Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...
By Stephen Gardner
Jan. 14 — Web services that are established in European Union member states, including Amazon.com Inc. and Google Inc., would be required to submit their cybersecurity procedures to the oversight of EU national authorities under a proposed directive approved by the European Parliament's Internal Market Committee Jan. 14.
The directive, formally known as the Network and Information Security (NIS) Directive, would require EU countries to identify critical service providers that could fall victim to cyberattacks, and to then validate the companies' cybersecurity measures.
The directive would also create a reporting obligation, under which critical service providers would be obliged to notify the authorities of serious cyberattacks on their networks. The directive would cover attacks on systems, rather than data breaches.
Jorg Hladjk, counsel with Hunton & Williams LLP in Brussels, told Bloomberg BNA Jan. 14 that the directive, once finally ratified and implemented by EU countries, might be “very burdensome for business.”
The directive would cover online marketplaces, search engines and cloud computing services, but would exclude from its scope social networks, such as Facebook Inc.
The directive would also apply to companies in seven sectors considered essential to the security of EU countries: energy, transportation, banking, financial markets, health, water utilities and digital infrastructure, which covers Internet exchange points and Internet domain name services.
The directive, which was proposed by the European Commission, the EU's executive arm, in 2013, was provisionally agreed in December 2015 by representatives from the European Parliament and the Council of the EU (14 PVLR 2272, 12/14/15).
To be finalized, the directive must be approved by the European Parliament, and must be formally adopted by EU member states in the council. No dates have been set for final ratification.
EU member states would then have 21 months to implement the provisions of the directive into their national legal codes, and an additional six months to identify “critical” companies and services that would be subject to the oversight and notification requirements.
According to the text of the directive, member state authorities should apply the requirements to companies and services if a cyberattack on their systems could entail “significant disruptive effects” on an economy-wide level. Smaller companies would be excluded from the scope of the directive.
National adoption by each EU member state of their own provisions transposing the directive's minimum standards could “lead to a patchwork of local requirements,” Hladjk said.
Until each country has drawn up its list of critical companies that will be covered by the directive, “legal uncertainty” would persist, Hladjk said.
“The list of security breach reporting requirements gets longer and longer and companies need a strategic plan to comply with this new regime,” he added.
German European Parliament member and leading privacy lawmaker Jan Philipp Albrecht said in a statement Jan. 14 that once it is ratified, EU countries should rapidly adopt the directive “so that vulnerabilities can be quickly eliminated.” Countries also “must share better” information about network security, Albrecht said.
To contact the reporter on this story: Stephen Gardner in Brussels at firstname.lastname@example.org
To contact the editor responsible for this story: Jimmy H. Koo at email@example.com
All Bloomberg BNA treatises are available on standing order, which ensures you will always receive the most current edition of the book or supplement of the title you have ordered from Bloomberg BNA’s book division. As soon as a new supplement or edition is published (usually annually) for a title you’ve previously purchased and requested to be placed on standing order, we’ll ship it to you to review for 30 days without any obligation. During this period, you can either (a) honor the invoice and receive a 5% discount (in addition to any other discounts you may qualify for) off the then-current price of the update, plus shipping and handling or (b) return the book(s), in which case, your invoice will be cancelled upon receipt of the book(s). Call us for a prepaid UPS label for your return. It’s as simple and easy as that. Most importantly, standing orders mean you will never have to worry about the timeliness of the information you’re relying on. And, you may discontinue standing orders at any time by contacting us at 1.800.960.1220 or by sending an email to firstname.lastname@example.org.
Put me on standing order at a 5% discount off list price of all future updates, in addition to any other discounts I may quality for. (Returnable within 30 days.)
Notify me when updates are available (No standing order will be created).
This Bloomberg BNA report is available on standing order, which ensures you will all receive the latest edition. This report is updated annually and we will send you the latest edition once it has been published. By signing up for standing order you will never have to worry about the timeliness of the information you need. And, you may discontinue standing orders at any time by contacting us at 1.800.372.1033, option 5, or by sending us an email to email@example.com.
Put me on standing order
Notify me when new releases are available (no standing order will be created)