As 2015 drew to a close, there was yet another significant development in the global legal regime governing cybersecurity. The European Union (EU) is poised to adopt a cybersecurity directive early in 2016 aimed at improving members’ individual capabilities and cooperation on cybersecurity, and setting minimum standards for the security of companies that provide certain essential and digital services. The EU issued its proposal to the member states on December 18, 2015 and the directive will now go to the full Parliament and Council for approval.
The directive, though divided into five chapters, effectively addresses computer infrastructure at two levels, governmental and in private industry. The first half of the directive is aimed at strengthening EU member states’ national security. It requires member states to: (a) adopt a network and information security (NIS) strategy and establish a computer security incident response team (CIRT), and (b) enter into a cybersecurity information sharing group composed of representatives from the member states, the Commission, and the European Network and Information Security Agency. The directive also establishes a network of CIRTs to “promote swift and effective operational cooperation” on specific cybersecurity threats.
The remainder of the directive is aimed at private companies operating within the Union, regardless of their nationality. This could also include Swiss companies with EU-based operations. It requires operators of certain defined “essential services” to implement and ensure a security level appropriate to the risks facing them. Essential services are defined as including, among other things, providers of services in the energy, transportation, credit, security, healthcare, and digital infrastructure industries. In addition to taking appropriate cybersecurity steps, these providers are obliged to report serious incidents to their applicable national authorities. The directive does not set out the standards to which the essential service providers will be held. That is left to member states to decide and implement in harmony with existing EU law.
The directive does, however, place some concrete restrictions on essential service providers. Firstly, it directs member states to establish a new oversight authority, or appoint an existing one, with the power to audit essential service providers’ compliance with the security standards. Those authorities will have the power to require essential service providers to produce the information needed to assess the security of their networks. The authorities also have the power to demand evidence of “effective implementation” of the companies’ security policies. That evidence may include an audit of their security by an outside auditor, such as PwC. The directive also obliges essential service providers to notify the authority of incidents having a significant impact on the continuity of the services they provide, even when the incident arises at a third-party service provider. The companies are, however, shielded from any additional legal liability arising from their reporting of these incidents.
Digital service providers
The directive imposes similar requirements on what it terms “digital service providers”, which include not only ISPs but also online marketplaces, cloud services, and search engines. These services will also be required to adopt certain (as yet undefined) minimum security measures and to report incidents having a substantial impact on the provision of their services. However, in addition to the standards imposed on essential services, digital service providers will have to meet requirements for: (a) system and facility security, (b) incident management, (c) business continuity management, (d) monitoring, auditing and testing, and (e) compliance with unspecified international standards.
2015 – a conclusion
Of course, this EU agreement is just the most recent example during a year full of global policy developments governing cybersecurity. 2015 saw the loss of the EU data security safe haven with the US, and Israel’s elimination of its largely equivalent agreement, a similar safe haven provision. The United States has adopted a new law, the Cybersecurity Act of 2015, which promotes public and private sector sharing of threat intelligence and defensive measures.
Switzerland has already developed a national strategy (NCS) to develop its defences and protect against cyber risks. Currently, there is no urgent requirement felt in Switzerland for additional legislation (according to the NCS 2014 annual report). Nevertheless, it is still likely that Switzerland will adopt parts of this EU Cybersecurity Directive in order to continue to participate in the EU’s “Digital Common Market”, reflecting the fact that cyber-attacks do not respect legal borders. For some Swiss companies providing critical infrastructure services that are important to the EU or to EU citizens, it will be compulsory to comply with the new EU Cybersecurity Directive (NIS).
2016 – an outlook
Swiss organisations working in the EU will need to consider the legislation and its mandatory requirements. Despite the uncertainty that remains in the legal landscape, 2016 is shaping up as a year full of promise and opportunity. The opportunity exists for nation states to work closely with each other to bolster their cybersecurity. The opportunity exists for businesses to work with each other and their governments to strengthen themselves and help others against increasing cyber threats. There is also the opportunity for all of us to step back and assess where we stand and what more we can do to protect ourselves, our clients, and our critical infrastructure.
We at PwC appreciate the opportunity to help you reach those goals. As a multi-disciplinary cybersecurity practice, we are uniquely placed to help you adjust to new regulatory environments. Our global data protection team includes lawyers, consultants, auditors, technical risk specialists, forensics experts and strategists. Feel free to contact us.
We wish you a happy New Year!