Europe has typically been seen as the world’s leader in protecting privacy (for good or ill). But it has generally lagged behind the US when it comes to cybersecurity. Last month, it began playing catch-up when the European Commission put forth a cybersecurity strategy as well as a proposed Directive on network and information security (NIS). The strategy presents a broad overview of how the EU plans to prevent and respond to cyberattacks over the long term. The proposed Directive gets down in the weeds, and would require certain companies that have activities or systems in the EU to manage risks and report significant cyberattacks to national authorities, even if the companies are not headquartered in the EU.
The “Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace” sets out five long-term priorities:
i) “achieve cyber resilience” by creating a framework for the public and private sectors to cooperate effectively and develop capable cyber defenses;
ii) “drastically reduce cybercrime” by enacting stronger legislation on both the EU and Member State levels;
iii) develop “cyberdefense policy and capabilities related to the Common Security and Defense Policy (CSDP)” by creating an EU-wide cyberdefense policy framework for networks within CSDP operations;
iv) “develop the industrial and technological resources of cyberspace” by promoting common security standards and cybersecurity products; and
v) “establish a coherent international cyberspace policy for the European Union to promote core EU values” by promoting a unified EU policy internationally.
The proposed Directive would introduce three categories of measures:
Measures Affecting Member States: The Directive would establish common minimum requirements for network and information security among Member States. It would require Member States to designate a competent national authority capable of preventing and responding to NIS incidents (an idea first implemented in the US in the form of the National Infrastructure Protection Center 15 years ago). States would also have to create a Computer Emergency Response Team responsible for the cybersecurity of the Member State.
Measures Affecting the EU-Member State Relationship: The Directive would create an information-sharing cooperation mechanism between the Commission and the Member States to share information on cyberattacks, and coordinate detection and response practices at an EU level. It would also empower the Commission to adopt a unified NIS cooperation plan.
Measures Affecting Companies: The Directive would extend the obligation to report significant cyberattacks to entities in the following sectors: key Internet services (e.g., e-commerce platforms, search engines, social networks, and large cloud providers); banking and stock exchange; energy; transportation; health; and public administration. The Directive would require these companies to disclose to the competent national authorities “incidents having a significant impact on the security of the core services they provide.” Under existing EU Directives, reporting requirements extend only to telecommunications companies and Internet service providers. The Directive would also require such companies to introduce risk management and cybersecurity practices. Last, although the Directive would not require public disclosures of cyberattacks, each Member State could still require it.