A lack of agreement on the EU Cyber Security Directive is causing uncertainty in the market
In recent months there have been numerous high-profile security breaches across the globe that have affected internet service providers (ISPs) as well as the financial and retail sectors.
The last piece of significant legislation on data protection dates back to 1998, but with data processing technology advancing at a record pace and cyber attacks growing in sophistication, the current legislation is no longer fit for purpose.
The proposal for the Network and Information Security Directive, known as the Cyber Security Directive, was introduced in February 2013 to ensure a high level of network and information security across the EU. The directive, which follows plans for similar legislation in the US, shows a heightened level of concern among the EU states for the potential of cyber attacks directed at critical EU infrastructure.
While obligations similar to those in the directive have previously been imposed in the EU on telecoms companies and ISPs courtesy of the E-Privacy Directive (2002/58/EC), the Cyber Security Directive introduces for the first time security and notification obligations on key providers of information services, as well as on public administrations and operators of critical infrastructure. These sectors rely heavily on information and communications technologies that are essential to the maintenance of vital economic or societal functions.
The original draft of the directive required member states, when implementing the legislation, to oblige public administrations and market operators providing services within the EU to:
- Take appropriate technical and organisational measures to manage the risks posed to the security of the networks and information systems that they control and use in their operations.
- Notify the competent authority, established in each member state to deal specifically with network and information security, of any incidents having a significant impact on the security of core services they provide.
- Inform the public where the competent authority determines that disclosure of the incident is in the public interest.
In January, the Committee on Civil Liberties, Justice and Home Affairs (LIBE) published its opinion and a compromise draft of the directive following amendments by MEPs. This draft was approved by the European Parliament on 13 March 2014, and will now be negotiated by the member states in the Council of Ministers, with final agreement anticipated for later this year and implementation anticipated in 2016.
One of the key challenges surrounding the implementation of the directive is that its final form is yet to be agreed, which leaves organisations in its scope with considerable uncertainty about what they will actually be required to do.
Furthermore, because the legislation is a directive as opposed to a regulation, it will not apply directly: each member state will be required to enact its own law transposing its provisions, with room for interpretation that may produce differences between national regimes.
With the draft directive still only partway through the legislative process, there is much negotiation still to be done.
David Prince is delivery director of cyber security at Schillings