A New European Cyber Security Strategy – Part II

May 10, 2016

Earlier we introduced the new European Cyber-security strategy and the impetus behind the changes. In 2013 the European Commission announced it had proposed a new directive aiming at ensuring a high common level of network and information security across the EU. The directive aims to do so by improving the security of the internet and the private networks and information systems underpinning the functioning of our societies and economies.

On 7 December 2015, the European Parliament and the Luxembourg Presidency of the EU Council of Ministers announced that they had agreed the text of the directive. Although the text has not yet been published, the draft proposals provide us with a good idea as to the aims and function of the directive.

The Proposed Directive

One of the key provisions of the draft directive is a requirement for member states to adopt a national Network and Information System (“NIS”) strategy defining the strategic objectives and the concrete policy and regulatory measures needed to achieve and maintain a high level of network and information security. Additionally, each member state will designate a national competent authority on the security of network and information systems, responsible for preventing, handling and responding to network and information security risks and incidents. A computer emergency response team should be established under the national competent authority’s supervision. The competent authorities will also monitor the application of the directive at national level and contribute to its consistent application throughout the European Union.

Each national competent authority and the European Commission are to form a co-operation network, to cooperate against risks and incidents affecting network and information systems. This will operate an early warning system for certain incidents, including those that could grow rapidly in scale, exceed national response capacity or affect more than one member state. The national competent authorities should also publish on a website information about early warning on incidents and co-ordinated responses.

Each member state will also ensure public administrations and market operators take appropriate technical and organisational measures to manage the risks posed to the security of the networks and information systems which they control and use in their operations. A market operator is defined as:

  1. A provider of information society services which enable the provision of other information society services (a non-exhaustive list is set out in Annex II of the directive);
  2. An operator of critical infrastructure that is essential for the maintenance of vital economic and societal activities in the fields of energy, transport, banking, stock exchanges and health (a non-exhaustive list is set out in Annex II of the directive).

The measures should guarantee a level of security appropriate to the risk presented. In particular, measures shall be taken to prevent and minimise the impact of incidents affecting their network and information systems on the core services they provide, and thus to ensure the continuity of the services underpinned by those networks and information systems. Public administrations and market operators will be required to notify the competent authority of incidents having a significant impact on the security of the core services they provide. The competent authority may inform the public, or require the public administrations and market operators to do so, where it determines that disclosure of the incident is in the public interest.

The competent authorities should report any incidents of a suspected serious criminal nature to law enforcement authorities. They will also work with personal data protection authorities when addressing incidents that have resulted in personal data breaches.

Whilst the proposed text does not set out any specific technical standards, member states are encouraged to use standards and specifications relevant to network and information security.

Finally, member states must adopt rules on sanctions applicable to infringements of the national provisions adopted pursuant to the directive and must take all measures necessary to ensure that they are implemented. The sanctions provided for must be effective, proportionate and dissuasive.

For more information


Nigel Miller
Partner
Direct dial: +44 (0)20 7614 2504
nmiller@foxwilliams.com


Madeleine Croydon
Associate
Direct dial: +44 (0)20 7614 2572
mcroydon@foxwilliams.com