The European Commission has published its proposal for legislation that will ensure a common level of network and information security across the EU, alongside its cybersecurity strategy.
The proposal is subject to approval by both the European Parliament and Council, but its main aspects include:
1. The adoption of a national strategy for network and information security, with the designation of a national authority for each country to prevent, handle and respond to network and information security risks and incidents.
2. Provisions for businesses to manage security risks and report security incidents to the new regulatory authority. This will apply to "market operators", defined as "a provider of information society services which enable the provision of other information society services", and includes e-commerce platforms, internet payment gateways, social networks, search engines, cloud computing services and app stores. Being defined as a market operator will place the service operator under an obligation to notify the regulatory authority of incidents having a "significant impact on the security of the core services they provide". It will then be for the authority to decide whether it informs the public, or requires the operator to inform the public, if disclosure of the incident is in the public interest. For a market operator, this change may mean implementing reporting policies and procedures to ensure compliance with its obligations. But more significantly, any security risks or incidents being made public have the potential to damage its reputation as a secure market operator.
3. A provision that each country should encourage the use of standards and specifications relevant to networks and information security.
4. Sanctions for breaches of the legislation. The Commission has, however, stated that it will be for each member state to determine the exact sanctions following implementation of the legislation, which are to be "effective, proportionate and dissuasive"; and
5. A cybersecurity strategy, which sets out the Commission's five strategic priorities: achieving cyber resilience; drastically reducing cybercrime; developing cyberdefence policy and capabilities; developing the industrial and technological resources for cybersecurity; and establishing a coherent international cyberspace policy for the EU and promoting core EU values.
Comment
If the legislation goes ahead as planned, there will almost certainly be an increased administrative and regulatory burden in ensuring compliance, which may well affect the commercial model of many operators.
Loretta Maxfield is a specialist IP, IT and Media Solicitor. If you need advice on cybersecurity please contact Loretta on 01382 229111 or email lmaxfield@thorntons-law.co.uk.