European authorities reached a provisional agreement on the Network and Information Security Directive, the first-ever EU-wide cybersecurity standards. Press releases from the European Parliament, European Commission, and European Council announced the December 7, 2015 deal. The Directive seeks to improve the cybersecurity capabilities of member states, as well as improve cooperation on cybersecurity issues between EU nations. Moreover, once formally approved, the new rules will require “operators of essential services” and some internet services providers to adhere to minimum cybersecurity standards and report significant cyber-attacks to public authorities. Notably, the Directive will put an end to the current fragmentation of individual cybersecurity systems by the twenty-eight member nations, and will substantially change the regulatory landscape for many businesses that operate within the European Union. This provisional agreement is an outgrowth of the European Commission’s 2013 Cybersecurity Strategy and proposed Directive on Network and Information Security.
Data, Privacy & Security in the EU -
The Network and Information Security Directive comes amidst a flurry of substantial changes to cybersecurity rules and regulations within Europe. The European Union is particularly well known for its stringent privacy laws, and recent developments reflect a commitment to personal privacy protections. The European Court of Justice (“ECJ”), for example, invalidated the Safe Harbor framework on October 6, 2015. The Safe Harbor agreement had allowed US companies to self-certify that they would comply with more stringent EU data protection standards so as to allow for the free transfer of European data to the United States. According to the ECJ ruling, however, data stored on US servers does not meet EU standards, largely due to the US government’s mass surveillance program—thus rendering the agreement illegal.
Please see full Alert below for more information.