Mandatory data breach reporting rules finally agreed by EUrocrats
Thou shalt report thy breaches – but to whom, exactly?
After five hours of negotiations on 7 December, members of the European Parliament and Council finally settled on the wording of the EU's Network and Information Security (NIS) Directive.
The directive was first proposed in 2013 as a means of advancing the European Union's cybersecurity strategy. As it is a directive rather than a regulation, member states will have to meet its demands by passing their own domestic laws.
The Network and Information Security Directive targets operators of critical national infrastructure in sectors such as energy, transport, health and banking, and requires them to report cyber security breaches almost as soon as they are discovered or else risk regulatory fines and other sanctions from national authorities, which will be given powers to enforce the rules.
Though the NIS directive's final text has not yet been released, The Register understands it may make its way into the public domain by 18 December – and an EU press release has offered details regarding the "first ever EU rules on cybersecurity".
While ostensibly focused on those using computer networks to manage critical national infrastructures across the EU, the directive will affect digital services such as the cloud, search engines and marketplaces. "Micro and small" services will be exempt from the directive, however.
Phil Lee, partner in the Privacy, Security and Information group at European law firm Fieldfisher, commented: “This is an entirely new obligation for businesses that are within the Directive's ambit. We are highly likely to see companies having a serious look at their preparedness for preventing, managing and responding to a cybersecurity breach, and this will necessitate system-wide security reviews and the creation of cyber breach management policies, incident response teams and awareness-raising programs. This is of course the reaction the EU is looking for.”
The directive appears to cover cloud-based business but how this will work in practice remains more than a little unclear, according to the privacy law expert.
Luke Scanlon, technology lawyer at Pinsent Masons, said: “Until now, most businesses have been under no obligation to report incidents of this type, so this legislation will likely expose in more concrete terms the sheer scale of the cyber security issue of which we are all aware.”
The new law will introduce mandatory breach notifications for a range of critical infrastructure companies and is the first EU-wide cybersecurity legislation. Firms providing critical infrastructure will be obliged to ensure that the digital infrastructure used to deliver essential services, such as traffic control or electricity grid management, is robust enough to withstand attacks by hackers.
“However, outside of certain identified sectors, it's also reported that the agreement reached will extend the scope of the Directive to cloud-based businesses, and it's unclear quite what is meant by this. The reality is that the vast majority of businesses have a cloud-based element to their services these days,” Fieldfisher's Lee explained.
The US already has data breach reporting requirements in most states and a federal-level cybersecurity strategy, so it could be argued that the EU is playing catch-up on data privacy and security regulation. “This is one step in ongoing changes to wider ongoing regulatory reform around digital platform regulation and data privacy rules,” Lee concluded.
“An EU-wide initiative has been a long time coming,” said Ross Brewer, vice president and managing director for international markets at security tools firm LogRhythm. “The Network and Information Security Directive will further enforce what is now so important: the ability to identify threats as quickly as possible.
“From Vtech to JD Wetherspoons, to the disaster that was TalkTalk, you can pick up any newspaper and see that organisations are still failing when it comes to cyber defences. Perhaps hitting them with eye-watering financial penalties and stricter regulations will help change that,” he added.
Member states will also be required to establish Computer Security Incident Response Teams (CSIRTs), which will be responsible for handling cybersecurity incidents and risks.
Nigel Hawthorn, Skyhigh Networks’ European spokesperson, said the directive is good news for consumers because it will give them confidence that firms are obliged to take measures to protect their information, strengthening data privacy in the process.
“For too long businesses have tried to tip-toe their way out of notifying customers about data breaches, worried about the damage it can have on reputation and sales,” Hawthorn commented. “Banks especially have been guilty of trying to keep ‘mum’ whenever they can. While this directive is aimed at critical infrastructure companies, it will still provide customers with greater confidence and, more importantly, raises their expectations of privacy.”
Chris Wysopal, CTO and CISO at secure coding firm Veracode, added: “Any legislation needs to be prescriptive to create a baseline for what’s considered reasonable security, otherwise it will be difficult to drive change. One way to do this would be taking the Network and Information Security Directive one step further and crafting some form of liability to enforce that reasonable efforts are being taken to secure systems.”
Member states will additionally be required to adopt a national NIS strategy setting out cybersecurity objectives, policy and regulatory measures, with the detail left to each national legislature. As with the Information Commissioner's Office in the UK, which is the national authority for enforcing EU data protection rules, the NIS rules will likely be enforced by a commissioner in Blighty – though whether that will be an existing commissioner, or whether a new commissioner's office will be established, is unclear. ®