EC Proposes Expanding Security, Breach Notice Obligations to EU Critical Sectors

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

BRUSSELS--Some 42,000 companies in designated “critical” sectors in the European Union would be required to better protect their information networks and report systemic data breaches to regulators, under a proposed cybersecurity directive made public Feb. 7 by the European Commission.  

The proposed cybersecurity directive does not cover breaches of personal data, but rather systemic cyber-attacks that compromise data systems, the Commission said.

The proposal would greatly expand the data security and system breach notice obligations that are already in place for telecommunications companies under the 2009 amendments to the EU e-Privacy Directive (2009/136/EC) (8 PVLR 1721, 12/7/09). The new directive would not, however, expand the e-Privacy Directive's requirement that telecoms, including internet service providers, notify officials and affected individuals of breaches of their personal data.

The e-Privacy personal data breach notice provision is the only EU-wide data breach notice mandate currently in place. A general obligation for data controllers to report personal data breaches to supervisory authorities and individuals is included in the EC's proposed data protection regulation, which was released in January 2012 (11 PVLR 178, 1/30/12).

The draft directive would not make it mandatory for cybersecurity breaches to be made public, but it said that the “competent national authority may require that the public be informed.”

Jörg Hladjk, an attorney with Hunton & Williams, Brussels, told BNA Feb. 7 that “the proposed framework will close a gap with regard to data that is compromised and does not constitute personal data.” He cited an information and communications technology outage at a power company as an example of a breach that would be covered by the proposed directive.

“The proposal can be considered as a starting point to protect critical infrastructures against global cyber-attacks and to help reduce corporate losses that have been in the billions during the last couple of years,” Hladjk added. He cautioned, however, that if adopted as proposed, the directive would force cloud services and online payment providers “to deal with significant obligations and challenges.”

Range of Well-Known Companies Affected

The Commission, the EU’s executive arm, said in a statement announcing the release of the proposed directive that the expanded obligation would affect “key internet companies,” such as cloud computing services providers, internet search engines, social networks, as well as energy, financial services, health, and transportation providers. Public sector institutions would also fall within the scope of the proposed directive.

Companies and services affected by the draft directive would include, Apple iTunes, Cisco, eBay, Facebook, Google, IBM, Microsoft, PayPal, Skype, and Yahoo!, according to an impact assessment accompanying the proposed directive.

Monika Hohlmeier, a German center-right member of the European Parliament, who is the Parliament’s rapporteur, or lead negotiator, on a separate 2010 Commission proposal for a directive on attacks against information systems, said in a Feb. 7 statement that “there is going to have to be a thorough debate on what type of companies should be obliged to file and what kind of attacks it should be about.”

“We must avoid over-centralized reporting requirements which would run the risk of affecting the companies’ economic development,” Hohlmeier added.


“The proposal can be considered as a starting point to protect critical infrastructures against global cyber-attacks and to help reduce corporate losses that have been in the billions during the last couple of years.”  


Jörg Hladjk, Associate,
Hunton & Williams LLP, Brussels

The affected companies would be required to “adopt risk management practices and report major security incidents on their core services,” the Commission said, although it left the definitions of terms such as “risk management practices” and “major security incidents” vague. The text of the draft directive noted that “the definition of circumstances in which public administrations and market operators are required to notify incidents” would be left to supplementary legislation to be adopted once the main directive is in place.

Even if the proposed directive is approved, each of the 27 EU member states would have to transpose the directive into their own national laws.

The draft directive would also require EU member states that have not done so to adopt a network and information security strategy and to establish a competent authority for cybersecurity. The proposed directive would also create a European “cooperation mechanism” for EU member states and the Commission to share information on cybersecurity threats.

Draft Cybersecurity Strategy Also Released

The draft directive was published alongside an official communication to the European Parliament and European Council outlining a cybersecurity strategy for the European Union.

The strategy paper said that the European Union should make its economic, military, and political systems secure against cyber-attacks by achieving “cyber resilience,” combating cybercrime, developing policies for cyberdefense, boosting its cybersecurity industry by promoting research and development, and promoting EU cybersecurity policy in international forums.

European Commission Vice-President for the Digital Agenda Neelie Kroes said in the EC statement that a coherent EU strategy is necessary because of the growing prevalence of cyber-attacks on networks and information systems, and that the data security and breach reporting provisions in the proposed directive were needed to help prevent critical infrastructure failures.

She noted a case in the Netherlands involving DigiNotar, a digital certificate provider, that was compromised in 2011 by hackers who issued forged digital certificates. The company was slow to repair the security breach and notify users, and it has since filed for bankruptcy, she said.

The risk management and reporting obligations for companies in the draft cybersecurity directive would “ensure companies take the measures needed,” Kroes said. “The more we depend on the online world, the more we depend on it to be secure. One bad data breach can lead to huge financial costs and bankruptcy.”

The European Network and Information Security Agency, an EU agency that works with member state governments, the Commission, and the private sector to prevent and address network and information security problems, has long called for legislative updates to create a unified EU cybersecurity plan (11 PVLR 1352, 9/3/12).

The Commission noted that ENISA said that telecommunications companies reported 51 cybersecurity incidents in 2011 under current legislation but that reports of “10 times more incidents” were expected for 2012 because EU “member states now have more mature national incident reporting schemes compared to 2011.”

By Stephen Gardner (Brussels)
with additional reporting by Jabeen Bhatti (Berlin)

Full text of the “Proposal for a Directive of the European Parliament and of the Council concerning measures to ensure a high common level of network and information security across the Union” is available at

Full text of the “Joint Communication to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions--Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace” is available at

Full text of the 160-page “Commission Staff Working Document Impact Assessment Accompanying the document Proposal for a Directive of the European Parliament and of the Council Concerning measures to ensure a high level of network and information security across the Union” is available at Full text of the 7-page executive summary of the impact statement is available at

Request Bloomberg Law: Privacy & Data Security