On February 7, 2013, the European Commission launched its cybersecurity strategy for the European Union (the “Strategy”). As part of the Strategy, the Commission also proposed a draft directive on measures to ensure a high common level of network and information security (“NIS”) across the EU. The proposed Directive is a key component of the Strategy and introduces a number of measures to enhance cybersecurity, including:
- The requirement for EU Member States to adopt a NIS strategy and to designate national NIS authorities to prevent, handle and respond to NIS risks and incidents;
- The creation of a cooperation network to enable the national NIS authorities, the European Commission and, in certain cases, the European Network and Information Security Agency (“ENISA”) and the European Cybercrime Centre within Europol, to share early warnings on risks and incidents and to cooperate on further steps;
- The obligation for (1) operators of “critical” infrastructures in certain sectors (financial services, transport, energy and health), (2) providers of information society services and (3) public administrations to implement appropriate security measures and to report incidents having a “significant” impact on the services they provide (e.g., the unavailability of a cloud computing service as a result of which users cannot access their data). Such incidents would have to be reported to the national NIS authority, which may then decide to inform the public or to require the affected company or public administration to do so.
The FAQs that accompany the proposed NIS Directive include examples of companies that would be obliged to report cyber incidents, such as cloud computing service providers, search engines, e-commerce platform providers, Internet payment service providers, providers of VoIP and other communications services, social network providers, platforms enabling the provision and sharing of videos, platforms enabling the provision and sharing of music, major online computer games, and application stores.