Cybersecurity can be defined as “the state of being protected against the criminal or unauthorised use of electronic data, or the measures taken to achieve this”. The European Union Agency for Network and Information Security (ENISA), which is a centre of expertise for cybersecurity in the EU, published a document further detailing the scope and content of the notion of cybersecurity.
Its counterpart is cyberattacking, which consists of criminal or unauthorised access to or use of electronic data. A cyberattack can have heavy consequences, notably financial ones, for the entity that falls victim to it. It is therefore important to adequately protect the entity and/or oneself from cyberattacks.
The protection of data, including electronic data, has become a critical issue, notably in the European Union (EU). For example, the General Data Protection Regulation or GDPR (Regulation n°2016/679) illustrates the EU’s desire to strengthen the protection of personal data through increased accountability and heavier sanctions.
Moreover, the EU Directive 2016/1148 concerning measures for a high common level of security of network and information systems across the Union, also known as the Network and Information Security (NIS) Directive, was to be implemented by each and every Member State by May 9th, 2018.
Mathias Avocats provides an overview of the NIS Directive and of the current situation.
What is the current situation?
The aim of the NIS Directive is to harmonise and ensure an equivalent high level of security of network and information systems throughout the Member States. To this end, the latter must “adopt a national strategy on the security of network and information systems defining the strategic objectives and appropriate policy and regulatory measures” (Article 7 of the NIS Directive). It furthermore reinforces cooperation between Member States.
In a few words, the NIS Directive aims to prevent cyberattacks. It is applicable to operators of essential services and digital service providers. They are subject to new obligations, notably the obligation to notify substantial incidents to the competent authority. In France, the competent authority is the Network and Information Security Agency (Agence Nationale de la Sécurité des Systèmes d’Information, ANSSI).
As previously stated, the NIS Directive was to be implemented by May 9th, 2018. It therefore has full effect. Most Member States, such as France, have been able to meet the deadline. However, this is not the case for all 28 Member States. The European Commission has provided a list of Member States in which the Directive has not yet been transposed (e.g. Spain) or which have not given certain details such as their national strategy or single point of contact (e.g. Cyprus). The Member States concerned must swiftly implement the Directive or provide the required information.
What happens now?
The EU intends to take further measures regarding cybersecurity. Among the numerous projects is, notably, a new Directive on combating fraud and counterfeiting of non-cash means of payment. A Proposal has already been drafted and will replace the current Council Framework Decision of 28 May 2001 combating fraud and counterfeiting of non-cash means of payment. In sum, the Proposal aims at including virtual currency fraud within its scope, increasing the penalties and enhancing the rights of victims.
The Proposal has been accepted by the Council of the EU and is currently under study in the EU Parliament. An impact assessment has already been undertaken regarding the Proposal. It is recognised that non-cash payment fraud is a threat to security and is an obstacle to the digital single market. The assessment also states that stakeholders agreed that the Framework Decision was no longer up to date. It remains to be seen what the EU Parliament will decide.
It must also be underlined that cybersecurity is related to trade secrets. Indeed, cybersecurity is a means of protecting them. The EU Directive 2016/943 of June 8th, 2016 on the protection of undisclosed know-how and business information (trade secrets) against their unlawful acquisition, use and disclosure is currently being implemented by several Member States.
Mathias Avocats remains at your disposal for any further questions.