On 7 February, the European Commission published an EU Cyber Security Strategy encompassing a proposed Directive on Network and Information Security. The aim of the Strategy and Directive is to ensure a secure and trustworthy digital environment while promoting and protecting fundamental rights, including data protection, democracy and the rule of law. The proposed NIS Directive contains many of the same elements found in the critical infrastructure/cybersecurity program currently existing in the United States; however, extending the security obligations as proposed greatly exceeds the reach of U.S. critical infrastructure programs, and essentially leaves no private business outside the reach of the Directive. The Directive asserts, without providing any real evidence for the assertion, that all of these new requirements will impose no additional costs, given the requirement under national data protection legislation to maintain appropriate security measures to protect personal data. The NIS Directive contains many laudable provisions, including the principal purpose that Member States should create strategies and competent authorities to supervise cyber risk to critical infrastructure and implement consistent cybersecurity efforts across the EU. This would aid in the creation of emergency response efforts, the sharing of information and the harmonization of law enforcement investigations. However, the breadth and scale of the effort contemplated by the NIS directive may impede progress. The addition of prescriptive requirements on “market operators” will almost certainly lead to the same contentious debate that has pervaded the effort to pass national cybersecurity legislation in the United States. In addition, the insertion of a sanction regime will only add to the difficulties in getting the Directive passed by the European Parliament. Given that security is scalable and risk dependent, sanctions should only arise not for a breach, but when the risk has either been negligently assessed or there is a reckless disregard.
Please click here to read the issued Client Alert.