
European Commission proposes stronger cyber security laws

The European Commission has issued a cyber security strategy and an accompanying draft Directive which seek to harmonise a minimum level of network and information security (NIS) across the European Union. The proposals, if adopted, will require operators of 'critical infrastructure' (which includes cloud providers, the energy sector, the banking sector and public administration bodies) to notify major security incidents to a new national cyber security regulator.

The cyber security strategy outlines the vision and principles on applying the EU core values and fundamental rights in cyberspace and articulates the EU's vision in terms of five strategic priorities:
  •  achieving cyber resilience;
  •  drastically reducing cybercrime;
  •  developing cyber defence policy and capabilities related to the Common Security and Defence Policy;
  •  developing the industrial and technological resources for cyber-security; and
  •  establishing a coherent international cyberspace policy for the European Union and promoting core EU values.

The European Commission notes that past regulatory efforts have been on too small a scale and too fragmented, and have often been of a voluntary nature. As a result, many gaps remain in the cyber security system.

The proposed NIS Directive would require each Member State to adopt a NIS strategy and designate a national NIS competent authority with adequate resources to prevent, handle and respond to NIS risks and incidents. The proposals would also see a Europe-wide cooperation mechanism established, enabling Member States to share early warnings on risks and incidents through a secure infrastructure.

In addition, the proposed Directive aims to widen the scope of existing cyber security obligations by applying the duty to report significant cyber incidents to operators of 'critical infrastructure'. Under existing EU rules, only providers of public electronic communications services (essentially ISPs and telecoms providers) are required to report significant security incidents. The draft Directive would extend the obligations to adopt risk management practices and to report major security incidents to key internet providers (including large cloud providers, social networks, e-commerce platforms and search engines); the banking sector and stock exchanges; the energy sector (e.g. electricity and gas suppliers); transport operators; health service providers; and public administrations.

The Directive will need to be approved by the Council of Ministers and the European Parliament before it is formally adopted. Member States will then have 18 months to transpose the Directive into national law.

This publication is intended for general guidance and represents our understanding of the relevant law and practice as at March 2013. Specific advice should be sought for specific cases; we cannot be held responsible for any action (or decision not to take action) made in reliance upon the content of this publication.

TLT LLP is a limited liability partnership registered in England & Wales number OC 308658 whose registered office is at One Redcliff Street, Bristol BS1 6TP England. A list of members (all of whom are solicitors or lawyers) can be inspected by visiting the People section of this website. TLT LLP is authorised and regulated by the Solicitors Regulation Authority under number 406297.
