On December 7, 2015, the European Parliament and the Council issued a directive
"concerning measures to ensure a high common level of network
and information security across the Union." This is an
informal agreement on the structure and goals of draft legislation
on cybersecurity in the private sector.
Legislation regulating the approach to cybersecurity taken by
essential services operators and digital service providers will be
developed and put forward by the member states. Essential services
include the energy, transport, finance and health sectors or other
sectors member states deem essential. Companies operating in these
sectors will be required to put in place minimum standards for
cybersecurity and report significant cybersecurity incidents.
The minimum standards for digital service providers, such as
search engines, cloud services and e-commerce platforms like
PayPal and Amazon, will be less onerous. We note that the exact
nature of the obligations to be imposed has yet to be decided.
The driving force behind this directive is the recognition that
in an interconnected economy, private companies provide a number of
essential services that are vulnerable to a cyberattack which could
cause widespread economic disruption.
If the directive is passed, each member state will be required to establish a
government authority that is responsible for Network and
Information Security. These government authorities will share
information with each other and work closely with the Computer
Emergency Response Team established in 2012 to coordinate the
prevention, detection, and mitigation of cyberattacks.
The directive's other goal is to encourage the private
sector to increase its commitment to cybersecurity and develop
cyber resilience: the ability to better absorb, manage and prevent
cyberattacks. As such, the directive will require mandatory
reporting of significant cybersecurity incidents.
The requirements and obligations that will be imposed are as
yet unknown. This directive, however, is likely a harbinger of
future legislative developments in Canada and worldwide.
Legislators in Canada are strengthening or imposing mandatory
reporting of privacy breaches. As part of this review of
privacy laws, governments will likely consider whether the private
sector is adequately protecting itself or whether legislation is
required to reduce the impact of cyberattacks on the economy and