Efforts to coordinate and enhance cybersecurity across the European Union (“EU”) have taken a step forward with the publication on 19 July 2016 of the new Network and Information Security Directive (2016/1148/EU) (the “Directive”) in the Official Journal of the European Union. Member States will have until 9 May 2018 to transpose the Directive into their national laws.
The key objectives of the Directive are: (1) to introduce a set of minimum cybersecurity standards for network and information systems maintained by operators of essential services and digital service providers; (2) to ensure each Member State has in place strategies and resources relating to cybersecurity; and (3) to enhance cooperation amongst EU Member States for the prevention, detection and response to cyber-attacks. The Directive will have a direct impact on organisations that fall within the categories of “operators of essential services” and “digital service providers” both of which are given a particular meaning by the Directive.
Operators of Essential Services and Digital Service Providers
The Directive applies to operators of essential services and digital service providers. An operator of an essential service is considered to be an entity that provides a service that is essential for the maintenance of critical societal and/or economic activities, the provision of which relies on network and information systems, and in respect of which a cyber incident would have a significant disruptive effect on the provision of the service. Digital service providers are defined as organisations providing online marketplaces, online search engines and/or cloud computing services.
Security and Notification Obligations
Since the impact of disruption to operators of essential services is potentially more serious for the social and/or economic activities of the EU, the Directive draws a distinction between operators of essential services and digital service providers, imposing less strict obligations on the latter. The Directive permits Member States to adopt measures to achieve higher security standards for operators of essential services but not for digital service providers (subject to each Member State’s right to safeguard its essential state functions, for example national security).
Implementation and Enforcement
The Directive also takes a differentiated approach to enforcement against operators of essential services and digital service providers. As one of the recitals explains, digital service providers should be subject to a light-touch, “reactive” supervisory approach. Competent authorities will therefore take action, where necessary, when they receive evidence that a digital service provider has not met the requirements. In contrast, competent authorities will have the power to initiate assessments of the security measures applied by operators of essential services. They can request information and evidence of effective implementation of security measures, including the results of security audits. Binding instructions may be issued to remedy any deficiencies identified. It will be up to Member States to set appropriate penalties for any failure by either operators of essential services or digital service providers to comply with the national rules implementing the Directive.
A full Mayer Brown Legal Update on the Network and Information Security Directive is also available.
This article was originally published on AllAboutIP, Mayer Brown’s blog on relevant developments in the fields of intellectual property and unfair competition law.