1 Legal framework
1.1 Does the law in your jurisdiction distinguish between ‘cybersecurity', ‘data protection' and ‘cybercrime' (jointly referred to as ‘cyber')? If so, how are they distinguished or defined?
These concepts are generally distinguished by practitioners, although not comprehensively defined by any single legal instrument. Their boundaries are not clearly defined and can overlap.
Cybersecurity: The area of cybersecurity is highly fragmented and definitions are not used consistently throughout EU law or policy. For example:
- ‘cybersecurity' is defined in the Cybersecurity Act (Regulation (EU) 2019/881) to cover "the activities necessary to protect network and information systems, the users of such systems, and other persons affected by cyber threats". A ‘cyber threat' is a "potential circumstance, event or action that could damage, disrupt or otherwise adversely impact network and information systems, the users of such systems and other persons";
- the Network and Information Systems (NIS) Directive ((EU) 2016/1148) – which is primarily aimed at improving cybersecurity – does not use these definitions. It covers obligations to manage risks posed to "the security of network and information systems", which is defined as "the ability of network and information systems to resist, at a given level of confidence, any action that compromises the availability, authenticity, integrity or confidentiality of stored or transmitted or processed data or the related services offered by, or accessible via, those network and information systems"; and
- in EU law and policy, ‘cybersecurity' can also cover other matters such as cyber defence policy.
Data protection: Data protection rules create a framework for the processing of personal data. Both ‘processing' and ‘personal data' are broadly defined in the General Data Protection Regulation ((EU) 2016/679) (GDPR), which is the key EU law governing data protection:
- ‘Processing' covers almost anything that might be done with personal data, including collecting, using, anonymising, storing, transferring, accessing and deleting personal data; and
- ‘Personal data' encompasses any information relating to an identified or identifiable individual (a ‘data subject').
The GDPR contains provisions on data security and the notification of personal data breaches. However, it is broader than ‘cybersecurity', in the sense that it more generally sets out rules for companies to follow whenever they process personal data and grants rights to individuals in respect of their personal data.
Cybercrime: Cybercrime is in part regulated by the Cybercrime Directive (2013/40/EU), which covers "attacks against information systems" and prescribes rules in relation to, for example, illegal access to information systems, illegal system interference, illegal data interference and interception. However, EU cybercrime law and policy also cover other crimes where computers or IT systems are a primary tool, such as sexual exploitation of children online and child pornography, and fraud and counterfeiting of non-cash payments.
1.2 What are the key statutory and regulatory provisions that address cyber in your jurisdiction?
Key laws include the following:
- The e-Privacy Directive (2002/58/EC) covers the processing of personal data and the protection of privacy in the electronic communications sector.
- The Cybercrime Directive (2013/40/EU) is designed to approximate the criminal law of the EU member states in the area of attacks against information systems by – among other things – establishing minimum rules concerning the definition of criminal offences.
- The GDPR (Regulation (EU) 2016/679) is a broad, cross-sectoral law governing the processing of personal data.
- The NIS Directive ((EU) 2016/1148) was the first piece of EU-wide cybersecurity legislation. Its main goal is to enhance cybersecurity across the European Union in key areas. Commission Implementing Regulation (EU) 2018/151 clarifies and complements some of its rules.
- The European Electronic Communications Code (EECC) (Directive (EU) 2018/1972) requires EU member states to implement cybersecurity rules which, like the e-Privacy Directive, are relevant to the electronic communications sector. The EECC is a recasting of a number of EU directives, including the Framework Directive (2002/21/EC). The Framework Directive established a harmonised framework for the regulation of electronic communications services, electronic communications networks, associated facilities and associated services. It laid down the tasks of national regulatory authorities and established a set of procedures to ensure the harmonised application of the regulatory framework throughout the European Union. The Framework Directive is still technically in force at the time of writing – its validity ends on 20 December 2020. EU member states must transpose the EECC into their national laws by 21 December 2020.
- The EU Cybersecurity Act (Regulation (EU) 2019/881) revamps and strengthens the EU Agency for Cybersecurity (ENISA), including by making it a permanent agency for pan-European cybersecurity matters. It also establishes an EU-wide cybersecurity certification framework for digital products, services and processes. Certifications will be voluntary by default, unless otherwise provided for by EU law or EU member state law.
‘Regulations' and ‘directives' operate differently in the EU legal framework:
- A ‘regulation' is a legal act that applies automatically and uniformly to all EU member states as soon as it enters into force, without needing to be transposed into each EU member state's own laws. Regulations are binding in their entirety on all EU member states and on the relevant addressees (eg, companies that process personal data). Regulations such as the GDPR, however, provide for a limited number of areas in which EU member states may derogate from the rules of the regulation.
- A ‘directive' is a legislative act that sets out (policy) goals that all EU member states must achieve. However, it is up to each EU member state to devise its own laws on how to reach those goals. There may therefore be variations across EU member states as to how directives are implemented.
1.3 Do special cyber statutes or regulations apply to: (a) Certain sectors, businesses or industries (eg, critical infrastructure, national security, financial services, healthcare)? (b) Certain types of information (personal data, health information, financial information, classified information)?
(a) Certain sectors, businesses or industries (e.g., critical infrastructure, national security, financial services, healthcare)?
Yes – in fact most of the rules governing cyber-related topics are sectoral, rather than horizontal.
The NIS Directive creates a framework for cybersecurity requirements in respect of:
- ‘operators of essential services' across the following sectors:
  - financial market infrastructure;
  - drinking water supply and distribution; and
  - digital infrastructure.
  Not all operators of services in those sectors fall within the scope of the NIS Directive: EU member states must identify relevant operators of essential services established on their territory according to particular criteria set out by the NIS Directive; and
- digital service providers, which are providers of online marketplaces, online search engines and cloud computing services.
The NIS Directive requires operators of essential services and digital service providers to take appropriate and proportionate technical and organisational measures to manage the risks posed to "the security of network and information systems".
In the telecoms sector, the e-Privacy Directive and the EECC provide for security rules which apply to:
- public (electronic) communications networks; and
- publicly available electronic communications services.
Providers of public electronic communications networks and publicly available electronic communications services must, in particular, take appropriate and proportionate technical and organisational measures to appropriately manage the risks posed to the security of networks and services. Having regard to the state of the art, those measures shall ensure a level of security appropriate to the risk presented. In particular, the relevant providers are required to take measures, including encryption where appropriate, to prevent and minimise the impact of security incidents on users and on other networks and services.
One of the changes brought about by the EECC is that more electronic communications services are in scope of the telecoms rules. As well as traditional telecoms services such as mobile and fixed telephone services, so-called ‘over-the-top' communications services such as Gmail, WhatsApp and Skype are in scope. According to guidance issued by ENISA, the EECC aims to protect consumers, irrespective of the chosen communication tool – it focuses on the functionality rather than on the underlying technology or implementation.
Other sector-specific cyber obligations may arise in relation to the following (for example):
- The eIDAS Regulation ((EU) No 910/2014) targets providers of trust services. ‘Trust services' are electronic services that make electronic business transactions more secure, such as by creating, verifying and validating electronic signatures, electronic seals, electronic time stamps, electronic registered delivery services and certificates for website authentication.
- The revised Payment Services Directive ((EU) 2015/2366) requires EU member states to implement cybersecurity rules which apply to payment service providers.
- The new Medical Devices Regulation ((EU) 2017/745) and the In-Vitro Diagnostics Regulation ((EU) 2017/746) provide for rules in the medical devices sector.
(b) Certain types of information (personal data, health information, financial information, classified information)?
Most of the rules highlighted in questions 1.2 and 1.3 apply to particular sectors or providers of particular services. However, the GDPR provides for rules which apply where ‘personal data' is processed, regardless of the sector or industry. It requires companies to implement appropriate technical and organisational measures to ensure a level of data security appropriate to the risk. This must be assessed taking into account:
- the state of the art;
- the costs of implementation;
- the nature, scope, context and purposes of processing; and
- the risks of varying likelihood and severity for the rights and freedoms of individuals.
The e-Privacy Directive aims to protect individuals' privacy and personal data in the electronic communications sector. Additionally, it requires EU member states to protect the following types of information from interception:
- ‘communications', which are defined to include any information exchanged or conveyed between a finite number of parties by means of a publicly available electronic communications service; and
- ‘traffic data', which is defined as "any data processed for the purpose of the conveyance of a communication on an electronic communications network" or for its billing.
Under the e-Privacy Directive, location data other than traffic data must also be protected.
1.4 Do any cyber statutes or regulations have extraterritorial reach? If so, how do they apply extraterritorially and what are the factors or criteria for such application?
Yes. The GDPR has explicit extraterritorial reach. It applies to:
- the processing of personal data "in the context of the activities of an establishment" in the European Union (regardless of whether the processing takes place in the European Union). There have been several cases in recent years which expand upon the meaning of this wording to cover companies processing personal data outside the European Union, but which have some form of ‘stable arrangement' in the European Union or whose data processing is ‘inextricably linked' to the activities of an affiliate located in the European Union; and
- the processing of personal data by companies which are not ‘established' in the European Union, but which ‘target' individuals in the European Union by:
  - offering them goods or services (irrespective of whether a payment is required); or
  - monitoring their behaviour, insofar as it takes place within the European Union.
The NIS Directive also explicitly provides for extraterritorial reach. Digital service providers not established in the European Union, but offering services within the European Union must designate a representative for NIS Directive purposes in a relevant EU member state and are deemed to be under the jurisdiction of the EU member state in which the representative is established.
The intended extraterritorial reach of the e-Privacy Directive is the subject of some debate – the Directive states that it "shall apply to the processing of personal data in connection with the provision of publicly available electronic communications services in public communications networks" in the European Union.
Certain obligations under EU laws addressing cybersecurity may in a sense have extraterritorial reach where the addressee of the cybersecurity law contractually ‘flows down' obligations to other entities established outside the European Union (eg, a service provider), so that the addressee can meet its obligations under the law. This is particularly relevant for companies which are subject to the GDPR's rules on transfers of personal data to third countries or international organisations. One of the ways in which such a transfer can be legitimised under the GDPR is by putting in place ‘standard contractual clauses', which impose data protection obligations on the non-EU recipient of the personal data.
1.5 Do any bilateral or multilateral instruments related to cyber have effect in your jurisdiction?
Most of the strategic partnerships which the European Union currently has with third countries have a cyber dimension. These include the partnerships with Brazil, Canada, China, Japan, Russia and the United States.
The European Union is also involved in several multilateral cyber initiatives, including, significantly, EU-NATO cooperation.
While individual EU member states are signatories to the Council of Europe Convention on Cybercrime (the ‘Budapest Convention'), the European Union itself is not a signatory. The Budapest Convention provides a model for drafting national cybercrime legislation and a basis for international cooperation.
1.6 What are the criminal penalties for cybercrime (eg, hacking, theft of trade secrets)?
The Cybercrime Directive requires EU member states to ensure that certain activities falling into the following categories are punishable under their national laws as criminal offences:
- illegal access to information systems;
- illegal system interference;
- illegal data interference;
- illegal interception;
- production, sale, procurement, making available or similar dealings in certain tools used for committing offences; and
- incitement, aiding and abetting and attempt of the above.
EU member states must determine the corresponding criminal penalties; however, the Cybercrime Directive provides certain minimum penalties:
- The first to fifth offences above must be punishable by a maximum term of imprisonment of at least two years, at least for cases which are not minor.
- The second and third offences above must be punishable by higher maximum terms in certain circumstances. For example, at least a three-year maximum term must be applicable where a significant number of information systems have been affected through the use of a tool (as referred to in the fifth point above) designed or adapted primarily for that purpose, and there is intention. At least a five-year maximum term must be applicable where the offence causes serious damage or is committed against a critical infrastructure information system.
2.1 Which governmental entities are responsible for enforcing cyber statutes and regulations? What powers do they have? Can they impose civil and criminal penalties? On whom can penalties be imposed (eg, companies, directors, officers, employees)? Do those entities have extraterritorial reach, and if so what?
In the European Union, cyber statutes and regulations are enforced at EU member state level. This means that in each EU member state, different governmental agencies and authorities are tasked with ensuring compliance and, where needed, sanctioning infringements of cyber statutes and regulations. The precise roles of these agencies and authorities, as well as their powers, vary from member state to member state.
Under the General Data Protection Regulation (GDPR), each EU member state has established one or more supervisory authorities (also referred to as data protection authorities) in charge of monitoring compliance with the GDPR on its territory. They also have jurisdiction over the processing of personal data carried out by a ‘controller' or ‘processor' (as defined below) not established in the European Union that targets individuals residing in their territory.
The GDPR, as well as EU member state law supplementing the GDPR, provides data protection authorities with a wide range of investigation and enforcement powers. They include powers to:
- order a controller or processor to provide information;
- conduct audits;
- access premises and data;
- issue warnings and reprimands;
- order controllers and processors to bring their practices in compliance;
- ban data processing activities (including cross-border data transfers); and
- impose administrative fines.
Administrative fines for GDPR infringements relating to cyber incidents can reach up to €10 million or 2% of the undertaking's worldwide annual revenues of the previous financial year, whichever is higher. Administrative fines can reach up to €20 million or 4% of the undertaking's worldwide annual revenues of the previous financial year if the controller or processor is deemed not to have met its overarching obligation to comply with the GDPR's basic data protection principles, including the ‘integrity and confidentiality' principle.
In addition to these enforcement powers, data protection authorities are empowered to bring GDPR infringements to the attention of judicial authorities and, where appropriate, to commence or engage otherwise in legal proceedings in accordance with national laws and procedures. The GDPR does not explicitly provide for criminal penalties, but some EU member state laws include the possibility of imposing criminal sanctions in case of (serious) infringements of data protection law.
Where cross-border data processing is carried out either through multiple establishments in the European Union or by only a single establishment, the data protection authority for the main or single establishment acts as lead authority in respect of that cross-border processing. However, the lead authority must cooperate with other ‘concerned' authorities, and all authorities are expected to exchange information and reach consensus on possible enforcement action. If the lead authority and the concerned authorities do not agree, the GDPR's consistency and dispute resolution mechanism kicks in. A key role is played here by the European Data Protection Board, which is an independent EU body composed of representatives of the EU member state data protection authorities and the European Data Protection Supervisor. Its main task is to contribute to the consistent application of data protection rules throughout the European Union and promote cooperation between the EU data protection authorities. This includes adopting a binding decision if a lead authority and the concerned authorities cannot reach consensus on the enforcement action to be taken in case of a GDPR infringement.
Pursuant to the Network and Information Systems (NIS) Directive, EU member states are required to designate one or more competent authorities that have the necessary powers and means to assess the compliance of operators of essential services with the NIS Directive's security and incident notification requirements. The NIS Directive further requires that EU member states provide the competent authorities with the power to conduct security audits into the compliance of operators of essential services. They must also be able to issue binding instructions to operators of essential services with a view to remedying any deficiencies identified as a result of a security audit. When addressing cybersecurity incidents that also constitute personal data breaches (as defined in the GDPR), the competent authorities must closely cooperate with the data protection authorities in their jurisdiction.
In addition, the competent authorities are tasked with acting – if necessary, through ex post supervisory measures – against digital service providers that do not meet the security and incident notification requirements imposed by the NIS Directive. Their lack of compliance can also be demonstrated by a competent authority of another EU member state where the digital service is being provided. If a digital service provider has its main establishment or a representative in one EU member state, but its network and information systems are located in another, the competent authority of the EU member state of the main establishment/representative and the competent authority of the other EU member state are required to cooperate and assist each other as necessary. Competent authorities must have the powers and means to require digital service providers to provide any information necessary to assess their compliance and to remedy any non-compliance. Depending on the EU member state, the range of enforcement actions that a competent authority can take includes serving information notices, conducting inspections, serving enforcement notices and ultimately issuing monetary penalties.
Civil penalties for violation of NIS Directive requirements are issued against operators of essential services and digital service providers, which are typically legal entities. Whether criminal penalties can also be imposed – potentially against directors, officers or employees – depends on the laws of the EU member state in question.
In terms of territorial reach, digital service providers that are not established in the European Union, but offer their services within the European Union are required to designate a representative for NIS Directive purposes, which must be in an EU member state. In that case, the competent authorities of the EU member state in which the representative is located have jurisdiction over the digital service provider (established outside of the European Union).
The e-Privacy Directive leaves it to EU member states to establish their own penalties, including criminal sanctions, applicable to infringements of e-privacy rules. The e-Privacy Directive requires only that the penalties provided for be effective, proportionate and dissuasive, and that they be applied to cover the period of any infringement, even where the infringement has subsequently been rectified. Each EU member state has designated a competent national authority in charge of monitoring compliance measures taken and promoting best practices among providers of publicly available electronic communications services. The competent national authorities have the power to order the cessation of e-privacy infringements. They can be assisted by other national bodies with the necessary investigative powers and resources to obtain any relevant information needed to monitor and enforce provisions adopted by the EU member state pursuant to the e-Privacy Directive. The e-Privacy Directive further encourages regulatory authorities at EU member state level to adopt measures to ensure effective cross-border cooperation in the enforcement of the e-privacy rules and to create harmonised conditions for the provision of electronic communications services involving cross-border data flows.
The principles of security supervision and enforcement under the European Electronic Communications Code (EECC) are a continuation of the e-privacy rules; however, there will be a number of important changes once the EU member states have transposed the EECC into their national laws (by the end of 2020). Pursuant to the EECC, EU member states will have to ensure that their national competent authorities have the power to receive assistance from national computer security incident response teams (CSIRTs). These national competent authorities will also have to consult and cooperate with other authorities, such as law enforcement, authorities under the NIS Directive and data protection authorities under the GDPR. In addition, telecoms authorities at EU member state level shall have the power to require that providers of public electronic communications networks or publicly available electronic communications services mitigate significant threats and take preventive measures within a certain timeframe (even before an actual security incident has occurred).
According to the EU Agency for Cybersecurity (ENISA), enforcement vis-à-vis ‘over-the-top' (OTT) providers will bring new challenges to the national competent authorities. Incidents affecting OTT communications services will be mostly cross border, and therefore close cooperation between the national competent authorities will be needed in order to allow for effective and efficient supervision.
2.2 Do private parties have a right of action? If so, what type of relief or remedy is available? Is any relief or remedy available against individuals (eg, directors, officers, employees)?
Under the GDPR, private parties have various direct actions against both the relevant data protection authority and the controller or processor that infringed the law. Vis-à-vis data protection authorities, private parties that qualify as ‘data subjects' under the GDPR have the right to lodge a complaint with the authority in the EU member state of their residence, place of work or of the place where the alleged infringement occurred. They also have the right to an effective judicial remedy against legally binding decisions issued by a data protection authority that concern them. Legal proceedings against a data protection authority are typically brought before the courts of the EU member state where the authority is established. If data subjects' rights under the GDPR have been infringed by a controller's or processor's processing of their personal data, data subjects can bring legal proceedings against the controller and/or processor, either in the EU member state where the controller or processor has an establishment or in the EU member state where the data subject resides. The GDPR further includes a right to compensation, pursuant to which any person who has suffered material or non-material damage as a result of an infringement of the GDPR has the right to compensation from the controller or processor whose data processing caused the damage. Data subjects can mandate a not-for-profit body, organisation or (consumer protection) association to exercise this right on their behalf.
The rights of action under the GDPR can be exercised against controllers and processors. A ‘controller' is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines both the purposes and means of the processing of personal data. A ‘processor' refers to a natural or legal person, public authority, agency or other body which processes personal data on behalf of a controller. Although the GDPR does not include a specific right of action against directors, officers or employees of controllers/processors, such action may be available under the national laws of certain EU member states.
Neither the NIS Directive nor the e-Privacy Directive addresses private parties' right of action in case of an infringement, although the possibility to bring such action may exist under EU member state law. Under the EECC, EU member states must ensure that the national regulatory authority or another authority or body with proven expertise acts as an alternative dispute resolution entity in accordance with Directive 2013/11/EU on alternative dispute resolution for consumer disputes, with a view to resolving disputes between providers and consumers arising under the EECC and relating to the performance of contracts. EU member states may extend access to alternative dispute resolution procedures provided by that authority or body to end users other than consumers – in particular, micro-enterprises and small enterprises.
2.3 What defences are available to companies in response to governmental or private enforcement?
Under the GDPR, controllers and processors can invoke by way of defence their implementation of appropriate technical and organisational measures to ensure a level of data security appropriate to the risk, taking into account:
- the state of the art;
- the costs of implementation;
- the nature, scope, context and purposes of their data processing; and
- the potential impact on individuals' rights and freedoms.
In addition, the GDPR exempts controllers or processors from liability for damage caused by data processing (which infringes the GDPR) if they can prove that they are not responsible for the event giving rise to the damage. A processor is typically liable only for damage caused by processing where it has not complied with obligations of the GDPR specifically directed to processors, or where it has acted outside or contrary to the lawful instructions of the controller.
Similarly, from the perspective of the NIS Directive, operators of essential services and digital service providers may be able to defend the position that they took appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems which they use in their operations. In the case of a cyber incident, operators of essential services and digital service providers could argue that they implemented appropriate measures to prevent and minimise the impact of the incident affecting the security of their network and information systems used for the provision of their services, with a view to ensuring the continuity of those services. It may also be helpful if operators of essential services and digital service providers can demonstrate that they notified, without undue delay, the competent authority or the CSIRT of incidents having a significant impact on the continuity of the services they provide (in the case of an operator of an essential service) or of incidents having a substantial impact on the provision of the service that they offer within the European Union (in the case of digital service providers).
As a possible defence under the e-Privacy Directive, providers of publicly available electronic communications services may be able to demonstrate that they took appropriate technical and organisational measures to safeguard the security of their services, if necessary, in conjunction with the provider of the public communications network (with respect to network security). Furthermore, it may assist in their defence if providers of publicly available electronic communications services have informed their subscribers concerning particular risks of a security breach and of any possible remedies (including an indication of the likely costs involved).
Once the EECC has been implemented by EU member states into their national law, providers of public electronic communications networks or of publicly available electronic communications services may be able to call to their defence that they have taken at least all ‘baseline' security measures set out in the EECC, and that these security measures are state of the art, including encryption. Furthermore, providers may be able to demonstrate that they informed affected users about particular and significant threats of security incidents, and how they could protect themselves.
3 Landmark matters
3.1 Have there been any landmark cyber enforcement actions or judicial decisions in your jurisdiction? If so, what were they?
Cyber enforcement actions or judicial decisions are mostly taken at EU member state level. However, there has been a notable increase in cases where data protection authorities of different EU member states have decided to conduct investigations and impose enforcement measures in the context of the same cyber incident with cross-border effects.
A prime example is the regulatory enforcement action against Uber Technologies, Inc and some of its EU-based subsidiaries in the wake of a personal data breach discovered in late 2016, which reportedly affected about 57 million Uber riders and drivers worldwide. Uber found that hackers had accessed personal data relating to ridesharing customers as well as drivers via a third-party cloud service that Uber was using. After being alerted to the incident, data protection authorities from across the European Union established a taskforce to coordinate investigations and exchange information. This coordinated effort resulted in several data protection authorities adopting different enforcement decisions:
- The Dutch data protection authority imposed an administrative fine of €600,000 because it considered that Uber had failed to report the breach to the regulator and affected individuals within 72 hours of having discovered the incident;
- In the United Kingdom, the Information Commissioner's Office (ICO) issued a monetary penalty of £385,000 after it found that there was a serious failure of data security on Uber's part. The ICO also took into account that no steps were taken to inform anyone affected by the breach, or to offer help and support; and
- The French data protection authority (CNIL) levied a €400,000 fine on Uber for failure to implement appropriate security measures. The CNIL took the position that the cyber incident could have been prevented if Uber had implemented specific data security measures, such as strong authentication. In setting the amount of the penalty, the French regulator also considered the fact that hackers had accessed personal data, which provided them with the opportunity to (mis)use the data.
3.2 Have there been any pivotal cyber incidents or events (eg, major data breaches, major cyber-related legislative activity, major cyber-related innovation or technology development) in your jurisdiction?
The widely reported WannaCry and NotPetya ransomware attacks – which in 2017 affected more than 100,000 organisations across the globe – can be considered as pivotal, as they inspired the Council of the European Union to adopt the new EU Law Enforcement Emergency Response Protocol. The Protocol is designed to (better) prepare for major cross-border cyberattacks and gives a central role to Europol's European Cybercrime Centre. It serves as a tool to support law enforcement authorities in the EU member states and allow them to provide immediate response to major cross-border cyberattacks through rapid assessment, secure and timely sharing of critical information, and effective coordination of the international aspects of their investigations. The Protocol only covers cyber incidents and events of a malicious and suspected criminal nature; incidents and crises caused by a natural disaster, man-made error or system failure are not in scope.
4 Proactive cyber compliance
4.1 Have any industry best practices or industry standards in proactive cyber compliance developed over time in your jurisdiction? If so, please briefly describe.
There are a number of European, national and internationally accepted best practices and standards relevant to proactive cybersecurity compliance, and the Network and Information Systems (NIS) Directive requires EU member states to encourage their use. Examples of such standards include ISO/IEC 27001 on information security management systems and ISO/IEC 22301 on business continuity management (BCM) systems. ISO/IEC 27001 specifies the requirements for establishing, implementing, maintaining and continually improving information security management systems. It also includes requirements for the assessment and treatment of information security risks. ISO/IEC 22301 is a management systems standard for BCM which can be used by organisations of all sizes and types. Organisations that have adopted the standard can obtain accredited certification, which may help demonstrate to regulators, customers and other interested parties that they are adhering to good practice as far as BCM is concerned.
4.2 Have any governmental entities issued voluntary guidance or similar documentation on the issue of proactive cyber compliance? If so, please briefly describe.
Pursuant to the NIS Directive, each EU member state has designated one or more computer security incident response teams (CSIRTs), whose tasks include monitoring and responding to cyber incidents at EU member state level. CSIRTs are also responsible for providing early warnings, alerts and announcements, and for sharing information with relevant stakeholders about cyber risks and incidents, in addition to providing dynamic risk and incident analysis and situational awareness. CSIRTs are also expected to promote the adoption and use of common or standardised practices for incidents and risk handling procedures, as well as for incident, risk and information classification schemes.
In accordance with the NIS Directive and the Cybersecurity Act, the EU Agency for Cybersecurity (ENISA) is responsible for assisting the CSIRTs and the EU member states in improving the prevention of cyber threats and incidents by providing them with knowledge and expertise. With this objective in mind, in 2011 ENISA launched a project aimed at improving the proactive detection of network security incidents in the European Union. This includes:
- providing an inventory of available measures and information sources;
- identifying good practices; and
- recommending possible areas for further development.
In May 2020 ENISA published a new report and accompanying repository on measures and information sources to proactively detect network security incidents in the European Union. They include good practices, gap analyses and recommendations for the proactive detection of cyber issues.
ENISA has also been facilitating NIS standardisation efforts by cooperating with European and international standards-developing organisations, including the European Telecommunications Standards Institute, the European Committee for Standardization and the European Committee for Electrotechnical Standardization. This initiative is supported by the Cybersecurity Act, which acknowledges that there is a need for closer international cooperation to improve cybersecurity standards, including the need for:
- definitions of common norms of behaviour;
- the adoption of codes of conduct; and
- the use of international standards.
In addition, ENISA is active in providing cybersecurity training materials and organising training courses, which are aimed at bringing ‘field experience' to the cybersecurity community and stimulating proactive cyber compliance.
4.3 What legal duties, if any, do corporate officers and directors have with respect to proactive cyber compliance? Under what circumstances might they be considered in breach?
To the extent that such legal duties exist, they are imposed by the national laws of the EU member states.
4.4 Are there special rules, regulations or guidance in the proactive cyber compliance area that apply to public (eg, exchange-listed) entities?
To the extent that such rules, regulations and guidance exist, they are created at EU member state level.
4.5 Is there scope for companies to share details of actual or potential cybersecurity threats, or other cyber-intelligence information, with industry or other stakeholders?
EU member states have set up cybersecurity centres, which often assume the tasks of CSIRTs and which encourage companies to voluntarily report cyber incidents – in particular, live cyberattacks that are ongoing and are affecting companies' systems and their ability to function. In addition to providing first-line support and guidance to affected companies, these centres aggregate and make available relevant news, reports and advisories relating to cybersecurity matters affecting their jurisdiction.
5 Cyber-incident response
5.1 In your jurisdiction, do certain types of cyber incidents (eg, data breaches, unauthorised destruction, data leakage) trigger mandatory or voluntary notification requirements? How are such incidents defined? Are notification requirements dependent on the type of information affected? If so, what types?
The various EU laws provide for notification requirements for cyber incidents, which in some cases may overlap.
Under the General Data Protection Regulation (GDPR), controllers must in some cases notify personal data breaches to affected individuals and/or regulators. A ‘personal data breach' is defined broadly as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed". Processors must also notify personal data breaches, without undue delay, to the controllers on whose behalf they are processing personal data.
The GDPR does not impose additional obligations relating to processing in connection with the provision of publicly available electronic communications services in public communication networks, which are subject to specific obligations with the same objective set out in the e-Privacy Directive. According to regulatory guidance of the EU data protection authorities, this means that electronic communications service providers that have notified a personal data breach in compliance with applicable national e-privacy legislation are not required to separately notify data protection authorities of the same breach pursuant to the GDPR.
Under the Network and Information Systems (NIS) Directive, EU member states must implement rules whereby:
- operators of essential services must notify incidents having a significant impact on the continuity of the essential services they provide. To determine the significance of the incident, the operator must take into account:
  - the number of users affected by the disruption of the essential service;
  - the duration of the incident; and
  - the geographical spread with regard to the area affected by the incident;
- digital service providers must notify incidents having a substantial impact on the provision of the service they offer within the European Union. To determine the significance of the incident, the provider must take into account criteria similar to those listed above, as well as:
  - the extent of the disruption of the functioning of the service; and
  - the extent of the impact on economic and societal activities.
  Commission Implementing Regulation (EU) 2018/151 provides further detail on the parameters and thresholds to take into account when determining ‘substantial impact'; and
- where an operator of essential services relies on a third-party digital service provider for the provision of a service which is essential for the maintenance of critical societal and economic activities, any significant impact on the continuity of the essential services due to an incident affecting the digital service provider must be notified by that operator.
In this context:
- an ‘incident' is "any event having an actual adverse effect on the security of network and information systems"; and
- ‘security of network and information systems' means "the ability of network and information systems to resist, at a given level of confidence, any action that compromises the availability, authenticity, integrity or confidentiality of stored or transmitted or processed data or the related services offered by, or accessible via, those network and information systems".
The NIS Directive also explicitly provides for entities which are not operators of essential services or digital service providers to notify incidents on a voluntary basis.
The e-Privacy Directive requires EU member states to implement notification obligations for providers of publicly available electronic communications services to:
- inform subscribers concerning particular risks of a breach of the security of the network;
- notify personal data breaches to the competent national authority. A ‘personal data breach' is defined as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a publicly available electronic communications service" in the European Union; and
- notify the subscriber or individual of the personal data breach when the personal data breach is likely to adversely affect the personal data or privacy of a subscriber or individual.
The Notification Regulation (Commission Regulation (EU) No 611/2013) – which clarifies the notification obligations of providers of publicly available electronic communications services – also provides that: "Where another provider is contracted to deliver part of the electronic communications service without having a direct contractual relationship with subscribers, this other provider shall immediately inform the contracting provider in the case of a personal data breach."
The European Electronic Communications Code (EECC) requires EU member states to implement rules whereby providers of publicly available electronic communications services and networks are obliged to notify the competent regulatory authority of security incidents that have had a significant impact on the operation of networks or services. A ‘security incident' is defined as "an event having an actual adverse effect on the security of electronic communications networks or services". The EECC sets out five parameters (similar to those listed in the NIS Directive) in order to determine the significance of the impact.
Under the EECC, EU member states must also ensure that in the case of a particular and significant threat of a security incident in publicly available electronic communications services or networks, the relevant providers inform users potentially affected by such a threat of any possible protective measures or remedies which can be taken by the users. Where appropriate, providers must also inform their users of the threat itself.
5.2 What are the mandatory or voluntary cyber-incident notification requirements? For example, to whom must notification be sent (eg, individuals, regulators, public filings)? Is there a required form or format? What is the timeframe for notification? Is the organisation that suffered the cyber-incident obliged to provide services, compensation or specific information to individuals who were affected? What are the exceptions/safe harbours that would allow organisations to avoid or not make notifications (eg, no risk of harm; information accessed was encrypted)?
The following describes the requirements at an EU level. In respect of some of these rules, EU member state law or the relevant regulators/authorities in the EU member state may impose additional requirements, such as requirements to provide additional information or the use of standard forms or procedures for notification.
GDPR: In the case of a personal data breach, the controller must notify the data protection authority without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of individuals. The notification must contain particular information prescribed by the GDPR, such as descriptions of:
- the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
- the likely consequences of the personal data breach; and
- the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
Controllers must also notify affected individuals of breaches without undue delay where the personal data breach is likely to result in a high risk to the rights and freedoms of individuals. The notification must again contain certain information prescribed by the GDPR, and must also describe in clear and plain language the nature of the personal data breach. Exceptions exist where:
- the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach – in particular, those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;
- the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of individuals is no longer likely to materialise; or
- notification would involve disproportionate effort. In such case, the controller must instead issue a public communication to inform individuals in an equally effective manner.
NIS Directive: Notifications under the NIS Directive must be made "without undue delay" to the (one or more) competent authorities or the computer security incident response teams (CSIRTs) designated by the relevant EU member state. The information provided must allow the competent authority/CSIRT to determine any cross-border impact of the incident (in the case of operators of essential services) or the significance of any cross-border impact (in the case of digital service providers).
e-Privacy Directive: Under the e-Privacy Directive:
- the notification of a particular risk of a breach of the security of the network to subscribers must inform the subscribers concerning such risk and, where the risk lies outside the scope of the measures to be taken by the service provider, of any possible remedies, including an indication of the likely costs involved;
- the notification of a personal data breach to the subscriber or individual:
  - must at least describe the nature of the personal data breach and the contact points where more information can be obtained, and must recommend measures to mitigate the possible adverse effects of the personal data breach;
  - must be made without undue delay; and
  - is not required if the provider has demonstrated to the satisfaction of the competent authority that it has implemented appropriate technological protection measures, and that those measures were applied to the data concerned by the security breach. The measures must render the data unintelligible to non-authorised persons; and
- the notification to the competent national authority must – in addition to the information contained in the notifications to subscribers and individuals – describe the consequences of, and the measures proposed or taken by the provider to address, the personal data breach. It must also be made "without undue delay".
Further requirements as to notification by publicly available electronic communications services under the e-Privacy Directive are provided by the Notification Regulation.
EECC: In the near future, notifications under the EECC to the competent authorities will have to be made "without undue delay". The European Commission may adopt implementing acts detailing the circumstances, format and procedures applicable to the requirement to notify the competent authority.
5.3 What steps are companies legally required to take in response to cyber incidents?
The various obligations outlined above to implement appropriate security measures and to notify cyber incidents are at least implicitly linked to obligations to, for example, investigate the extent of cyber incidents, limit the impact of a cyber incident and restore security, continuity and availability.
Under the GDPR, the controller must also document any personal data breaches – regardless of whether the breach was notified – comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation must enable the data protection authority to verify compliance with the controller's obligation to notify the data protection authority of personal data breaches.
The NIS Directive – when read together with Commission Implementing Regulation (EU) 2018/151 – provides for particularly detailed requirements which apply to digital service providers – for example, in relation to incident handling and business continuity management.
Under the e-Privacy Directive, providers must maintain an inventory of personal data breaches comprising the facts surrounding the breach, their effects and the remedial action taken, which shall be sufficient to enable the competent national authorities to verify compliance with the personal data breach notification rules.
Additionally, the various laws set out above and the EECC require the addressees to comply with the instructions of the relevant regulators and authorities, such as instructions to make further notifications (eg, to the public or to individuals affected by the breach).
5.4 What legal duties, if any, do corporate officers and directors have with respect to cyber-incident response? Under what circumstances might they be considered in breach?
The GDPR, the NIS Directive, the e-Privacy Directive and the EECC do not provide for explicit legal duties aimed at corporate officers and directors in respect of cyber incident response – although EU member state law may do so. Directors may also have general duties (eg, a fiduciary duty) towards their companies under EU member state law, which may be triggered by a cyber incident.
The GDPR requires certain controllers and processors to appoint a data protection officer (DPO), whose responsibilities include being promptly consulted once a personal data breach or another incident has occurred. The DPO will also act as a point of contact with the data protection authorities. However, it is the controller or processor which remains responsible for compliance with the GDPR, so the DPO will not be in breach of his or her obligations as long as he or she carries out the role outlined by the GDPR.
5.5 Do companies maintain cyber-incident insurance policies in your jurisdiction?
Yes. Cyber incident insurance is increasingly common in the European Union, although availability and adoption tend to vary by EU member state. Demand for cyber incident insurance has been driven in part by increased awareness of cybersecurity-related rules (eg, the GDPR) and high-profile cybersecurity incidents and regulatory action.
6 Trends and predictions
6.1 How would you describe the current cyber landscape and prevailing trends in your jurisdiction? Are any new developments anticipated in the next 12 months, including any proposed legislative reforms?
In May 2020, amid the COVID-19 crisis, the European Commission adopted a new Cybersecurity Strategy that focuses on how to boost EU-level cooperation, knowledge and capacity. It will accompany a review of the Network and Information Systems Directive and a proposal for additional measures on critical infrastructure protection. Together with the ongoing work on cybersecurity as part of the European Union's Security Union initiative, the new strategy is expected to increase capabilities within EU member states and boost the European Union's overall cybersecurity. The strategy also tries to learn lessons from the COVID-19 period, during which there was reportedly an extraordinary increase in malicious attacks from multiple sources, attempting to capitalise on the disruption caused by the pandemic.
In the course of 2020, EU legislators are also expected to move forward on the creation of the Cybersecurity Competence Network as well as the European Cybersecurity Industrial, Technology and Research Competence Centre. Both will provide additional support to existing cybersecurity policy provisions and actors. The mandate of the European Cybersecurity Industrial, Technology and Research Competence Centre will be complementary to the EU Agency for Cybersecurity's (ENISA's) efforts, but will have a different focus. While ENISA has mostly an advisory role on cybersecurity research and innovation in the European Union, the Competence Centre will concentrate first and foremost on other tasks crucial for strengthening cybersecurity resilience in the European Union. In addition, the Competence Centre and Network's core tasks will include stimulating the development and deployment of technology in cybersecurity and complementing the capacity building efforts in this area at EU and member state level.
A proposal for a new e-Privacy Regulation – designed to replace the current e-Privacy Directive – was published by the European Commission in 2017. The proposed e-Privacy Regulation is designed to complement the General Data Protection Regulation (GDPR), and was intended to come into force at the same time; however, discussions among the EU legislators are still ongoing. The objectives behind the e-Privacy Regulation include harmonising e-privacy rules throughout the European Union and updating the rules to keep pace with technological change. Regulatory fines are also intended to match those of the GDPR. Notably, the e-Privacy Regulation will repeal the e-Privacy Directive's security provisions (to prevent the existing overlap with the rules of the European Electronic Communications Code (EECC)). Given the current lack of consensus on key issues, however, it is unclear when the e-Privacy Regulation's final form will be agreed and what will be included.
By the end of 2020, EU member states are expected to have transposed the EECC into their national legislation. The national competent authorities will have to develop a new security framework for assessing the conformity of providers of publicly available electronic communications services and networks with the new rules. To that effect, ENISA intends to review the European Union's current technical guidelines for security measures and start the process of extending the guidelines to align with the EECC.
At the time of writing, it remains to be seen what the first Cybersecurity Act certifications will cover and what impact they will have on the relevant products, services and processes.
7 Tips and traps
7.1 What are the top three cyber-related problems or challenges that companies face in trying to secure their networks and data assets, and what are the best ways to address them?
In the wake of the COVID-19 pandemic, companies are faced with a new reality in which employees are increasingly working from home and have become more dependent on their employer's IT and networks than ever before. This raises unprecedented challenges for companies as far as the protection of their networks and data assets is concerned. Cyber-related issues that should be at the top of companies' agendas include the following.
Cyber awareness among the workforce: Employees and workers at all levels of the organisation should have a firm understanding of cybersecurity risks and should be advised on how to behave online, particularly when using their employer's IT systems and networks. The possibility of having remote access to company networks and data assets is often taken for granted; and with a growing number of employees working away from offices for extended periods of time, some may become less diligent about data security practices. It is therefore important to organise regular training and to have the necessary company policies in place on the topic of cybersecurity.
Incident response/management plans: Companies should carefully plan how to handle cybersecurity incidents when they occur, and in doing so should consider and prepare for different possible scenarios (taking into account the specific risks relevant to their networks and data assets). Legal requirements to notify regulators and affected individuals in case of a cyber incident should also be part of this plan. Companies should identify beforehand, for instance, what these notification requirements entail and which regulators may need to be notified. More than one regulatory notification may be required if their activities are covered by a combination of the Network and Information Systems Directive, the e-Privacy Directive, the European Electronic Communications Code and data protection rules. Companies should also bear in mind that if a cyber incident has resulted in a personal data breach (as defined in the General Data Protection Regulation), it can be expected that affected individuals will want to exercise the right to access their personal data or to have it erased. Companies may find themselves in a situation where they must respond to a substantial amount of data access and erasure requests in a short period of time.
Data backups: An increasing number of cyber incidents (eg, ransomware attacks) involve the temporary unavailability of data assets. Sometimes data is permanently lost as a result of a cyber incident. Cyber incidents that lead to the loss of access to, or destruction of, personal data constitute ‘availability breaches' under the GDPR. They can present a significant risk to individuals' rights and freedoms – for example, if critical medical data about patients is no longer available. As part of companies' cyber preparedness, it is therefore key to have appropriate backups in place that allow data to be restored. These backups should ideally be kept offline or in a highly secured environment with robust access restrictions. They should also be updated and tested on a regular basis and, to the extent possible, there should be duplication of the most important backups.