European Union: 8-In-8 Recent Trends In European Law And Policy Alert Series: Cybersecurity And The EU: How To Avoid Making News In Europe For A Data Breach?

This is the sixth issue of WilmerHale's 8-in-8 Recent Trends in European Law and Policy Alert Series. Our attorneys will share insights on current and emerging issues affecting companies doing business in Europe and across the Atlantic. Attorneys from across various practice groups at the firm will offer their take on issues ranging from Brexit to Big Data to EU energy market regulation. WilmerHale has offices in key European capitals, including Brussels, Berlin, Frankfurt and London, as well as lawyers qualified in a range of European countries. With one of the leading European law and policy practices in the world, we follow and work on a broad range of EU legal and policy issues, including data protection and privacy, competition, trade, technology, intellectual property, financial services, and a range of other EU and transatlantic regulatory and policy challenges that our clients face. Read all issues in this series and our other recent publications.

Until recently, cybersecurity rules in the EU have by and large been governed by a patchwork of national laws containing cybersecurity requirements applied by different EU member countries. That is changing, with cybersecurity now being addressed more systematically at the EU level, as illustrated by the recent entry into force of the EU General Data Protection Regulation ("GDPR"). EU rules in some cases harmonize national rules and in other cases provide an overlay on top of them. It is up to EU member countries to designate which regulator (national competent authority) deals with cybersecurity rules. This may vary, depending on the specific rules at issue. The designated authority could be a communications regulator, a data protection authority, or a cybersecurity agency.

While most companies have focused their attention on the GDPR, the regulatory framework at the EU level is composed of several different regulations or directives with differing goals and varying scope:

  • The GDPR imposes cybersecurity obligations on all companies that process personal data.
  • The ePrivacy Directive currently complements the GDPR and provides more specific rules that apply to providers of electronic communications services.
  • The planned ePrivacy Regulation, which will replace the ePrivacy Directive once it is finalized and adopted, would no longer contain such rules, since they have been moved to a proposed directive intended to establish a European Electronic Communications Code ("EECC"). A separate directive on network and information systems security ("NIS Directive") applies to critical infrastructure in specific sectors. The EECC and the NIS Directive cover processing activities generally, not just those involving personal data.
  • Finally, the Cybersecurity Act refines the institutional framework for safeguarding cybersecurity in the EU.

We discuss each of these legislative measures below. Companies should carefully consider what cybersecurity obligations they have in the EU, based both on current legislation in force and soon-to-be adopted measures.

Current EU legislation

  1. The GDPR (our previous alert on the GDPR is available here);
  2. The NIS Directive (Directive concerning measures for a high common level of security of network and information systems across the EU, available here);
  3. The ePrivacy Directive (Directive concerning the processing of personal data and the protection of privacy in the electronic communications sector, available here);

Upcoming EU legislation

  1. The ePrivacy Regulation (Regulation concerning the respect for private life and the protection of personal data in electronic communications – the EU Council's latest draft version of the proposal is available here) to replace the ePrivacy Directive;
  2. The EECC (Directive establishing the European Electronic Communications Code – the European Commission's proposal is available here);
  3. The Cybersecurity Act (Regulation on ENISA – the European Commission's proposal is available here).

1. Cybersecurity in the GDPR. The GDPR took effect on May 25, 2018. It requires all companies that process personal data to implement appropriate technical and organizational measures to ensure a level of security that is appropriate to the risk. The GDPR also requires companies to notify a security breach that is likely to result in a "risk" to the rights and freedoms of the individuals concerned to the national data protection authority within 72 hours or, if this is not feasible, as soon as possible. With certain exceptions, companies must also disclose a breach directly to the individuals concerned without undue delay where that breach is likely to result in a "high risk" to the individual's rights and freedoms. Companies that process personal data on behalf of another company must notify any breach to their customer.

The European Data Protection Authorities have already published some guidelines (available here) to help companies understand the breach notification requirements. In particular, these guidelines recommend that companies take into account specific criteria when assessing whether there is a risk or a high risk. These criteria include the type of breach, the nature, sensitivity and volume of personal data, how easy it is to identify individuals, the severity of consequences of the breach for individuals, special characteristics of the individual concerned and the company in question and the number of affected individuals. The guidelines also specify when a data controller or processor should be deemed to be aware of a breach, since that triggers the countdown to the deadline for notifying the breach, if required. Non-compliance with these obligations in the GDPR is subject to a maximum fine of up to €10 million or 2% of a company's total worldwide annual turnover, whichever is higher. In practice, though, Data Protection Authorities will have to consider the gravity of and reaction to any data breach in order to ensure that the fines they impose are proportionate.

2. Cybersecurity in the NIS Directive. The NIS Directive took effect on May 10, 2018. Although EU Member States had to transpose the Directive into national law by that day, some of them have not met that deadline (e.g., France has only partially transposed the Directive, while transposition is still in progress in Ireland and Spain – the state-of-play of the transposition of the Directive can be found here). In contrast to the GDPR, the NIS Directive imposes cybersecurity obligations on only two categories of companies: (1) operators of essential services ("OES"); and (2) digital service providers ("DSPs"), irrespective of whether they process personal data.

More specifically, the NIS Directive applies to OES in specific sectors, including energy, transportation, banking, financial market infrastructure, healthcare, water supply and distribution, and digital infrastructure (e.g., internet exchange points, domain name system service providers and top-level domain name registries). DSPs include online marketplaces, online search engines, and cloud computing services. The Directive does not apply to companies providing public communications networks or publicly available electronic communications services, since these infrastructures are covered by the ePrivacy Directive and will be covered in the future by the EEEC.

Under the NIS Directive, companies must implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. This implies a comprehensive risk assessment as a starting point. Also, companies must notify incidents that impact their services, such as a cyber attack, without undue delay (i.e., as soon as possible, unless there is a justified reason for a delay) to the national competent authority. Each EU member country is responsible for designating this authority, which is generally an agency that oversees network and IT security (e.g. the Agence Nationale de la Sécurité des Systèmes d'Information in France or the Bundesamt für Sicherheit in der Informationstechnik in Germany). OES must notify incidents having a "significant" impact on the continuity of their services to the authority, while DSPs must notify incidents having a "substantial" impact on their services. The Directive only provides very general criteria to determine whether an incident is significant or substantial; further guidance is expected.

It is up to EU member states to determine the fines for non-compliance with the obligations in the NIS Directive. Although they will likely vary, given the importance of the infrastructure at issue, they can be expected to be significant. For example, the UK NIS Regulations (available here) provide that fines could be as much as £17 million or 4% of global turnover.

3. Cybersecurity in the ePrivacy Directive. The 2002 ePrivacy Directive, which is still in force, was drawn up to complement the Data Protection Directive (the predecessor of the GDPR, adopted in 1995). It also provides more specific rules regarding the processing of personal data in the context of electronic communications services provided to the public. The ePrivacy Directive requires providers of publicly available electronic communications services to adopt appropriate security measures. They must notify all personal data breaches to the national competent authority designated to that end within 24 hours and to their subscribers or other affected individuals without undue delay, where the breach is "likely to adversely affect" their personal data or privacy. The competent authority can be the data protection authority, as in France (the Commission Nationale de l'Information et des Libertés) or a communications or network regulator as in Germany (Bundesnetzagentur). A Commission implementing regulation (available here) specifies that this trigger should be assessed by taking into account the nature and content of the personal data concerned, the likely consequences of the personal data breach for the individual concerned, and the circumstances of the personal data breach.

The e-Privacy Directive also requires service providers to inform subscribers of a "particular risk" of a breach of network security, even where this is not under the control of the service provider, with an indication of the measures that can be taken to protect against this risk. For example, service providers that offer publicly available electronic communications services over the Internet should inform users and subscribers of measures they can take to protect the security of their communications, for instance by using specific types of software or encryption technologies.

4. Cybersecurity in the ePrivacy Regulation. On January 10, 2017, the European Commission published its proposal to replace the ePrivacy Directive with an ePrivacy Regulation. The regulation will have the force of law without requiring national implementing measures. It is intended to complement the GDPR and provide further tailored regulation for electronic communications service providers.

Currently, it is still unclear when the final text will be adopted. The draft ePrivacy Regulation would extend the application of e-privacy rules to 'over-the-top' content providers, such as VoIP, text messaging including through social media, and email providers. The initial draft Regulation maintained the ePrivacy Directive rules on data security and breach notification. However, the European Parliament has proposed to eliminate these provisions, since it views them as adding little to the framework provided by the GDPR, the EECC and the NIS Directive. The proposal for an ePrivacy Regulation as amended by the European Parliament no longer includes these rules. The legislation is now in the hands of the European Council for final adoption or further amendment, prior to trilogue negotiations between the Commission, Parliament and the Council to produce a final text of the regulation.

5. Cybersecurity in the EECC. The European Parliament and the Council reached a political agreement to update EU telecommunications regulation on June 6, 2018. The EECC would set out, in a single unified text rather than in differing regulations with varying scope that exist now, the rules that apply to companies providing public communications networks or publicly available electronic communications services, including over-the-top services, irrespective of whether they process personal data. The EECC provides that EU member countries should ensure that such companies take appropriate technical and organizational measures to appropriately manage the risks posed to the security of their networks and services. They must also guarantee the integrity of their networks to ensure continuity of service provided over these networks.

EU member countries must ensure that companies providing public communications networks or publicly available electronic communications services notify the national competent authority without undue delay of a breach of security that has had a significant impact on the operation of their networks or services. The competent authority concerned may inform the public or require companies to do so where it determines that disclosure of the breach is in the public interest. It is for each EU member country to decide which national authority will be responsible (e.g., the communications regulator or the data protection authority).

6. The EU Cybersecurity Act. On June 8, 2018 the European Council adopted its negotiating position on a proposal for an EU Cybersecurity Act, for negotiations with the European Parliament on a final text. The proposed Act would upgrade the existing European Union Agency for Network and Information Security ("ENISA") into a permanent EU agency for cybersecurity, while it currently operates on a fixed-term mandate that would otherwise require periodic renewal. The Act would also create an EU-wide certification framework for information and communications technology products and services.

The Agency would get more resources, both in terms of staff numbers and budget, and take on additional responsibilities, such as organizing annual pan-European cybersecurity exercises; advising Member States on implementation of the NIS Directive, and supporting and promoting EU policy on cybersecurity certification. The Agency is intended to be a center of excellence and resource for cybersecurity in the EU.

The new European cybersecurity certification schemes for ICT products, services and processes are intended to increase trust and security by attesting compliance with specified cybersecurity requirements. These certification schemes are also meant to address barriers in the single market caused by the existence of different national certification processes. The details of these certification schemes and requirements will be important to network and data service operators, including cloud computing service providers.

Conclusion. The EU is building a more comprehensive regulatory framework for cybersecurity. Specific instruments (the NIS Directive, the EECC and the ePrivacy Directive / Regulation) will coexist with the GDPR, which provides the general basis for requiring cybersecurity requirements for personal data in the EU. The EU Cybersecurity Act will beef up ENISA, providing added institutional resources and expertise.

A number of different legislative requirements may apply to the same company, particularly to providers of critical infrastructure and digital networks and services. For example, a communications operator should analyze its cybersecurity obligations both under the GDPR and the ePrivacy Directive regarding the processing of personal data and under the EECC for non-personal data. An air carrier and a financial institution would have to do the same under the GDPR and the NIS Directive. Companies should gain a comprehensive understanding of the EU's cybersecurity regulatory framework in order to design and implement their compliance programs accordingly.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on

Click to Login as an existing user or Register so you can print this article.

Similar Articles
Relevancy Powered by MondaqAI
In association with
Related Topics
Similar Articles
Relevancy Powered by MondaqAI
Related Articles
Related Video
Up-coming Events Search
Font Size:
Mondaq on Twitter
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).
Email Address
Company Name
Confirm Password
Mondaq Topics -- Select your Interests
 Law Performance
 Law Practice
 Media & IT
 Real Estate
 Wealth Mgt
Asia Pacific
European Union
Latin America
Middle East
United States
Worldwide Updates
Registration (you must scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of

To Use you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.


The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.


Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions