Network and Information Security (NIS) Directive

Kristof Van Quathem, special counsel in Covington’s Brussels office, advises clients on data protection, data security, and cybercrime matters. He has been specializing in this area for over fifteen years and covers the entire spectrum of advising clients on government affairs strategies, ranging from compliance advice on the adopted laws, regulations, and guidelines, to the representation of clients in non-contentious and contentious matters before data protection authorities.

Kristof assists many international companies in their preparation for the EU General Data Protection Regulation (“GDPR”). This includes strategic advice on governance and data management, as well as hands-on assistance with writing policies, procedures, and agreements.

What are some of the major cybersecurity components of the GDPR and the NIS Directive? What tips can you provide to U.S. companies when preparing for these changes?
Continue Reading National Cybersecurity Awareness Month Q&A with Kristof Van Quathem

Earlier this month, the UK Government published a consultation on plans to implement the EU Directive on security of network and information systems (the “NIS Directive”, otherwise known as the Cybersecurity Directive).  The consultation includes a proposal to fine firms that fail to implement “appropriate and proportionate security measures” up to EUR 20 million or 4% of global turnover (whichever is greater).

We summarise the UK Government’s plans below, including which organisations may be in scope — for example, in the energy, transport and other sectors, as well as online marketplaces, online search engines, and cloud computing service providers — and the proposed security and incident reporting obligations.

Organisations that are interested in responding to the consultation have until September 30, 2017 to do so.  The UK Government will issue a formal response within 10 weeks of this closing date, and publish further security guidance later this year and next.  A further consultation on incident reporting for digital service providers will be run later this year; the Government invites organisations that are interested in taking part to provide appropriate contact details.
Continue Reading UK Government Proposes Cybersecurity Law with Serious Fines

The EU Network and Information Security (NIS) Directive now looks likely to enter into force in August of this year.  Member States will then have 21 months to implement it into national law before the new security and incident notification obligations will start to apply to the following entities:

  • designated* “operators of essential services” within the energy, transport, banking, financial market infrastructures, health, drinking water supply and distribution, and digital infrastructure sectors; and
  • certain “digital service providers” that offer services within the EU, namely online market places, online search engines and cloud computing services, excluding small/micro enterprises.

* Once implemented in national law, Member States will have a further 6 months to apply criteria laid down in the Directive to identify specific operators of essential services covered by national rules; they do not need to undertake this exercise in relation to digital service providers, which shall be deemed to be under the jurisdiction of the Member State in which it has its “main establishment” (i.e., its head office in the Union).
Continue Reading EU Cyber Security Directive To Enter Into Force In August

By Mark Young and Vera Coughlan

Formal adoption of the EU Network and Information Security (NIS) Directive is a step closer following a vote on January 14 by the European Parliament’s internal market and consumer protection (IMCO) committee.

As we reported in December, the European institutions reached an informal political agreement on the NIS Directive

Whilst the discussions on the proposed Network and Information Security (NIS) Directive at European level are still ongoing (see Update on the Cybersecurity Directive − over to Luxembourg?, InsidePrivacy, June 12, 2015), less has been said about Germany new national Act to Increase the Security of Information Technology Systems (the “IT Security Law”).  The IT Security Law was published in the Federal Official Gazette on July 24, 2015 (see here) and entered into force the following day.
Continue Reading What You Need to Know About Germany’s Cybersecurity Law

Next week we expect to find out if the Council of the EU will finally agree (“adopt a general approach”) on its version of the proposed General Data Protection Regulation (GDPR).  Progress with a “little brother” of the GDPR – namely the proposed Network and Information Security (NIS) Directive, tagged the Cybersecurity Directive – continues in parallel.  Before providing news next week on the GDPR, we thought that it would be useful to provide a quick update on NIS, especially as some of the issues with the GDPR – such as jurisdiction and supervision of companies – also are proving to be difficult in relation to NIS.
Continue Reading Update on the Cybersecurity Directive – over to Luxembourg?

By Mark Young and Oliver Grazebrook

The Irish Presidency of the Council of the EU has published a progress report on negotiations at Member State level on the EU CyberSecurity Strategy and proposed EU Directive on Network and Information Security (“NIS Directive”).  As we summarised in this post, if enacted in its current form, the NIS Directive will require companies in the energy, transport, financial services and health sectors, as well as a broad range of online companies, to implement mandatory security measures and report significant security incidents to national authorities.

Member States clearly have concerns with some fundamental aspects of the proposals.  The Presidency has highlighted the following issues:

Commission’s Impact Assessment (IA)

  • Several Member States have pointed out that the impact assessment does not sufficiently justify why specific sectors have been included in the proposal, such as “enablers of information society services”, and others have not, such as hardware/software manufacturers.
  • Most Member States have also raised the issue of the perceived significant costs involved in implementing the Directive and regretted that the IA fails to sufficiently assess the possible benefits. 
  • At a more fundamental level, Member States have requested further justification from the Commission why a legislative, rather than a voluntary approach, would be the preferred option to tackle the uneven level of security capabilities across the EU and the insufficient sharing of information on incidents, risks and threats. 

Continue Reading Progress Report on the Proposed EU Network and Information Security Directive