BRUSSELS--Some 42,000 companies in designated “critical” sectors in the
European Union would be required to better protect their information networks
and report systemic data breaches to regulators, under a proposed cybersecurity
directive made public Feb. 7 by the European Commission.
The proposed cybersecurity directive does not cover breaches of personal
data, but rather systemic cyber-attacks that compromise data systems, the
The proposal would greatly expand the data security and system breach notice
obligations that are already in place for telecommunications companies under the
2009 amendments to the EU e-Privacy Directive (2009/136/EC) (8 PVLR 1721,
12/7/09). The new directive would not, however, expand the e-Privacy Directive's
requirement that telecoms, including internet service providers, notify
officials and affected individuals of breaches of their personal data.
The e-Privacy personal data breach notice provision is the only EU-wide data
breach notice mandate currently in place. A general obligation for data
controllers to report personal data breaches to supervisory authorities and
individuals is included in the EC's proposed data protection regulation, which
was released in January 2012 (11 PVLR 178, 1/30/12).
The draft directive would not make it mandatory for cybersecurity breaches to
be made public, but it said that the “competent national authority may require
that the public be informed.”
Jörg Hladjk, an attorney with Hunton & Williams, Brussels, told BNA Feb.
7 that “the proposed framework will close a gap with regard to data that is
compromised and does not constitute personal data.” He cited an information and
communications technology outage at a power company as an example of a breach
that would be covered by the proposed directive.
“The proposal can be considered as a starting point to protect critical
infrastructures against global cyber-attacks and to help reduce corporate losses
that have been in the billions during the last couple of years,” Hladjk added.
He cautioned, however, that if adopted as proposed, the directive would force
cloud services and online payment providers “to deal with significant
obligations and challenges.”
The Commission, the EU’s executive arm, said in a statement announcing the
release of the proposed directive that the expanded obligation would affect “key
internet companies,” such as cloud computing services providers, internet search
engines, social networks, as well as energy, financial services, health, and
transportation providers. Public sector institutions would also fall within the
scope of the proposed directive.
Companies and services affected by the draft directive would include
Amazon.com, Apple iTunes, Cisco, eBay, Facebook, Google, IBM, Microsoft, PayPal,
Skype, and Yahoo!, according to an impact assessment
accompanying the proposed directive.
Monika Hohlmeier, a German center-right member of the European Parliament,
who is the Parliament’s rapporteur, or lead negotiator, on a separate 2010
Commission proposal for a directive on attacks against information systems, said
in a Feb. 7 statement that “there is going to have to be a thorough debate on
what type of companies should be obliged to file and what kind of attacks it
should be about.”
“We must avoid over-centralized reporting requirements which would run the
risk of affecting the companies’ economic development,” Hohlmeier added.
The affected companies would be required to “adopt risk management practices
and report major security incidents on their core services,” the Commission
said, although it left the definitions of terms such as “risk management
practices” and “major security incidents” vague. The text of the draft directive
noted that “the definition of circumstances in which public administrations and
market operators are required to notify incidents” would be left to
supplementary legislation to be adopted once the main directive is in place.
Even if the proposed directive is approved, each of the 27 EU member states
would have to transpose the directive into its own national law.
The draft directive would also require EU member states that have not done so
to adopt a network and information security strategy and to establish a
competent authority for cybersecurity. The proposed directive would also create
a European “cooperation mechanism” for EU member states and the Commission to
share information on cybersecurity threats.
The draft directive was published alongside an official communication to
the European Parliament and European Council outlining a cybersecurity strategy
for the European Union.
The strategy paper said that the European Union should make its economic,
military, and political systems secure against cyber-attacks by achieving “cyber
resilience,” combating cybercrime, developing policies for cyberdefense,
boosting its cybersecurity industry by promoting research and development, and
promoting EU cybersecurity policy in international forums.
European Commission Vice-President for the Digital Agenda Neelie Kroes said
in the EC statement that a coherent EU strategy is necessary because of the
growing prevalence of cyber-attacks on networks and information systems, and
that the data security and breach reporting provisions in the proposed directive
were needed to help prevent critical infrastructure failures.
She noted a case in the Netherlands involving DigiNotar, a digital
certificate provider, that was compromised in 2011 by hackers who issued forged
digital certificates. The company was slow to repair the security breach and
notify users, and it has since filed for bankruptcy, she said.
The risk management and reporting obligations for companies in the draft
cybersecurity directive would “ensure companies take the measures needed,” Kroes
said. “The more we depend on the online world, the more we depend on it to be
secure. One bad data breach can lead to huge financial costs and
The European Network and Information Security Agency, an EU agency that works
with member state governments, the Commission, and the private sector to prevent
and address network and information security problems, has long called for
legislative updates to create a unified EU cybersecurity plan (11 PVLR 1352,
The Commission noted that ENISA said that telecommunications companies
reported 51 cybersecurity incidents in 2011 under current legislation but that
reports of “10 times more incidents” were expected for 2012 because EU “member
states now have more mature national incident reporting schemes compared to
By Stephen Gardner (Brussels) with additional reporting by Jabeen
Full text of the “Proposal for a Directive of the European Parliament and of
the Council concerning measures to ensure a high common level of network and
information security across the Union” is available at http://op.bna.com/pl.nsf/r?Open=dapn-94pmqy.
Full text of the “Joint Communication to the European Parliament, the
Council, the European Economic and Social Committee and the Committee of the
Regions--Cybersecurity Strategy of the European Union: An Open, Safe and Secure
Cyberspace” is available at http://op.bna.com/pl.nsf/r?Open=dapn-94pmql.
Full text of the 160-page “Commission Staff Working Document Impact
Assessment Accompanying the document Proposal for a Directive of the European
Parliament and of the Council Concerning measures to ensure a high level of
network and information security across the Union” is available at http://op.bna.com/pl.nsf/r?Open=dapn-94pmrt.
Full text of the 7-page executive summary of the impact statement is available