By David Burg and Douglas Bloom.

As 2015 drew to a close, there was yet another significant development in the global legal regime governing cybersecurity. The European Union (EU) is poised to adopt a cybersecurity Directive early this year aimed at improving members’ individual capabilities and cooperation on cybersecurity and, most significantly for those here in the United States, setting minimum standards for the security of companies that provide certain essential and digital services. The EU issued its proposal to the member states on December 18, 2015, and the Directive will now go to the full Parliament and Council for approval.
The Directive, though divided into five chapters, effectively addresses computer infrastructure at two levels: the government and private industry. The first half of the Directive is aimed at strengthening EU member states’ national security. It requires member states to: (a) adopt a Network and Information Security (NIS) strategy and establish a Computer Security Incident Response Team (CIRT); and (b) enter into a cybersecurity information sharing group composed of representatives from the member states, the Commission, and the European Network and Information Security Agency. The Directive also establishes a network of CIRTs to “promote swift and effective operational cooperation” on specific cybersecurity threats.
The remainder of the Directive is aimed at private companies operating within the Union, regardless of their nationality. It requires operators of certain defined “essential services” to implement and ensure a security level appropriate to the risks facing them. Essential services are defined to include, among other things, providers of services in the energy, transportation, credit, securities, healthcare, and digital infrastructure industries. In addition to taking appropriate cybersecurity steps, these providers are obligated to report serious incidents to their applicable national authorities. The Directive does not set out the standards to which the essential service providers will be held. That is left to member states in concert with existing EU law.
The Directive does, however, place some concrete restrictions on essential service providers. First, it directs member states to establish or appoint an existing oversight authority with the power to audit essential service providers’ compliance with the security standards. Those authorities will have the power to require essential service providers to produce information needed to assess the security of their networks. The authorities also have the power to demand evidence of “effective implementation” of the companies’ security policies. That evidence may include an audit of their security by an outside auditor, such as PwC. The Directive also obligates essential service providers to notify the authority of incidents having a significant impact on the continuity of the services they provide, even when the incident arises at a third-party service provider. The companies are, however, shielded from any additional legal liability arising from their reporting of these incidents.
The Directive imposes similar requirements on what it terms “digital service providers,” which include not only ISPs, but also online marketplaces, cloud services, and search engines. These services will also be required to adopt certain undefined minimum security measures and to report incidents having a substantial impact on the provision of their services. However, in addition to the standards placed on essential services, digital service providers will have to meet requirements for: (a) system and facility security; (b) incident management; (c) business continuity management; (d) monitoring, auditing and testing; and (e) compliance with unspecified international standards.
Of course, this EU agreement is just the most recent in a year full of global policy developments governing cybersecurity. In the United States, we’ve had President Obama’s executive order promoting Information Sharing and Analysis Organizations and the signing into law of the Cybersecurity Act of 2015, which promotes public and private sector sharing of threat intelligence and defensive measures. Overseas, we saw the loss of the EU data security safe harbor, and Israel’s elimination of its largely equivalent safe harbor provision.
Despite the uncertainty that remains in the legal landscape, 2016 is shaping up as a year full of promise and opportunity. The opportunity for nation states to work closely with each other to bolster their cybersecurity. The opportunity for businesses to work with each other and their governments to strengthen themselves and help others against increasing cyberthreats. And the opportunity for all of us to step back and assess where we stand and where we can go to protect ourselves, our clients, and our critical infrastructure. We at PwC appreciate the opportunity to help you reach those goals. We wish you a happy and healthy New Year.