This is the sixth issue of WilmerHale’s 8-in-8 Recent Trends in European Law and Policy Alert Series. Our attorneys will share insights on current and emerging issues affecting companies doing business in Europe and across the Atlantic. Attorneys from across various practice groups at the firm will offer their take on issues ranging from Brexit to Big Data to EU energy market regulation. WilmerHale has offices in key European capitals, including Brussels, Berlin, Frankfurt and London, as well as lawyers qualified in a range of European countries. With one of the leading European law and policy practices in the world, we follow and work on a broad range of EU legal and policy issues, including data protection and privacy, competition, trade, technology, intellectual property, financial services, and a range of other EU and transatlantic regulatory and policy challenges that our clients face. Read all issues in this series and our other recent publications.
Until recently, cybersecurity rules in the EU have by and large been governed by a patchwork of national laws containing cybersecurity requirements applied by different EU member countries. That is changing, with cybersecurity now being addressed more systematically at the EU level, as illustrated by the recent entry into force of the EU General Data Protection Regulation (“GDPR”). EU rules in some cases harmonize national rules and in other cases provide an overlay on top of them. It is up to EU member countries to designate which regulator (national competent authority) deals with cybersecurity rules. This may vary, depending on the specific rules at issue. The designated authority could be a communications regulator, a data protection authority, or a cybersecurity agency.
While most companies have focused their attention on the GDPR, the regulatory framework at the EU level is composed of several different regulations or directives with differing goals and varying scope:
- The GDPR imposes cybersecurity obligations on all companies that process personal data.
- The ePrivacy Directive currently complements the GDPR and provides more specific rules that apply to providers of electronic communications services.
- The planned ePrivacy Regulation, which will replace the ePrivacy Directive once it is finalized and adopted, would no longer contain such rules, since they have been moved to a proposed directive intended to establish a European Electronic Communications Code (“EECC”). A separate directive on network and information systems security (“NIS Directive”) applies to critical infrastructure in specific sectors. The EECC and the NIS Directive cover processing activities generally, not just those involving personal data.
- Finally, the Cybersecurity Act refines the institutional framework for safeguarding cybersecurity in the EU.
We discuss each of these legislative measures below. Companies should carefully consider what cybersecurity obligations they have in the EU, based both on current legislation in force and soon-to-be adopted measures.
Current EU legislation
1. The GDPR (our previous alert on the GDPR is available here);
2. The NIS Directive (Directive concerning measures for a high common level of security of network and information systems across the EU, available here);
3. The ePrivacy Directive (Directive concerning the processing of personal data and the protection of privacy in the electronic communications sector, available here);
Upcoming EU legislation
4. The ePrivacy Regulation (Regulation concerning the respect for private life and the protection of personal data in electronic communications – the EU Council’s latest draft version of the proposal is available here) to replace the ePrivacy Directive;
5. The EECC (Directive establishing the European Electronic Communications Code – the European Commission’s proposal is available here);
6. The Cybersecurity Act (Regulation on ENISA – the European Commission’s proposal is available here).
1. Cybersecurity in the GDPR. The GDPR took effect on May 25, 2018. It requires all companies that process personal data to implement appropriate technical and organizational measures to ensure a level of security that is appropriate to the risk. The GDPR also requires companies to notify a security breach that is likely to result in a “risk” to the rights and freedoms of the individuals concerned to the national data protection authority within 72 hours or, if this is not feasible, as soon as possible. With certain exceptions, companies must also disclose a breach directly to the individuals concerned without undue delay where that breach is likely to result in a “high risk” to the individual’s rights and freedoms. Companies that process personal data on behalf of another company must notify any breach to their customer.
The European Data Protection Authorities have already published some guidelines (available here) to help companies understand the breach notification requirements. In particular, these guidelines recommend that companies take into account specific criteria when assessing whether there is a risk or a high risk. These criteria include the type of breach, the nature, sensitivity and volume of personal data, how easy it is to identify individuals, the severity of consequences of the breach for individuals, special characteristics of the individual concerned and the company in question and the number of affected individuals. The guidelines also specify when a data controller or processor should be deemed to be aware of a breach, since that triggers the countdown to the deadline for notifying the breach, if required. Non-compliance with these obligations in the GDPR is subject to a maximum fine of up to €10 million or 2% of a company’s total worldwide annual turnover, whichever is higher. In practice, though, Data Protection Authorities will have to consider the gravity of and reaction to any data breach in order to ensure that the fines they impose are proportionate.
2. Cybersecurity in the NIS Directive. The NIS Directive took effect on May 10, 2018. Although EU Member States had to transpose the Directive into national law by that day, some of them have not met that deadline (e.g., France has only partially transposed the Directive, while transposition is still in progress in Ireland and Spain – the state-of-play of the transposition of the Directive can be found here). In contrast to the GDPR, the NIS Directive imposes cybersecurity obligations on only two categories of companies: (1) operators of essential services (“OES”); and (2) digital service providers (“DSPs”), irrespective of whether they process personal data.
More specifically, the NIS Directive applies to OES in specific sectors, including energy, transportation, banking, financial market infrastructure, healthcare, water supply and distribution, and digital infrastructure (e.g., internet exchange points, domain name system service providers and top-level domain name registries). DSPs include online marketplaces, online search engines, and cloud computing services. The Directive does not apply to companies providing public communications networks or publicly available electronic communications services, since these infrastructures are covered by the ePrivacy Directive and will be covered in the future by the EEEC.
Under the NIS Directive, companies must implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. This implies a comprehensive risk assessment as a starting point. Also, companies must notify incidents that impact their services, such as a cyber attack, without undue delay (i.e., as soon as possible, unless there is a justified reason for a delay) to the national competent authority. Each EU member country is responsible for designating this authority, which is generally an agency that oversees network and IT security (e.g. the Agence Nationale de la Sécurité des Systèmes d’Information in France or the Bundesamt für Sicherheit in der Informationstechnik in Germany). OES must notify incidents having a “significant” impact on the continuity of their services to the authority, while DSPs must notify incidents having a “substantial” impact on their services. The Directive only provides very general criteria to determine whether an incident is significant or substantial; further guidance is expected.
It is up to EU member states to determine the fines for non-compliance with the obligations in the NIS Directive. Although they will likely vary, given the importance of the infrastructure at issue, they can be expected to be significant. For example, the UK NIS Regulations (available here) provide that fines could be as much as £17 million or 4% of global turnover.
3. Cybersecurity in the ePrivacy Directive. The 2002 ePrivacy Directive, which is still in force, was drawn up to complement the Data Protection Directive (the predecessor of the GDPR, adopted in 1995). It also provides more specific rules regarding the processing of personal data in the context of electronic communications services provided to the public. The ePrivacy Directive requires providers of publicly available electronic communications services to adopt appropriate security measures. They must notify all personal data breaches to the national competent authority designated to that end within 24 hours and to their subscribers or other affected individuals without undue delay, where the breach is “likely to adversely affect” their personal data or privacy. The competent authority can be the data protection authority, as in France (the Commission Nationale de l’Information et des Libertés) or a communications or network regulator as in Germany (Bundesnetzagentur). A Commission implementing regulation (available here) specifies that this trigger should be assessed by taking into account the nature and content of the personal data concerned, the likely consequences of the personal data breach for the individual concerned, and the circumstances of the personal data breach.
The e-Privacy Directive also requires service providers to inform subscribers of a “particular risk” of a breach of network security, even where this is not under the control of the service provider, with an indication of the measures that can be taken to protect against this risk. For example, service providers that offer publicly available electronic communications services over the Internet should inform users and subscribers of measures they can take to protect the security of their communications, for instance by using specific types of software or encryption technologies.
4. Cybersecurity in the ePrivacy Regulation. On January 10, 2017, the European Commission published its proposal to replace the ePrivacy Directive with an ePrivacy Regulation. The regulation will have the force of law without requiring national implementing measures. It is intended to complement the GDPR and provide further tailored regulation for electronic communications service providers.
Currently, it is still unclear when the final text will be adopted. The draft ePrivacy Regulation would extend the application of e-privacy rules to ‘over-the-top’ content providers, such as VoIP, text messaging including through social media, and email providers. The initial draft Regulation maintained the ePrivacy Directive rules on data security and breach notification. However, the European Parliament has proposed to eliminate these provisions, since it views them as adding little to the framework provided by the GDPR, the EECC and the NIS Directive. The proposal for an ePrivacy Regulation as amended by the European Parliament no longer includes these rules. The legislation is now in the hands of the European Council for final adoption or further amendment, prior to trilogue negotiations between the Commission, Parliament and the Council to produce a final text of the regulation.
5. Cybersecurity in the EECC. The European Parliament and the Council reached a political agreement to update EU telecommunications regulation on June 6, 2018. The EECC would set out, in a single unified text rather than in differing regulations with varying scope that exist now, the rules that apply to companies providing public communications networks or publicly available electronic communications services, including over-the-top services, irrespective of whether they process personal data. The EECC provides that EU member countries should ensure that such companies take appropriate technical and organizational measures to appropriately manage the risks posed to the security of their networks and services. They must also guarantee the integrity of their networks to ensure continuity of service provided over these networks.
EU member countries must ensure that companies providing public communications networks or publicly available electronic communications services notify the national competent authority without undue delay of a breach of security that has had a significant impact on the operation of their networks or services. The competent authority concerned may inform the public or require companies to do so where it determines that disclosure of the breach is in the public interest. It is for each EU member country to decide which national authority will be responsible (e.g., the communications regulator or the data protection authority).
6. The EU Cybersecurity Act. On June 8, 2018 the European Council adopted its negotiating position on a proposal for an EU Cybersecurity Act, for negotiations with the European Parliament on a final text. The proposed Act would upgrade the existing European Union Agency for Network and Information Security (“ENISA”) into a permanent EU agency for cybersecurity, while it currently operates on a fixed-term mandate that would otherwise require periodic renewal. The Act would also create an EU-wide certification framework for information and communications technology products and services.
The Agency would get more resources, both in terms of staff numbers and budget, and take on additional responsibilities, such as organizing annual pan-European cybersecurity exercises; advising Member States on implementation of the NIS Directive, and supporting and promoting EU policy on cybersecurity certification. The Agency is intended to be a center of excellence and resource for cybersecurity in the EU.
The new European cybersecurity certification schemes for ICT products, services and processes are intended to increase trust and security by attesting compliance with specified cybersecurity requirements. These certification schemes are also meant to address barriers in the single market caused by the existence of different national certification processes. The details of these certification schemes and requirements will be important to network and data service operators, including cloud computing service providers.
Conclusion. The EU is building a more comprehensive regulatory framework for cybersecurity. Specific instruments (the NIS Directive, the EECC and the ePrivacy Directive / Regulation) will coexist with the GDPR, which provides the general basis for requiring cybersecurity requirements for personal data in the EU. The EU Cybersecurity Act will beef up ENISA, providing added institutional resources and expertise.
A number of different legislative requirements may apply to the same company, particularly to providers of critical infrastructure and digital networks and services. For example, a communications operator should analyze its cybersecurity obligations both under the GDPR and the ePrivacy Directive regarding the processing of personal data and under the EECC for non-personal data. An air carrier and a financial institution would have to do the same under the GDPR and the NIS Directive. Companies should gain a comprehensive understanding of the EU’s cybersecurity regulatory framework in order to design and implement their compliance programs accordingly.