A Great Leap Forward: EU Soon to Have Broad Rules on Cybersecurity and Incident Reporting

December.15.2015

On December 7, 2015, more than two and a half years after the first draft, the European Union Council finally reached an important, informal agreement with the Parliament on an important network and information security agreement ("NIS-Directive") affecting companies across the EU. The culmination of the European Commission's Cybersecurity strategy effort that began in February 2013 with the European Commission's proposed draft directive on measures to ensure a common level of network and information security. Final adoption of the NIS-Directive will have several important consequences, including increased focus by Boards of Directors of cybersecurity risk, the need for companies to increase their investment in information security, to prepare and implement cybersecurity incident response plans, to conduct internal comprehensive investigations into the circumstances of a cybersecurity event in order to comply with forthcoming reporting obligations.

I. Background

As initially proposed by the Parliament on March 13, 2014, the NIS-Directive would, for the first time, set out various cybersecurity and reporting obligations for digital service providers and also for operators of essential services, as well as form a strategic cooperation network to facilitate information sharing. The agreed text will be presented to the member states' representatives on December 18, 2015, and then need to be formally adopted by the Council and Parliament. The member states will then have 21 months to adopt the necessary national provisions once the NIS-Directive enters into force and they will have an additional six months to identify their operators of essential services.

II. Brief overview of the NIS-Directive

The NIS-Directive introduces a number of measures aimed at generally improving the state of cybersecurity across the EU, with emphasis on establishing a high level of network and information security through improved cooperation between the member states and between public and private sectors and the establishment of computer security incident response teams.

Although the specific language of the recently approved draft NIS-Directive is not yet publicly available, the following features are widely expected to be included:

Implementation of clearly defined consistent cybersecurity standards for companies in "critical" sectors (sometimes referred to as critical infrastructure), such as energy, transport, banking, health care and water supply, as well as some providers of online marketplaces, search engines and cloud platforms, much like the U.S. has already done in the context of National Institute of Standards and Technology (NIST).
Mandatory reporting to national authorities of cybersecurity incidents and data breaches in critical infrastructure.
Creation of a cooperation network between the competent authorities and the Commission to share information and tactics to better understand and address cybersecurity risk, which could facilitate sharing of early warnings on risks, threat indicators, cybersecurity intelligence, and best practices on protecting networks.
Establishment of Computer Security Incident Response Teams, national competent authorities on cybersecurity with adequate technical, financial, and human resources, which would be responsible for consulting, cooperating, and coordinating with the relevant law enforcement national authorities and data protection authorities.
Requirement that member states establish rules imposing sanctions on organizations that fail to comply with national provisions adopted pursuant to the NIS-Directive, and requiring member states to take measures necessary to ensure that the sanctions are implemented. The sanctions provided for must be effective, proportionate and dissuasive.

III. Impact on Businesses

The NIS-Directive will not only require critical infrastructure and companies that are digital service providers to take actions aimed at improving their networks' ability to resist cyber-attacks, but organizations will now have to consider establishing a compliance function around the new requirements. Accordingly, many organizations – specifically cloud service providers, online search engine providers, online marketplaces and other internet service providers – will need to actively assess the security and integrity of their network resources.

The reporting obligations also mean that companies should strongly consider conducting post-attack investigations, directed by legal counsel, to identify the extent of reporting obligations, especially given the likelihood of significant fines and penalties from national authorities for companies that do not comply with these obligations. Moreover, given that companies will no longer be able to remain silent in the event of a security breach, they should strongly consider proactively planning for how they will manage brand and reputation after an incident. These complicated considerations are best handled through preparation and incident response planning.

IV. Special Considerations in Germany

In July 2015, the new Act to Increase the Security of Information Technology Systems ("IT Security Act") came into force in Germany. This IT Security Act affects companies in the sectors energy, transportation, health, water utilities, telecommunication, finance and insurance ("critical infrastructure"). The respective companies have two years to introduce necessary cybersecurity measures to ensure that the functionality and availability of their services will not get jeopardized by cyber-attacks. They also have to report major incidents and/or security breaches. Fines up to EUR 100,000 can be imposed if the companies do not follow these regulations.

Guidelines for companies are already available for some services, helping companies to avoid making mistakes while offering their digital services. For example, in July 2015, the German Federal Government IT Advisory Committee issued new cloud computing service criteria for all prospective vendors to German Federal Agencies (see Orrick's client Alert German Federal IT Committee Issues New Restrictions for Cloud Service Providers).

Authors

Dr. Christian Schröder Partner, Cyber, Privacy & Data Innovation, Technology Transactions

Düsseldorf

See my bio

D:+49 211 3678 7269
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Technology Transactions
Technology Companies Group
Automotive Technology & Mobility
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Dr. Christian Schröder Partner

Düsseldorf

Christian helps clients consider the privacy and artificial intelligence implications of new technology, supports their compliance programs, and helps them stay ahead of enforcement trends. One particular focus of his work deals with internal data transfer agreements, external data transfers with external providers, and product launches that comply with international data protection standards, as well as privacy requirements for connected cars. Furthermore, Christian provides guidance on privacy and data protection considerations for developing, acquiring, using, licensing and selling technology, data and intellectual property, including M&A transactions and IP focused joint ventures. He supports companies on the set-up of webshops, outsourcings, license agreements, in cases of trademark or unfair and deceptive trade practice issues, as well as on hard and software license and information technology (IT) project agreements.

Christian maintains strong working relationships with German data protection authorities and EU regulatory authorities with jurisdiction over privacy and data security matters. He effectively defends companies in cybersecurity and privacy-related investigations initiated by EU regulatory authorities. He also engages with authorities on behalf of clients and helps clients avoid proceedings and possible litigation. When litigation can't be avoided, Christian vigorously defends his clients.

For companies facing global cybersecurity incidents, Christian helps with crisis mitigation, including counseling on notification requirements, coordinating media strategies, and representing clients before data protection authorities in related regulatory investigations.

Christian regularly contributes practical thought leadership to global privacy industry publications and German privacy books and journals. Christian authors the Chapter V (international data transfers) of Germany’s leading GDPR commentary Kühling/Buchner (4th ed.) and is co-author to the Corporate Privacy Handbook (Betrieblicher Datenschutz). As an active member of the Sedona Conference, Christian drives the development and understanding of cross border privacy. He also participates in, hosts and moderates speaking programs with fellow private practitioners, EU data protection authorities, and academics focused on privacy and data security. Legal 500 Germany named Christian one of the top 15 practitioners in 2023 and noted that he is "a pioneer in the legal field, a data protection guru." They also recognized Christian and Orrick as "truly global" and how that it is "vital as they require the various leaders of each region to participate and bring issues to the table as a forum".

Prior to working in private practice, Christian interned with the German Federal Data Protection Commissioner and www.epic.org.

Aravind Swaminathan Partner, Cyber, Privacy & Data Innovation, Class Action Defense

Seattle; Boston

See my bio

Practice:

Finance Sector
Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Class Action Defense
White Collar, Investigations, Securities Litigation & Compliance
Government Investigations and Enforcement Actions
Trials
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Aravind Swaminathan Partner

Seattle; Boston

A leading cybersecurity and online safety authority, Aravind is recognized by Chambers USA in Privacy and Data Security in both Litigation and Incident Response. Clients describe him as “a very talented lawyer experienced with incident responses” and “incredibly responsive and technically savvy.”

Aravind’s deep knowledge of his clients’ business objectives and technological capabilities distinguishes him as a strategic advisor and frontline crisis responder. He advises some of the world’s leading online platforms, public and private financial institutions, tech companies, higher education institutions, and critical infrastructure providers on cybersecurity, and their obligations to monitor and remove harmful or illegal content online and root out instances of child exploitation.

He is adept at guiding companies through cybersecurity incidents, having directed more than 500 data breach investigations, including enterprise-wide network intrusions to cyberattacks with national security implications. Aravind defends clients in an array of cybersecurity and privacy class actions and regulatory enforcement actions brought by the SEC, FTC, NY DFS and State AGs, and also represents individual C-level executives in criminal and civil regulatory enforcement matters.

As a former assistant United States attorney, he investigated and prosecuted a broad array of cybercrime, child exploitation cases, digital crimes, and white-collar crime cases. This first-hand knowledge of federal agencies allows him to navigate the system, partner with investigators and find creative solutions for clients.

Aravind is a member of Orrick’s Board of Directors, and he devotes much of his free time to advising independent schools on AI, online safety, and cybersecurity, and teaching and coaching.