What is the regulatory framework for EU cybersecurity?
Bombarded with reports of cyberattacks, causing great economic loss to corporations as well as the loss, destruction or publication of individuals’ data, and carried out with means ranging from viruses and Trojan horses to denial of service (DoS), phishing and unauthorized access, the EU soon realised that a single regulation would not be adequate.
As a result, three separate legal instruments were adopted:
- Regulation (EU) 526/2013, which replaced Regulation (EC) 460/2004 of the European Parliament and of the Council, establishing the European Union Agency for Network and Information Security (ENISA)
- Directive (EU) 2016/1148 on the security of network and information systems (NIS)
- Regulation (EU) 679/2016, the General Data Protection Regulation (GDPR), which has already been in force since May 25th
Additionally, a proposal for a Regulation on Privacy and Electronic Communications (ePR) is currently being processed by the EU, with the ultimate aim of applying privacy and confidentiality rules to new providers of electronic communication services (e.g. WhatsApp, Skype, Facebook Messenger) as well as to the traditional telecommunication providers and operators.
Finally, legislative initiatives are currently being negotiated towards the adoption of a unified cybersecurity certification approach within the EU, named “The Cybersecurity Act”.
What is ENISA and its responsibilities?
ENISA was originally formed in 2004 following the enactment of Regulation (EC) No 460/2004. Its duties are limited to the field of cybersecurity and include providing EU Member States and EU bodies with suggestions and guidance, official recommendations and data analysis, as well as promoting cooperation between them. However, following the 2013-2016 study published by the EU Commission, it became apparent that cybersecurity legislation should be consolidated among EU Member States, which can only be achieved by enhancing ENISA’s role within the Union. The EU Commission stated the need for ENISA’s responsibilities to become clear and distinct from those of other EU bodies, as well as the need for ENISA to expand its financial and workforce resources. It was also underlined that ENISA should have a “permanent”, more specific mandate that would enable it to direct its knowledge towards foreseeing and combating the ever-growing cyberattacks within the Union. That mandate would also allow ENISA to address the needs of the neglected private sector and include the latter in its agenda, as well as to establish realistic standards in terms of certification and standardization by taking into account the financial resources of each Member State.
That “permanent” mandate took the form of Regulation (EU) No. 526/2013, which repealed Regulation (EC) No 460/2004. The role of ENISA was reinforced, as set out in Art. 1(1) of the Regulation, to raise “awareness of network and information security and to develop and promote a culture of network and information security in society for the benefit of citizens, consumers, enterprises and public sector organizations in the Union”.
The new Regulation sets ENISA to organize and elevate EU cybersecurity policy and legislation. It focuses on combating cybercrime, through prevention and detection, in cooperation with Europol’s European Centre. In that context, the Regulation builds upon the successful work of the Computer Emergency Response Teams (CERTs) established within Member States prior to its enactment. Risk management and the security of IT products and services, in pursuit of standards, become a priority. ENISA is assigned the duty to provide answers and to assist EU countries and institutions on cyberattacks and cybersecurity. In brief, ENISA is nowadays called upon to monitor cybersecurity standards and cyberattacks within the EU, to interact with other EU bodies as well as Member States, to build upon the structures already in place and to set the ground for EU cybersecurity policy.
With a view towards the future, it should be noted that according to ENISA’s 2016-2020 strategy the Agency’s role is deemed more central than ever, with five factors stated as predominant. ENISA is thus required in the following years to: apply its expertise and support Member States in the changing network and information security environment; introduce cybersecurity “as an EU policy priority” by providing support to EU bodies and Member States and implementing EU cybersecurity legislation; ensure, through the aforementioned support, the maintenance of “state-of-the-art network and information security capacities”; develop the EU cybersecurity community; and transparently handle its funds in order to enable in-house expertise and interaction with EU stakeholders, meaning Member States’ competent authorities.
What does NIS introduce?
With cybersecurity at the top of the EU agenda and ENISA’s highlighted role, the need arose for a common ground of rules to be developed within the EU: a Directive setting minimum harmonization, with Member States having the ability to implement stricter measures to safeguard cybersecurity.
Having entered into force on the 6th of July 2016, the Network and Information Systems Directive introduces the first EU cybersecurity rules for “achieving a high common level of security of network and information systems within the Union so as to improve the functioning of the internal market”. The Directive sets 9th November 2018 as the deadline for Member States to “identify the operators of essential services with an establishment on their territory” on a threefold basis: any public or private entity shall be so identified if it provides services of economic and societal importance, relies upon network and information systems to provide them, and an “incident” would prevent the provision of said services. It should be noted that for the purposes of the NIS Directive an “incident” is described as “any event having an actual adverse effect on the security of network and information systems”. Micro and small enterprises do not fall under the scope of the Directive.
Following that, each Member State has to adopt “a national strategy” towards achieving the highest level of security of network and information systems. A national competent authority shall be appointed to monitor the application of NIS, alongside a national single point of contact to ensure cross-border cooperation of Member States’ authorities. Furthermore, Member States are required to establish computer security incident response teams (CSIRTs), with the assistance of ENISA if needed. The CSIRTs, the single point of contact and the competent authorities may be identical or separate; in the latter case, cooperation is underlined as being of key importance. CSIRTs also have to inform the single point of contact of any incident and, following the 9th of August 2018, shall submit once a year a “summary report” to the Cooperation Group, consisting of representatives of the Member States, the Commission and ENISA, as well as stakeholders’ representatives if needed.
Once identified as operators of essential services, operators have to fulfil the requirements of appropriateness and proportionality with regard to the technical and organizational measures they undertake to manage the risks posed to the security of network and information systems. In that context, “operators of essential services notify, without undue delay, the competent authority or the CSIRT of incidents having a significant impact on the continuity of the essential services they provide”. It shall be noted that the content of these notifications is intended to enable the competent authority or the CSIRT to determine any cross-border impact of an incident, without subjecting the notifying party to increased liability. The significance of the incident is assessed with regard to how many users were affected, how long it lasted and how far it spread geographically.
It thus becomes evident that, according to NIS, Member States are responsible for arranging the implementation of the rules introduced by NIS, as well as the penalties in case of non-compliance. The only limit set by the Directive is that any penalties provided for have to be “effective, proportionate and dissuasive”.
Furthermore, as already stated with regard to ENISA, standardization plays a significant role within the EU cybersecurity network. Thus, NIS also stresses the need for all Member States to follow not only the European but also the internationally accepted standards for the security of network and information systems. Assistance by ENISA via guidelines and suggestions is once again provided for.
Finally, the NIS Directive welcomes entities that Member States have not identified as operators of essential services to voluntarily notify any incidents of “significant impact”.
How does GDPR contribute to the accomplishment of cybersecurity within EU?
The most recently enacted (25th of May, 2018) legislative initiative, GDPR, has inadvertently altered the perception of data and of the need to safeguard it, not only within the EU but internationally. GDPR broadens the traditional scope of the definition of personal data (name, address, telephone number etc.) to include biometric and genetic data, among others. Furthermore, with the high economic penalties that GDPR introduces, any breach by data controllers/processors can prove extremely expensive. Any data breach must be disclosed within 72 hours of the legal entity becoming aware of the breach. The applicable penalty amounts to up to 40% of the entity’s annual revenue or up to 20 million euro, whichever is higher.
In order to balance the need for high and meticulous protection of data on the one hand and the risk of economic entities being hit with costly penalties on the other, data controllers have to establish and implement a strong cybersecurity system. Prudential cybersecurity measures vary, and GDPR does not explicitly list the applicable ones. Corporations are left to determine a cybersecurity approach on their own.
Data controllers are expected to draft the corporation’s policy, which will map very carefully its activities and the lawful basis on which any data processing will take place, and will entail “damage control” procedures in case of a breach, as well as a risk impact assessment via a risk management matrix template. Of key importance to that initiative is the role of the Data Protection Officer, where one has to be appointed under GDPR (Art. 37).
Technology-wise, security software and hardware are the first essential tools for data controllers to avoid data “leakage”. Other useful assets include: encryption of data stored on disk devices, as well as of data provided and transmitted online, via Transport Layer Security (HTTPS); password management with multi-factor authentication instead of relying on a username and password alone; data loss prevention software that keeps track of the “travel” of data within the corporation’s network and prevents transfers to unauthorized locations; Identity and Access Management (IdAM), allowing separation between people and machines; vulnerability scanning and management to avoid vulnerabilities in the deployed software/firmware; patch management that updates software code to close the holes that hacking attacks exploit; and endpoint security that prevents cyberattacks on endpoints, i.e. remote devices connected to the corporate IT network. Data controllers should also not neglect appropriate training of the corporation’s cybersecurity employees in order to respond promptly to a potential cyberattack and data breach.
ePR: What new does it introduce to data protection?
Following GDPR, the Commission has since 10.1.2017 proposed another Regulation, ePR, which will amend Directive 2002/58/EC on Privacy and Electronic Communications (widely known as the “cookies law”) with respect to private life and the protection of personal data in electronic communications. ePR aims to secure cybersecurity by regulating all electronic communications, including, besides the traditional public communication providers, software providers such as Facebook Messenger, WhatsApp and Skype, which in recent years have become widely popular, as well as machine-to-machine communications (Internet of Things). The territorial scope is the same as GDPR’s, starting from the EU but also extending internationally. Consent is the key element introduced, since marketers will not have the ability to email or text individuals without their prior consent. Confidentiality is regulated as a duty of all communication providers.
One should not, though, confuse GDPR and ePR: GDPR is drafted with respect to personal data protection, as defined in Art. 8 of the European Charter of Human Rights (ECHR), while ePR concerns individuals’ private life, as defined in Art. 7 of the ECHR. ePR is intended to accompany and enable the enactment of GDPR by securing privacy in communications; that privacy covers the content of personal information as well as metadata (e.g. the duration of a call or the location it was made from). The final content of the electronic-privacy Regulation, however, remains to be seen.
Latest update: “The Cybersecurity Act”
The latest cybersecurity initiative is the “Cybersecurity Act”, due for negotiations between the EU Parliament and the EU Council, which is expected to unify the process of cybersecurity certification within the EU. The advantages will be significant for businesses, which will avoid the unwanted cost of multiple certifications in different Member States. More specifically, according to the 2017/0225(COD) Draft Report of the Committee on Industry, Research and Energy, certification will mainly be voluntary and mandatory only in exceptional cases. The new framework is expected to reinforce the pillars of the EU Digital Single Market, among others data protection, confidentiality and privacy, prevention of access by unauthorized persons/IT systems, and prevention of cyberattacks (especially large-scale ones).
Moreover, certification will take place on a risk basis, determining one of three levels of cybersecurity:
- Basic: equivalent to “surface” protection from widely known risks
- Substantial: including basic protection, but also the ability to identify and combat cyberattacks with ordinary equipment
- High: further incorporating the ability to withstand “state-of-the-art cyber-attacks” with the proper equipment
ENISA is once again set to play a central role, not only by providing a reference point for businesses but also by organizing the certification framework for specific products at the EU Commission’s request. Standardization is once again the prime concept.
Conclusion
The task of regulating the chaotic world of the wide web may appear impossible. The existing legal framework surrounding the EU Digital Single Market initiative, though, imposes very meticulous drafting that serves a wide scope of activities and individuals. It remains to be seen how these rules will be applied by the Member States, which are called to secure the compatibility among the measures they undertake under NIS, GDPR and the upcoming ePR and Cybersecurity Act.