The European Union Approves First-Ever Cybersecurity Rules

King & Spalding

On July 6, 2016, after more than three years of debate, the European Parliament gave final approval to the Network and Information Security Directive.  It establishes the first set of fundamental cybersecurity and breach reporting obligations applicable specifically in the European Union (“EU”) for companies supplying essential services in industries such as energy, transportation, banking and health, as well as in digital mediums such as search engines and cloud computing.

The new Directive requires providers to implement “technical and organizational measures” that are “appropriate and proportionate” to the cyber risks they face, which will ensure the security of their information systems and prevent and minimize the impact of security incidents.

The Directive is not prescriptive about which entities fall within the meaning of “operators of essential services.”  The Directive lays out a set of criteria that member states should use to decide this.  The analysis requires consideration of whether the service is critical for society and the economy, whether it depends on network and information systems, and whether a security incident could have significant disruptive effects on service or public safety.  Expect household names that are frequently cited in the press in connection with data privacy matters to be included, whereas small digital companies are likely to be outside of the scope.

Also open for interpretation under the Directive is what type of incident must be reported to regulators.  Rather than setting out a specific set of rules and circumstances that require notification, the Directive defines several parameters that should be considered, including the number of users affected, the duration of the incident, and its geographic reach.

With the Parliament’s approval, the new rules will be published in the EU Official Journal and will take effect 20 days after publication.  Member states will then have 21 months to incorporate the Directive into their national laws and six more months to identify operators of essential services.

Please click here for a copy of the Network and Information Security Directive.
