Parsing the EU’s Cybersecurity Rules

Posted by Mark Greisiger

A Q&A with Alan Meneghetti of Locke Lord LLP

Last December, the European Commission, the European Parliament and the Council announced that they had reached an agreement on an EU-wide cybersecurity directive that should go into effect within the next few years. I asked UK-based lawyer Alan Meneghetti about what the new rules mean and what they cover.

Can you give a brief overview on EU-wide cybersecurity rules? Since this directive is focused more on national infrastructure type companies, it seems the concern is more about protecting system availability/integrity as opposed to safeguarding individuals’ private data. Is that fair to say?
Yes, that’s a good assumption. There’s quite a bit of privacy legislation coming into force in Europe right now, with a mix of regulation and directives. Much of our data protection legislation is from the 1990s and needs to be updated. We must view this directive in that larger context. There’s a huge concern that Europe is not prepared for the cyber attacks and breaches on the scale we’re seeing in the U.S. This Directive covers operators of servers in sectors such as banking and healthcare, so it is limited to what the regulators regard as essential services.

Given the need for coordination amongst EU countries, when might this realistically go into effect?
What is regarded as a final draft is being discussed at the moment and has to be formally approved after debate by the Parliament and Council. Once approved, it will be published in the Official Journal of the EU and member states will have 21 months to implement it into national law, with a further 6 months to identify operators of essential services. Some member states might be able to (or indeed, wish to) implement it sooner, of course. The intention is to have a coordinated approach to network infrastructure and security, but I am not convinced, despite the best intentions, that we are assured of a harmonious and homogeneous implementation.

Are there any specific security standards required?
Yes, and no. The Commission will draw up a list of standards that member states will be encouraged to use, but the member states will have autonomy to make decisions about pieces of the legislation and their scope. We’ve seen this in the privacy sector, such as the Facebook v. Schrems decision in which member states have responded individually and in the latest draft of the General Data Protection Regulation where member states are given autonomy to legislate in certain areas. It’s hard to say at this stage how disparate the standards will be between member states. The hope is that at least cybersecurity will be moved higher up the member states’ legislative agendas.

Is there any mention of potential fines or penalties for noncompliance?
The short answer is that this will be delegated to member states and we don’t know at this stage how they will legislate it nor the details or size of the fines. What the directive does say is that member states have to lay down the rules for infringements and ensure that these should of course be proportionate to the offence in question and that relevant authorities have the power to assess security and investigate cases of noncompliance. I suspect how it plays out will be an iterative process as we have seen with other privacy legislation. I would just say for now: Watch this space.

In summary…
We want to thank Mr. Meneghetti for his EU insights. Given that cybersecurity, including privacy, is really a global risk exposure, we are certain that many of our cyber liability insurance partners and their clients will be paying attention to these emerging regulations.