Until recently, cybersecurity rules in the EU were by and large a patchwork of national laws, with each EU member country applying its own cybersecurity requirements. That is changing, with cybersecurity now being addressed more systematically at the EU level, as illustrated by the recent entry into force of the EU General Data Protection Regulation (“GDPR”). EU rules in some cases harmonize national rules and in other cases provide an overlay on top of them. It is up to EU member countries to designate which regulator (national competent authority) deals with cybersecurity rules. This may vary, depending on the specific rules at issue. The designated authority could be a communications regulator, a data protection authority, or a cybersecurity agency.
While most companies have focused their attention on the GDPR, the regulatory framework at the EU level is composed of several different regulations or directives with differing goals and varying scope:
- The GDPR imposes cybersecurity obligations on all companies that process personal data.
- The ePrivacy Directive currently complements the GDPR and provides more specific rules that apply to providers of electronic communications services.
- The planned ePrivacy Regulation, which will replace the ePrivacy Directive once it is finalized and adopted, would no longer contain such rules, since they have been moved to a proposed directive intended to establish a European Electronic Communications Code (“EECC”).
- A separate directive on network and information systems security (“NIS Directive”) applies to critical infrastructure in specific sectors. The EECC and the NIS Directive cover processing activities generally, not just those involving personal data.
- Finally, the Cybersecurity Act refines the institutional framework for safeguarding cybersecurity in the EU.
We discuss each of these legislative measures in our “8-in-8 Recent Trends in European Law and Policy Alert Series: Cybersecurity and the EU: How to avoid making news in Europe for a data breach?” client alert.