European Union: EU Network And Information Security Directive: Is It Possible To Legislate For Cyber Security?

Last Updated: 27 October 2014
Article by Pearse Ryan
Most Read Contributor in Ireland, October 2018

INTRODUCTION

The Network and Information Security Directive, commonly known as the Cybersecurity Directive (the "Directive"), was approved by the European Parliament (the "Parliament") on the 13 March 2014 with a strong majority of 521 votes for to only 22 against1. This approval comes after the Directive was significantly amended by the Parliament's Internal Market and Consumer Protection Committee ("IMCO"). The Directive is the European Union's first comprehensive attempt to establish a set of minimum cybersecurity standards that would apply across the continent.

This latest version will now move to the Council of the EU (the "Council") for negotiation, where interests of Member States will be brought to bear on the text. As a result, the extent of the reforms to be put in motion by the final Directive remains uncertain, as further amendments are expected. It is anticipated that the Directive will be adopted by 2015, leaving Member States eighteen months to transpose it into national law.

The Directive takes a multi-layered approach and places new obligations on a variety of actors. Member States would be required to appoint a competent central authority and develop a national cybersecurity strategy, along with other baseline security measures. Market operators responsible for critical national infrastructure would be subject to a series of new incident reporting requirements. The Directive contains a non-exhaustive list of such operators, which include operators in the energy, banking, health, transport and financial services sectors. The revised Directive has also included Internet exchange points (the physical infrastructures through which Internet traffic is exchanged between network providers) and the food supply chain within its scope. In addition, Member States will have a choice whether to subject public administrators to the Directive.

This Briefing discusses certain key aspects of the Directive and considers issues associated with attempting to legislate in the cybersecurity area. The area is not new and cyber threats have been with us for quite some time, but attempting to legislate, whether on a regional, national or international basis, is new. It remains to be seen whether or not this legislative approach will succeed in raising the EU's common security baseline, with many Member States favouring a more voluntary approach to boosting cooperation and preparedness.

BACKGROUND

The Directive was originally published by the European Commission (the "Commission") in February 2013. A strategy outlining the Commission's plans to ensure a common level of network security across Europe was published alongside the Directive (the "Strategy")2. The Strategy aims to reduce cybercrime and improve network resilience by raising awareness of the issues surrounding cybersecurity, developing an internal market for cybersecurity products and increasing research and development investment.

The Directive is the principle mechanism to achieve the Strategy's objectives. Its main aims are:

  • to ensure that Member States and private sector bodies providing certain critical infrastructure within the European Union ("EU") take appropriate steps to deal with cybersecurity threats; and
  • to facilitate information sharing about cybersecurity threats between the public and private sectors across Member States.

The Directive also sets out in general the standards and obligations that Member States must impose on the private sector.

THE NEED FOR LEGISLATIVE INTERVENTION

The threat posed by cybercrime, online industrial espionage and attacks on critical infrastructure is growing. It is estimated that 823 million individual data breaches occurred in 2013, up from 264 million in 2012.3 Last year in the UK, 93% of large corporations and 87% of small businesses experienced a cybersecurity breach, with estimated losses of £450,000 to £850,000.4 In Ireland a recent report estimated the cost of responding to a data breach "to be in the region of ¤194k".

The annual cost to the global economy from cybercrime and cyberespionage is estimated at over $400 billion. With information and communication technology now forming the backbone of the European economy, the growing prevalence of cybercrime has negative implications for both national security and economic stability.

The European Commission asserts that, in this context, lack of effective sharing of data on threats and incidents is hindering the EU's response to cybersecurity challenges. It claims that the existing, mostly voluntary and ad hoc, nature of information-sharing between businesses, governments and Member States results in "uncoordinated regulatory interventions, incoherent strategies and divergent standards, leading to insufficient protection against NIS across the EU."5 The Commission expressed similar sentiments as far back as 2001,6 though regulatory measures to combat cybercrime since then have been largely sectoral and fragmented in nature.7 This has led to gaps in cybersecurity regulation. The Directive seeks to address these concerns by creating a cross-sectoral legislative framework within and across Member States, in which information-sharing no longer takes place on a purely voluntary basis.

Whether this shift in approach will work in practice is the subject of considerable debate. Concerns have been raised by certain Member States and business operators, who fear that more stringent, top-down regulation at European level will hinder business growth and competition. They argue that new reporting requirements could impose significant administrative burdens and become "a factor of reputational risk"8 for businesses (particularly for SMEs, which may not have the resources required to meet the new standards). It is also claimed that moving from a voluntary to a legislative approach risks creating a "static compliance approach" that could "divert scarce security resources from areas requiring greater investment towards areas with lower priority [and] decrease Europe's collective security."9 Many argue that a voluntary, industry-led set of standards, similar to those used in the United States, is a preferable approach.

ESTABLISHING A NATIONAL STRATEGY AND COMPETENT AUTHORITIES

Chapter II of the Directive requires Member States to ensure the security of the network and information systems in their territory. Member States must:

  • establish a national Network Information Security ("NIS") strategy and establish regulatory measures to achieve network security;
  • establish a competent authority ("NCA") to monitor and ensure the consistent application of the Directive in their territory and across Member States. The latest version of the Directive permits Member States to appoint several NCAs so long as one "national single point of contact" remains responsible and accountable; and
  • establish a Computer Emergency Response Team ("CERT") responsible for handling incidents and risk. As is the case with the establishment of NCAs, the text approved by the European Parliament allows for "at least one" national CERT.

These are positive measures as Member States will have an accountable authority to monitor compliance with the Directive, promote a NIS strategy and receive, collate and share information about cybersecurity threats across the EU in an efficient manner. These bodies will also help Member States develop minimum security requirements and encourage businesses to create ICT security plans.

However, the Directive is unclear in some circumstances. For example, no practical guidance is provided as to how a NCA will ensure the consistent application of the Directive in their territory and across Member States. The Directive also fails to elaborate on what a NCA must do when they receive a cyber-threat warning. These limitations might reduce the effectiveness of the Directive.

Furthermore, the European Network Information Security Agency ("ENISA") revealed only seventeen Member States currently have national cybersecurity strategies.10 This could reflect the different views of Member States as to the best approach to cybersecurity regulation. For example, the UK favours a non-regulatory approach whereas Germany favours regulation. The lack of consensus could undermine the overall effectiveness of national strategies, the consistent application of the Directive across Member States and any co-ordinated attempts to deal with cyber threats.

COOPERATION NETWORK BETWEEN COMPETENT AUTHORITIES

Chapter III of the Directive provides that NCAs and the Commission will form a cooperation network to coordinate against risks and incidents affecting network and information systems ("Cooperation Network"). The Cooperation Network will (amongst other things):

  • circulate early warnings about cyber threats. Member States must report to the Cooperation Network cyber threats that (a) grow rapidly in scale; or (b) exceed national response capacity; or (c) affect more than one Member State. The Cooperation Network must ensure a co-ordinated response across Member States to these threats;
  • publish non-confidential information on on-going early threat warnings and coordinated responses on a common website; and
  • exchange information and best practices with participants in the Cooperation Network.

The Strategy highlights the borderless nature of cybercrime and the importance of involving all actors, both the private and public sectors within and across Member States, when dealing with cyber threats and sharing information. The establishment of a Cooperation Network will address these issues. It will also support the creation of a coherent EU cybersecurity policy.

The Directive and subsequent measures will need to deal with a number of changes and consider a number of issues, which include the following:

  • the criteria used to determine when a NCA should report risks to the Cooperation Network is vague, meaning that Member States might apply different reporting thresholds in practice;
  • the Directive does not provide any guidance to deal with situations where Member States cannot agree on a co-ordinated response to a cyber-threat. As we will see, there is considerable resistance from some Council members to mandatory sharing of information between Member States;
  • the Directive does not address concerns that having to seek agreement from each Member State might slow down an effective response; and
  • a co-ordinated response across different Member States might be complicated as security levels differ and many nuances exist on aspects such as operator obligations and code-sharing.

Finally, there are a number of bodies already working on different aspects of European cybersecurity. These include ENISA, the European Public–Private Partnership for Resilience ("EP3R") and CERT-EU. The Directive does not specify exactly how this range of organisations is to cooperate, or how the Cooperation Network is intended to complement their functions. Caution must be exercised to ensure that it is understood who talks to whom and how coordination and co-operation is achieved when responding to a cyber-threat in order to avoid uncertainty.11

INFORMATION SHARING AND INCIDENT NOTIFICATIONS

Chapter IV of the Directive provides for mandatory security breach and incident notification requirements. This provision applies to market operators who provide critical infrastructure "the disruption or destruction of which would have a significant impact on a Member State". The Directive contains a non-exhaustive list of such operators, which includes operators in the energy, banking, health, transport and financial services sectors.

This test could be difficult to apply in practice and further guidance may be needed to clarify exactly which sectors are subject to the Directive. Indeed, Chapter IV obligations have been the subject of rigorous debate during the legislative process.

In the European Commission's original proposal, "key Internet enablers", such as e-commerce platforms, social networks, search engines, cloud services and app stores, came within the scope of the Directive's mandatory reporting requirements. However, the IMCO elected to exclude these actors from its version of the Directive, limiting breach and incident notification obligations to operators of critical infrastructure "essential for the maintenance of vital economic and societal activities".12 It is also interesting to note that Internet exchange points, the organisations which provide network operators with Internet traffic exchange facilities, were added by the IMCO to the Directive's list of critical infrastructure operators. This is a significant addition that takes account of the centrality of electronic communications to national infrastructure.

Importantly, Member States can decide exactly how "critical" an operator of critical infrastructure is, and therefore whether it should be covered by the Directive. Alongside this greater level of discretion, the Directive also allows more flexibility with regard to information-sharing between companies and national authorities, leaving open more avenues for voluntary means of cooperation.

The exclusion of Internet enablers could significantly water down the effect of the Directive, as such operators are central to the online world and the economy as a whole. Critical infrastructure operators engage with software developers, cloud storage providers, e-commerce platforms and others to a growing extent as more of their functions become digitised, making it increasingly difficult to draw a clear distinction between the categories set out in the Directive.

Member States also now have a choice whether to impose Chapter IV obligations on public administrators after the original draft automatically included them. This amendment could again undermine the effectiveness of the Directive, as the Strategy noted the importance of all relevant stakeholders, whether public authorities or private sector, taking action to strengthen cybersecurity.

While the Parliament's version of the Directive reduces the scope of companies affected by reporting requirements, it also defines the conditions under which a report should be made more precisely. The revised Directive attempts to set out exactly what constitutes an incident with "significant impact" that would warrant notification, after a report by the Economic and Scientific Policy Department (the "Report") highlighted a lack of clarity in this regard.13 Whether an incident has a significant impact will depend on, inter alia, the number of users of the core services who are affected, the duration of the incident and the geographical area affected by the incident.

In addition, the revised Directive provides that if an incident affects services in more than one Member State, upon notification a NCA will pass on relevant information to the NCA of any other affected Member States. This measure has addressed previous concerns that multiple notifications of the same incident would be required. It remains to be seen how effective incident notification by market operators will be in practice. The Report highlighted that "large discrepancies" were found in how prepared businesses across all sectors and Member States are to deal with cybersecurity incidents.14

PUBLICATION OF INCIDENT REPORTS BY NATIONAL AUTHORITIES

The Directive provides that a NCA can inform the public, or require market operators (or public administrators if applicable) to do so, where it believes the publication of an incident is in the public interest. The NCA is also required to submit an annual report of notifications received and any subsequent action taken to the Cooperation Network. Publication of notifications will help raise awareness of cyber threats but there were concerns that it could result in reputational damage to the market operator or result in a breach of any confidentiality obligations. Moreover, there were data protection concerns about treating the practice of publishing notifications containing personal data as necessary and legitimate.15

The revised Directive attempts to address some of these concerns. It now provides that the NCA must consult with the market operator and give them a chance to be heard before making its decision whether to publish information about a security incident. In the event that the NCA decides to publish information it must act to ensure it is made as "anonymous as possible".

ENFORCEMENT AND SANCTION

The Directive provides that Member States must ensure a NCA has all the necessary powers to scrutinise and investigate any non-compliance with Chapter IV obligations. Market operators will be required to provide all information that is necessary to assess the security of their networks and to undergo security audits. The Directive further provides for the imposition of effective, proportionate and dissuasive sanctions. It is expected that offending market operators will be fined a certain percentage of their revenue.

Effective enforcement and sanctions mechanism are important to ensure the objectives of the Directive are achieved. Commissioner Kroes pointed out that only 26% of companies in the EU had formally-defined ICT security policies. The threat of audit and subsequent sanction should ensure companies take network security more seriously.16 In addition, the revised Directive has made a number of welcome amendments to the enforcement and sanction provisions. NCA's will now be permitted to tailor the level of scrutiny a market operator is placed under depending on how critical its systems are judged rather than applying a standardised level. Furthermore, market operators will only be subject to penalties for non-compliance with Chapter IV obligations where they arise as a result of intent or gross negligence.

PARALLEL INTERNATIONAL DEVELOPMENTS

In the United States a Presidential Executive Order (the "Order") was published in February 2013 that encouraged the United States government to work with owners and operators of critical infrastructure17 to share information about cyber threats and implement minimum cybersecurity standards. In February 2014 the National Institute for Standards and Technology issued a framework to achieve these objectives (the "Framework"). It provides common security standards to identify and report security risks, measures to recover from attacks and methods to protect against security threats. The Framework resists the mandatory approach adopted in the EU and instead provides a non-regulatory system with incentives to comply with the standards. The different approach adopted by the US could undermine the effectiveness of the Directive. Cybercrime by nature is a global issue and a failure to align with the U.S. could result in gaps in the global cybersecurity framework or slow down responses to threats. It might be sensible for the US and EU to adopt a joint policy position on global cybersecurity threats.

TIMELINE

Having been approved by the European Parliament, the Directive now needs to be agreed by the Council of EU telecommunications ministers. The next meeting of this Council configuration is due to take place on 27 November 2014. Between now and then, the text will continue to be debated in trialogue meetings18 between representatives from the European Parliament, Commission and the Italian Presidency, as well as between Member States' Permanent Representatives.

The Council came to what the Italian Presidency called a "general convergence of views" on the Parliament's text in its most recent meeting on 5/6 June 2014.

However, Member States remained divided on a number of key questions, including whether or not cloud providers should be covered by the legislation, and the extent to which the Directive should dictate operational cooperation between different agencies. A number of Member States expressed a preference for more general guidelines for information exchange between national authorities in the final text, rather than the more prescriptive "cooperation network" envisaged by the Parliament's version. These concerns could result in a weaker compromise text at the November Council.

A change of personnel in the EU institutions could also have a significant bearing on the Directive's final shape. A new European Commission, set to take office on 1 November 2014, is likely to give added impetus to trialogue negotiations following a period of uncertainty and institutional transition. The Digital Single Market ("DSM") has been highlighted as a priority for the new Commission, and a new Commission Vice President, former Estonian Prime Minister Andrus Ansip, has been appointed to lead work towards its completion.

Ansip will lead a "project team" of Commissioners working on different aspects of the DSM, which includes a Commissioner for Digital Economy and Society who is tasked with making the EU "a leader in cybersecurity preparedness and trustworthy ICT".19 In his confirmation hearing before the European Parliament Ansip stated that it is "extremely important" to make the Directive a reality, echoing the view of the European Council that "the timely adoption of [...] the Cybersecurity Directive is essential for the completion of the DSM by 2015."20

There is, therefore, a good deal of political impetus behind the Directive and the new European Commission will be eager to mark its completion as an early success. Time is fast running out before the 27 November Council meeting, however, and it remains to be seen if this momentum will be enough to overcome remaining disagreements between Member States. If the Council is to approve the Directive in its next meeting, it is likely that additional compromises will need to be found in the Parliament's text.

Looking further ahead, Member States will have eighteen months to transpose the Directive into national law once it is adopted.

CONCLUSION

The Directive represents an ambitious and timely attempt to legislate for the prevention of cybercrime in the EU. If adopted, its proposals would help ensure market operators of critical infrastructure, Member States and the EU are all adequately prepared to deal with cyber threats by providing a common baseline of shared standards. The latest version of the Directive has made welcome amendments that have provided guidance to key elements such as the definition of "significant impact" and what constitutes an operator of critical infrastructure.

Nevertheless a significant degree of uncertainty remains on certain key issues, such as how to co-ordinate EU wide responses and exactly which companies are to be subject to the Directive. In spite of the widespread acknowledgement that better frameworks for information exchange are required, there is still considerable resistance to mandatory models of reporting and cooperation. With time running out before the November Council meeting, the final shape of the Directive and how it will be transposed by Member States remains uncertain. It is likely that further compromises will be required before the Parliament's text is approved by the Council, and the final version will have to strike a careful balance between stimulating better exchange of information and adding unnecessary burdens to businesses. Legislating for cybersecurity is a relatively new and untested approach. In this context, the EU's first attempts to shift away from a purely voluntary model of cooperation will be a fascinating test case for future legislative actions in Europe and beyond.

Footnotes

1. Directive of the European Parliament and of the Council concerning measures to ensure a high common level of network and information security across the Union (2013/0027(COD)), 13 March 2014 (http://www.europarl.europa.eu/sides/getDoc.do?type=TA&language=EN&reference=P7-TA-2014-0244

2. Resolution on a Cybersecurity Strategy of the European Union: an open, safe and secure cyberspace (2013/2606(RSP)), 12 September 2013 (http://www.europarl.europa.eu/sides/getDoc.do?type=TA&language=EN&reference=P7-TA-2013-376

3. Risk Based Security/Open Security Foundation, "2013 Data Breach Trends", February 2014 (https://www.riskbasedsecurity.com/reports/2013-DataBreachQuickView.pdf)

4. The Department for Business Innovation & Skills, "2014 Information Security Breach Survey" (http://www.pwc.co.uk/assets/pdf/cyber-security-2014-technical-report.pdf)

5. Proposal for a Directive of the European Parliament and of the Council concerning measures to ensure a high common level of network and information security across the Union [COM/2013/048 final - 2013/0027 (COD)], February 2013 (http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:52013PC0048&from=EN)

6. The European Commission, "Communication Network and Information Security: Proposal for A European Policy Approach" COM(2001) 298.

7. For example, the Markets in Financial Instruments Directive (Directive 2004/39/EC) requires those in the financial services industry to adopt certain reporting and network security risk measures. Telecommunications companies are required to report cybersecurity incidents under the risk management and incident-reporting obligations set out in the revised EU Telecom Framework Directive (Directive 2009/140/EC)

8. AmCham EU's response to the European Commission's Consultation on Network and Information Security (NIS), 15 October 2012 (http://ec.europa.eu/digital-agenda/en/news/consultation-network-and-information-security-publication-individual-responses)

9. Information Technology Industry Council (ITIC) Position Paper on the Directive, 24 June 2013 (http://www.itic.org/dotAsset/a748f2f7-7d73-4d62-8ea0-b5ad35e3af27.pdf)

10. http://www.enisa.europa.eu/activities/Resilience-and-CIIP/national-cyber-security-strategies-ncsss/national-cyber-security-strategies-in-the-world

11. http://www.europarl.europa.eu/RegData/etudes/note/join/2013/507476/IPOL-ITRE_NT(2013)507476_EN.pdf

12. http://www.europarl.europa.eu/oeil/popups/summary.do?id=1342725&t=e&l=en

13. Ibid at 24

14. Ibid at 16

15. http://ico.org.uk/~/media/documents/consultation_responses/response-to-eu-directive-on-network-and-information-security-call-for-evidence-responses-to-consultations-and-inquiries.pdf

16. http://europa.eu/rapid/press-release_SPEECH-13-51_en.htm

17. The Order defines critical infrastructure as, "systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters".

18. The European Parliament's Committee for Internal Market and Consumer Protection ("IMCO") voted to give a mandate to its Rapporteur, Andreas Schwab MEP, to enter trialogue discussions on 6 October 2014.

19. European Commission Mission Letter to Commissionerdesignate Günther Oettinger, 10 September 2014 (http://ec.europa.eu/about/juncker-commission/docs/oettinger_en.pdf)

20. European Council Conclusions, 25 October 2013 (https://www.consilium.europa.eu/uedocs/cms_data/docs/pressdata/en/ec/139197.pdf)

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on Mondaq.com.

Click to Login as an existing user or Register so you can print this article.

Authors
Similar Articles
Relevancy Powered by MondaqAI
 
In association with
Related Topics
 
Similar Articles
Relevancy Powered by MondaqAI
Related Articles
 
Up-coming Events Search
Tools
Print
Font Size:
Translation
Channels
Mondaq on Twitter
 
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).
 
Email Address
Company Name
Password
Confirm Password
Position
Mondaq Topics -- Select your Interests
 Accounting
 Anti-trust
 Commercial
 Compliance
 Consumer
 Criminal
 Employment
 Energy
 Environment
 Family
 Finance
 Government
 Healthcare
 Immigration
 Insolvency
 Insurance
 International
 IP
 Law Performance
 Law Practice
 Litigation
 Media & IT
 Privacy
 Real Estate
 Strategy
 Tax
 Technology
 Transport
 Wealth Mgt
Regions
Africa
Asia
Asia Pacific
Australasia
Canada
Caribbean
Europe
European Union
Latin America
Middle East
U.K.
United States
Worldwide Updates
Registration (you must scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions

Mondaq.com (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of www.mondaq.com

To Use Mondaq.com you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.

Disclaimer

The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.

General

Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions