimum security standards by implementing a Cyber Security Directive to:
- establish a public authority in every Member State to manage NIS standards (competent authority);
- ensure cooperation between the competent authorities to enable secure and effective coordination of the NIS strategy; and
- stimulate investment and cooperation from the private sector so it develops its own resilience capabilities and shares best practice.
The Cyber Security Directive gives Member States a degree of flexibility to implement the Directive in their own national legislation to ensure the Member State's essential security interests are protected.
At the heart of the Cyber Security Directive is the establishment of a NIS competent authority in each Member State and the implementation of a Europe-wide cooperation network for the exchange of NIS information.
Each Member State's competent authority will play a pivotal role in providing early warnings to other competent authorities through the cooperation network. The cooperation network will enable Member States to share information relating to circumstances which have:
- a potential effect on security (referred to as "risks" in this note); and
- had an actual adverse effect on security (referred to as "incidents" in this note).
Who is affected?
The Cyber Security Directive requires, and is reliant on, public authorities and 'market operators' feeding information relating to incidents into the cooperation network. The term 'market operators' is wide and includes:
- information society service providers, such as:
- providers of e-commerce platforms;
- social networks;
- cloud computing services;
- application stores;
- internet payment gateways (e.g. WorldPay); and
- search engines.
- operators of critical infrastructure, such as:
- energy suppliers;
- transport carriers (such as air carriers, rail transport operators and logistics service providers);
- health sector organisations including private clinics, banking and credit institutions and stock exchanges.
Therefore, the Cyber Security Directive will have a direct impact on key players and stakeholders in the World Wide Web including global technology brands such as Microsoft, Facebook and Google. It will also directly impact SMEs that fall within the definition of market operators.
Cost of implementation
Although the European Commission's strategy is reliant on proactive and reactive input from the private sector, it has given little thought to the private sector's cost of compliance with the Cyber Security Directive. The European Commission has commented that the costs for the private sector would be limited "since many of the entities concerned are already supposed to comply with existing security requirements".
SMEs should be afforded some relief as the European Commission has commented that:
- NIS requirements should be proportionate to the risk presented by the network or information system concerned;
- NIS requirements are not intended to be overly burdensome to SMEs; and
- some obligations will not apply to micro enterprises.
The exemption for micro enterprises will provide limited relief as micro enterprises are defined as organisations which employ fewer than ten people and whose annual turnover does not exceed €2 million. Other SMEs are not exempted and will be required to comply with the Cyber Security Directive in full.
In practice, the competent authority will be provided with limited resources to police compliance with the Cyber Security Directive and, as such, enforcement action will generally be taken against large and high-profile organisations.
Network and Information Security v Data Protection Regulation
There is some overlap between the Cyber Security Directive and the proposed draft Data Protection Regulation published by the European Commission in January 2012.
Under the draft Data Protection Regulation, all personal data breaches, no matter how small, must be notified to the relevant data protection authority without undue delay and where feasible within 24 hours of the data controller becoming aware of it. If the data controller does not comply with this obligation it could receive a hefty fine of up to 2% of global annual turnover.
If the Cyber Security Directive and the draft Data Protection Regulations are both implemented in their current form, market operators will be required to bring incidents that relate to personal data to the attention of both the Information Commissioners Office (ICO) and the UK's NIS competent authority. Failure to make full and accurate disclosure could lead to sanction from both the ICO and the UK's NIS competent authority.
Opinion of the European Data Protection Supervisor
On 14 June, the European Data Protection Supervisor (EDPS), an independent supervisory authority appointed by the European Parliament and the European Council, issued an opinion criticising both the European Commission's strategy and the Cyber Security Directive. Alongside this it proposed practical changes to make the Directive more effective.
The EDPS welcomes that the EU has put forward a strategy on increasing internet security; however, in its detailed opinion it raises a number of issues including the following:
- the European Commission's strategy and the Directive do not sufficiently reference or recognise existing and proposed legislation, including the proposed draft Data Protection Regulations. Accordingly, the strategy fails to provide a comprehensive and holistic view of cyber security;
- the European Commission's strategy and the Directive do not sufficiently recognise the role and involvement of current national data protection authorities such as the ICO;
- it is not clear how personal data will be safeguarded as it is exchanged within the cooperation network;
- various key definitions are undefined or remain unclear, including the meaning of 'market operators', 'incident', and 'cybercrime'; and
- there is a lack of clarity around the circumstances of when a notification is required.
At this stage the Cyber Security Directive is still a proposal. The European Commission will continue to assess its cyber strategy with a view to finalising and adopting the Cyber Security Directive as European law. The European Commission will presumably take the EDPS's opinion into account before issuing an updated version of the Cyber Security Directive.
When implemented, the Cyber Security Directive will impact us all. It is likely to have direct financial implications for the public sector and market operators, but the financial cost and operational changes required to comply with the Cyber Security Directive cannot be quantified at this stage.