New EU Cybersecurity Rule Means Additional Compliance Obligations for Critical Infrastructure and Tech Companies


By Christopher L.E. Hines

On December 7, 2015, EU negotiators (the European Parliament and the Council, acting on the European Commission's 2013 proposal) reached agreement on a new cyber security law that will require operators of certain critical infrastructure and certain multinational technology companies to notify European Union (EU) authorities of significant security incidents or face penalties set by the member states.

The new law, known as the Directive on security of network and information systems (the "NIS Directive"), sets out security and incident reporting rules for companies in sectors such as finance, energy, health and technology. Its purpose is to encourage greater transparency and cooperation among member states, and between governments and large multinational companies, when responding to and combating cyber threats.

Notably, technology companies that fall within the Directive's definition of "digital service providers" (online marketplaces, cloud computing services and search engines) will be subject to the incident reporting rules. It is not yet clear, however, exactly which companies qualify as "digital service providers" and therefore have to report. For example, companies such as Google and Amazon may be required to report security incidents to EU authorities, while social network companies, such as Facebook, may not be required to make any disclosure in the event of a breach.

Companies can expect more clarity on the draft NIS Directive in the coming months.  European regulators are also negotiating a new transatlantic data transfer agreement to replace Safe Harbor, and the General Data Protection Regulation, which will replace the existing Data Protection Directive, is expected any time now.  

The good news is that these new laws and directives will bring a degree of uniformity across Europe, giving companies clearer direction on their obligations across the continent. The bad news is that companies can expect more significant compliance obligations, higher standards for the protection of personal data, and far more significant penalties and regulatory enforcement action in the event of a breach or other non-compliance. Companies should begin strengthening their privacy and data security compliance programs now, aligning them to recognized standards such as ISO/IEC 27001. In practice, a reporting obligation is only workable if the organization can actually detect an incident, classify its impact and escalate it to the people who make the notification decision, so incident response procedures deserve attention alongside the written policies.

For more information about drafting vendor data security policies, or for advice on how developments in Europe may impact your compliance programs, please contact the author or a member of the Polsinelli Privacy & Data Security Team.