Network and information systems and services play a vital role in society. Their reliability and security are essential to economic and societal activities as well as to the functioning of the internal market.
However, the frequency and impact of security incidents are continuously increasing, and they represent the major threat to the functioning of information systems and services, as well as to the protection of personal data.
Furthermore, the differing approaches of the Member States have led to fragmented regulation across the Union.
Responding effectively to the new challenges in the cyber security sector requires a global approach at Union level, covering common minimum capacity building and planning requirements, exchange of information, cooperation and common security requirements for operators.
In order to accomplish this purpose, the European Union issued, inter alia, the following acts:
- Directive 2013/40/EU of 12 August 2013, on attacks against information systems.
- Directive 2016/1148 of 6 July 2016, concerning measures for a high common level of security of network and information systems across the Union.
- Regulation 2016/679 of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
Directive 2013/40/EU of 12 August 2013, on attacks against information systems
The objectives of this Directive are to approximate the criminal law of the Member States in the area of attacks against information systems by establishing minimum rules concerning the definition of criminal offences and the relevant sanctions and to improve cooperation between competent authorities, including the police and other specialised law enforcement services of the Member States, as well as the competent specialised Union agencies and bodies, such as Eurojust, Europol and its European Cyber Crime Centre, and the European Network and Information Security Agency (ENISA).
In fact, there is evidence of a tendency towards increasingly dangerous and recurrent large-scale attacks conducted against information systems which can often be critical to particular functions in the public or private sector. There is also a relevant number of “critical infrastructures” (infrastructures which are essential for the maintenance of vital societal functions like health, safety, security and transport), the disruption or destruction of which would have a significant cross-border impact.
Furthermore, the development of increasingly sophisticated methods is highly relevant, such as the creation and use of so-called ‘botnets’, namely, the act of establishing remote control over a significant number of computers by infecting them with malicious software through targeted cyber-attacks. Once created, the infected network of computers that constitutes the botnet can be activated without the computer users’ knowledge in order to launch a large-scale cyber-attack, which usually has the capacity to cause serious damage.
Hence, the Directive aims to introduce criminal penalties for: (i) illegal access to information systems, (ii) illegal system interference, (iii) illegal data interference, (iv) illegal interception.
In all cases, the criminal act must be committed intentionally. Instigating, aiding, abetting and attempting to commit any of the above offences will also be liable to punishment.
The Member States will have to make provision for such offences to be punished by effective, proportionate and dissuasive criminal penalties.
Where an offence is committed in the context of a criminal organisation and causes substantial loss or affects essential interests, this will be considered an aggravating circumstance. The same applies if an offence is committed using another person's identity and causes harm to this person.
The Directive also introduces the liability of 'legal persons' and sets out sanctions that may apply if they are found liable.
Each EU country will assume jurisdiction at minimum for offences committed on its territory or by one of its nationals outside its territory. Where several countries have jurisdiction over an offence, they must cooperate to decide which one will conduct proceedings against the author of said offence.
In order to fight cybercrime effectively, it is also necessary to increase the resilience of information systems by taking appropriate measures to protect them more effectively against cyber-attacks. Member States should take the necessary measures to protect their critical infrastructure from cyber-attacks, as part of which they should consider the protection of their information systems and associated data. Ensuring an adequate level of protection and security of information systems by legal persons, for example in connection with the provision of publicly available electronic communications services in accordance with existing Union legislation on privacy and electronic communication and data protection, forms an essential part of a comprehensive approach to effectively counteracting cybercrime. Appropriate levels of protection should be provided against reasonably identifiable threats and vulnerabilities in accordance with the state of the art for specific sectors and the specific data processing situations. The cost and burden of such protection should be proportionate to the likely damage a cyber-attack would cause to those affected. Member States are encouraged to provide for relevant measures incurring liabilities in the context of their national law in cases where a legal person has clearly not provided an appropriate level of protection against cyber-attacks.
To fight cybercrime better, the Directive also calls for greater international cooperation between judicial and law enforcement authorities.
To this end, EU countries must: (i) have an operational national point of contact; (ii) use the existing network of 24/7 contact points; (iii) respond to urgent requests for help within 8 hours to indicate whether and when a response may be provided; (iv) collect statistical data on cybercrime.
This Directive has been implemented by national laws across the Union.
Directive 2016/1148 of 6 July 2016, concerning measures for a high common level of security of network and information systems across the Union.
The Directive imposes minimum IT security requirements and a reporting scheme for security incidents on digital service providers as well as operators of essential services, so-called “critical infrastructures”.
Within the meaning of the Directive, digital services are: (i) online marketplaces; (ii) online search engines; (iii) cloud computing services. The Directive does not apply to: (i) undertakings providing public communication networks or publicly available electronic communication services, within the meaning of Directive 2002/21/EU, which are subject to the specific security and integrity requirements laid down in that Directive; (ii) trust service providers within the meaning of Regulation 910/2014/EU which are subject to the security requirements laid down in that Regulation.
Digital service providers should identify and take appropriate and proportionate technical and organisational measures to ensure the security of network and information systems which they use in the context of offering their services within the Union, as well as to prevent and minimise the impact of incidents affecting their systems.
Having regard to the state of the art, those measures shall ensure a level of security of network and information systems appropriate to the risk posed, and shall take into account the following elements: (i) the security of systems and facilities; (ii) incident handling; (iii) business continuity management; (iv) monitoring, auditing and testing; (v) compliance with international standards. They should also notify the competent authority without undue delay of any incident having a substantial impact on the provision of a service. In order to determine whether the impact of an incident is substantial, the following parameters in particular shall be taken into account: (i) the number of users affected by the incident, in particular users relying on the service for the provision of their own services; (ii) the duration of the incident; (iii) the geographical spread with regard to the area affected by the incident; (iv) the extent of the disruption of the functioning of the service; (v) the extent of the impact on economic and societal activities.
For the purposes of the Directive, a digital service provider should be deemed to be under the jurisdiction of the Member State in which it has its main establishment, namely, the head office. If the digital service provider is not established in the Union but offers services within the Union, it should designate a representative in the Union.
Operators of critical infrastructure are subject to slightly different rules. Each Member State will determine which operators in its jurisdiction could be considered critical infrastructures. The criteria for the identification should be as follows: (i) an entity provides a service which is essential for the maintenance of critical societal and/or economic activities; (ii) the provision of that service depends on network and information systems; and (iii) an incident would have significant disruptive effects on the provision of that service. In order to establish whether an incident could have significant disruptive effects, the Member States should take into account the following factors: (i) the number of users relying on the service provided by the entity concerned; (ii) the dependency of other sectors referred to in Annex II on the service provided by that entity; (iii) the impact that incidents could have, in terms of degree and duration, on economic and societal activities or public safety; (iv) the market share of that entity; (v) the geographic spread with regard to the area that could be affected by an incident; (vi) the importance of the entity for maintaining a sufficient level of the service, taking into account the availability of alternative means for the provision of that service. It is also possible that some entities provide both essential and non-essential services. Therefore, the operators should be subject to the specific security requirements only with respect to those services which are deemed to be essential. Furthermore, for the purpose of the identification process, when an entity provides an essential service in two or more Member States, those Member States should engage in bilateral or multilateral discussions with each other.
The Directive underlines the importance of international cooperation within the Union, considering that services and incidents could have cross-border impact. In order to facilitate cross-border cooperation and communication, each Member State should designate a national single point of contact responsible for coordinating issues related to the security of network and information systems and cross-border cooperation at Union level. EU countries will have 21 months from the date the Directive comes into force to implement the new EU legislation into national laws, and have a further six months to identify the operators of critical infrastructures.
Regulation 2016/679 of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
The economic and social integration resulting from the functioning of the internal market has led to a substantial increase in cross-border flows of personal data. Furthermore, technological developments and globalisation have brought new challenges for the protection of personal data. Hence, those developments require a strong and more coherent data protection framework in the Union, backed by strong enforcement. In order to ensure a consistent and high level of protection of natural persons and to remove the obstacles to flows of personal data within the Union, the level of protection of the rights and freedoms of natural persons with regard to the processing of such data should be equivalent in all Member States.
With particular reference to the security of personal data, the Regulation provides that, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement “appropriate technical and organisational measures” to ensure a level of security appropriate to the risk, including as appropriate: (i) the pseudonymisation and encryption of personal data; (ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (iii) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; (iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. This Regulation shall apply from 28 May 2018.