Progress update on the EU Cybersecurity Strategy | Fieldfisher

13/03/2014
Background

On 28 February 2014, the European Commission hosted a "High Level Conference on the EU Cybersecurity Strategy" in Brussels.  The conference provided an opportunity for EU policy-makers, industry representatives and other interested parties to assess the progress of the EU Cybersecurity Strategy, which was adopted by the European Commission on 7 February 2013.
Keynote speech by EU Digital Agenda Commissioner Neelie Kroes

The implementation of the EU Cybersecurity Strategy comes at a time when public and private actors face escalating cyber threats.  During her keynote speech at the conference, Commissioner Kroes reiterated the dangers of weak cybersecurity measures by asserting that "without security, there is no privacy."

She further highlighted the reputational and financial impact of cyber threats, commenting that over 75% of small businesses and 93% of large businesses have suffered a cyber breach, according to a recent study.  However, Commissioner Kroes also emphasised that effective EU cybersecurity practices could constitute a commercial advantage for the 28-Member-State bloc in an increasingly interconnected global marketplace.

Status of the draft EU Cybersecurity Directive

The EU Cybersecurity Strategy's flagship legal instrument is draft Directive 2013/0027 concerning measures to ensure a high common level of network and information security across the Union ("draft EU Cybersecurity Directive").  In a nutshell, the draft EU Cybersecurity Directive seeks to impose certain mandatory obligations on "public administrations" and "market operators" with the aim of harmonising and strengthening cybersecurity across the EU. In particular, it includes an obligation to report security incidents to the competent national regulator.

The consensus at the conference was that further EU institutional reflection is required on some aspects of the draft EU Cybersecurity Directive, such as (1) the scope of obligations, i.e., which entities are included as "market operators"; (2) how Member State cooperation would work in practice; (3) the role of the National Competent Authorities ("NCAs"); and (4) the criminal dimension and the requirement for NCAs to notify law enforcement authorities.  The scope of obligations is a particularly contentious issue as EU decision-makers consider whether to include certain entities, such as software manufacturers, hardware manufacturers, and internet platforms, within the scope of the Directive.

The next few months will be a crucial period for the legislative passage of the draft law.  Indeed, the European Parliament voted on 13 March 2014 in the Plenary session to adopt its draft Report on the Directive.  The Council will now spend March – May 2014 working on the basis of the Parliament's report to achieve a Council "common approach".  The dossier will then likely be revisited after the European Parliament elections in May 2014.  The expected timeline for adoption remains "December 2014" but various decision-making scenarios are possible depending on the outcome of the elections.

Once adopted, Member States will have 18 months to transpose the Directive into national law (meaning an approximate deadline of mid-2016).  As a minimum harmonisation Directive, Member States could go beyond the provisions of the adopted Directive with their national transpositions, for instance, by reinstating internet platforms within the definition of a "market operator".

One of the challenges for organizations will be achieving compliance with possibly conflicting notification requirements between the draft EU Cybersecurity Directive (i.e., obligation to report security incidents to the competent national regulator), the existing ePrivacy Directive (i.e., obligation for telecom operators to notify personal data breaches to the regulator and to individuals affected) and, if adopted, the EU Data Protection Regulation (i.e., obligation for all data controllers to notify personal data security breaches to the regulator and to individuals affected).  So far, EU legislators have not provided any guidance as to how these legal requirements would coexist in practice.

Industry's perspective on the EU Cybersecurity Strategy

During the conference, representatives from organisations such as Belgacom and SWIFT highlighted the real and persistent threat facing companies. Calls were made for international coordination on cybersecurity standards and laws to avoid conflicting regulatory requirements.  Interventions also echoed the earlier sentiments of Commissioner Kroes in that cybersecurity offers significant growth opportunities for EU industry.

Business spoke of the need to "become paranoid" about the cyber threat and implement "security by design" to protect data.  Finally, trust, collaboration and cooperation between Member States, public and private actors were viewed as essential to ensure EU cyber resilience.
