Network and information systems and services play a vital role in society. Their reliability and security are essential to economic and societal activities as well as to the functioning of the internal market.
However, the frequency and the impact of security incidents are continuously increasing, and they represent a major threat to the functioning of information systems and services, as well as to the protection of personal data.
Furthermore, the differing approaches of the Member States have led to fragmented regulation across the Union.
Responding effectively to the new challenges in the cyber security sector requires a comprehensive approach at Union level, covering common minimum capacity-building and planning requirements, exchange of information, cooperation, and common security requirements for operators.
In order to accomplish this purpose, the European Union issued, inter alia, the following acts:
- Directive 2013/40/EU of 12 August 2013, on attacks against information systems.
- Directive (EU) 2016/1148 of 6 July 2016, concerning measures for a high common level of security of network and information systems across the Union.
- Regulation (EU) 2016/679 of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
Directive 2013/40/EU of 12 August 2013, on attacks against information systems
The objectives of this Directive are to approximate the criminal law of the Member States in the area of attacks against information systems by establishing minimum rules concerning the definition of criminal offences and the relevant sanctions, and to improve cooperation between competent authorities, including the police and other specialised law enforcement services of the Member States, as well as the competent specialised Union agencies and bodies, such as Eurojust, Europol and its European Cybercrime Centre, and the European Network and Information Security Agency (ENISA).
In fact, there is evidence of a tendency towards increasingly dangerous and recurrent large-scale attacks conducted against information systems which can often be critical to particular functions in the public or private sector. There is also a relevant number of "critical infrastructures" (infrastructures which are essential for the maintenance of vital societal functions such as health, safety, security and transport), the disruption or destruction of which would have a significant cross-border impact.
Of particular relevance is the development of increasingly sophisticated methods, such as the creation and use of so-called "botnets", namely the act of establishing remote control over a significant number of computers by infecting them with malicious software through targeted cyber-attacks. Once created, the infected network of computers that constitutes the botnet can be activated without the computer users' knowledge in order to launch a large-scale cyber-attack, which usually has the capacity to cause serious damage.
Hence, the Directive aims to introduce criminal penalties for: (i) illegal access to information systems; (ii) illegal system interference; (iii) illegal data interference; (iv) illegal interception.
In all cases, the criminal act must be committed intentionally. Instigating, aiding, abetting and attempting to commit any of the above offences will also be liable to punishment.
The Member States will have to make provision for such offences to be punished by effective, proportionate and dissuasive criminal penalties.
Where an offence is committed in the context of a criminal organisation and causes substantial loss or affects essential interests, this will be considered an aggravating circumstance. The same applies if an offence is committed using another person's identity and causes harm to that person.
The Directive also introduces the liability of "legal persons" and sets out the sanctions that may apply if they are found liable.
Each EU country will assume jurisdiction, at a minimum, for offences committed on its territory or by one of its nationals outside its territory. Where several countries have jurisdiction over an offence, they must cooperate to decide which one will conduct proceedings against the perpetrator of said offence.
In order to fight cybercrime effectively, it is also necessary to increase the resilience of information systems by taking appropriate measures to protect them more effectively against cyber-attacks. Member States should take the necessary measures to protect their critical infrastructure from cyber-attacks, as part of which they should consider the protection of their information systems and associated data. Ensuring an adequate level of protection and security of information systems by legal persons, for example in connection with the provision of publicly available electronic communications services in accordance with existing Union legislation on privacy and electronic communications and on data protection, forms an essential part of a comprehensive approach to effectively counteracting cybercrime. Appropriate levels of protection should be provided against reasonably identifiable threats and vulnerabilities in accordance with the state of the art for specific sectors and the specific data processing situations. The cost and burden of such protection should be proportionate to the likely damage a cyber-attack would cause to those affected. Member States are encouraged to provide for relevant measures incurring liabilities in the context of their national law in cases where a legal person has clearly not provided an appropriate level of protection against cyber-attacks.
To fight cybercrime better, the Directive also calls for greater international cooperation between judicial and law enforcement authorities.
To this end, EU countries must: (i) have an operational national point of contact; (ii) use the existing network of 24/7 contact points; (iii) respond to urgent requests for help within 8 hours, indicating whether and when a response may be provided; (iv) collect statistical data on cybercrime.
This Directive has been implemented by national laws across the Union.
Directive (EU) 2016/1148 of 6 July 2016, concerning measures for a high common level of security of network and information systems across the Union
The Directive imposes minimum security requirements and an incident-reporting scheme on digital service providers as well as on operators of essential services, so-called "critical infrastructures".
Within the meaning of the Directive, digital services are: (i) online marketplaces; (ii) online search engines; (iii) cloud computing services. The Directive does not apply to: (i) undertakings providing public communications networks or publicly available electronic communications services, within the meaning of Directive 2002/21/EC, which are subject to the specific security and integrity requirements laid down in that Directive; (ii) trust service providers within the meaning of Regulation (EU) No 910/2014, which are subject to the security requirements laid down in that Regulation.
Digital service providers should identify and take appropriate and proportionate technical and organisational measures to ensure the security of the network and information systems which they use in the context of offering their services within the Union, as well as to prevent and minimise the impact of incidents affecting their systems.
Having regard to the state of the art, those measures shall ensure a level of security of network and information systems appropriate to the risk posed, and shall take into account the following elements: (i) the security of systems and facilities; (ii) incident handling; (iii) business continuity management; (iv) monitoring, auditing and testing; (v) compliance with international standards. Digital service providers must also notify the competent authority without undue delay of any incident having a substantial impact on the provision of a service. In order to determine whether the impact of an incident is substantial, the following parameters in particular shall be taken into account: (i) the number of users affected by the incident, in particular users relying on the service for the provision of their own services; (ii) the duration of the incident; (iii) the geographical spread with regard to the area affected by the incident; (iv) the extent of the disruption of the functioning of the service; (v) the extent of the impact on economic and societal activities.
For the purposes of the Directive, a digital service provider is deemed to be under the jurisdiction of the Member State in which it has its main establishment, namely its head office. If the digital service provider is not established in the Union but offers services within the Union, it must designate a representative in the Union.
Operators of critical infrastructure are subject to slightly different rules. Each Member State will determine which operators in its jurisdiction are to be considered critical infrastructures. The criteria for the identification are as follows: (i) the entity provides a service which is essential for the maintenance of critical societal and/or economic activities; (ii) the provision of that service depends on network and information systems; and (iii) an incident would have significant disruptive effects on the provision of that service.

In order to establish whether an incident could have significant disruptive effects, the Member States should take into account the following factors: (i) the number of users relying on the service provided by the entity concerned; (ii) the dependency of other sectors referred to in Annex II on the service provided by that entity; (iii) the impact that incidents could have, in terms of degree and duration, on economic and societal activities or public safety; (iv) the market share of that entity; (v) the geographic spread with regard to the area that could be affected by an incident; (vi) the importance of the entity for maintaining a sufficient level of the service, taking into account the availability of alternative means for the provision of that service. It is also possible that some entities provide both essential and non-essential services. Therefore, operators are subject to the specific security requirements only with respect to those services which are deemed to be essential. Furthermore, for the purpose of the identification process, when an entity provides an essential service in two or more Member States, those Member States should engage in bilateral or multilateral discussions with each other.

The Directive underlines the importance of cooperation within the Union, considering that services and incidents may have a cross-border impact. In order to facilitate cross-border cooperation and communication, each Member State should designate a national single point of contact responsible for coordinating issues related to the security of network and information systems and for cross-border cooperation at Union level.

EU countries have 21 months from the date the Directive enters into force to transpose it into national law, and a further six months to identify the operators of critical infrastructures.
Regulation (EU) 2016/679 of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data
The economic and social integration resulting from the functioning of the internal market has led to a substantial increase in cross-border flows of personal data. Furthermore, technological developments and globalisation have brought new challenges for the protection of personal data. Hence, those developments require a strong and more coherent data protection framework in the Union, backed by strong enforcement. In order to ensure a consistent and high level of protection of natural persons and to remove the obstacles to flows of personal data within the Union, the level of protection of the rights and freedoms of natural persons with regard to the processing of such data should be equivalent in all Member States.
With particular reference to the security of personal data, the Regulation provides that, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement "appropriate technical and organisational measures" to ensure a level of security appropriate to the risk, including as appropriate: (i) the pseudonymisation and encryption of personal data; (ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (iii) the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident; (iv) a process for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures for ensuring the security of the processing. The Regulation applies from 25 May 2018.