In February 2013, the EU Commission presented the Proposal for a Directive concerning measures to ensure a high common level of network and information security across the Union (COM(2013) 48 final). The aim of the proposed Directive is to ensure a high common level of network and information security (NIS) across the EU. Ensuring NIS is vital to boost trust and to the smooth functioning of the EU internal market. Regulatory obligations are required to create a level playing field and to close existing legislative loopholes.
According to this proposal:
· Member States will have to put in place a minimum level of national capabilities by establishing NIS national competent authorities, by setting up well-functioning Computer Emergency Response Teams (CERTs), and by adopting national NIS strategies and national NIS cooperation plans;
· NIS national competent authorities will have to exchange information and to cooperate so as to counter NIS threats and incidents;
· operators of critical infrastructure (such as energy, transport, banking, stock exchange, healthcare), key Internet enablers (e-commerce platforms, social networks, etc.) and public administrations will be required to assess the risks they face and to adopt appropriate and proportionate measures to ensure NIS. These entities will also be required to report to competent authorities incidents with a significant impact on core services provided.
On 13 March 2014 the European Parliament adopted its report on the proposed Directive, in which it made amendments to the Commission’s text, such as:
· the removal of “public administrations” and “internet enablers” (e.g. e-commerce platforms or application stores) from the scope of key compliance obligations;
· the exclusion of software developers and hardware manufacturers;
· the inclusion of a number of parameters to be considered by market operators to determine the significance of incidents and thus whether they must be reported to the national competent authority (NCA);
· the enabling of Member States to designate more than one NCA;
· the expansion of the concept of “damage” to include non-intentional force majeure damage;
· the expansion of the list of critical infrastructure to include, for example, freight auxiliary services; and
· the reduction of the burden on market operators, including that they would be given the right to be heard or anonymised before any public disclosure, and that sanctions would only apply if they intentionally failed to comply or were grossly negligent.
Subsequently, the Directive was discussed by the Council between May and October 2014, and then the Commission, Parliament and Council started talks, but without reaching an agreement.
Although there is political desire to adopt the Directive, its adoption is still pending.
See also: A. de Gaye/M. Brown, Progress update on the draft EU Cybersecurity Directive,
in: http://privacylawblog.fieldfisher.com/2015/progress-update-on-the-draft-eu-cybersecurity-directive