Greetings from Brussels!

This was a cybersecurity news week here in Brussels. The European Commission signed an agreement that sets in motion a new public-private partnership on cybersecurity, which combined with the existing EU Horizon 2020 research framework and funding, is expected to trigger 1.8 billion euros of EU investment over the next three years. This is part of a series of new initiatives to better equip Europe against cyberattacks and to strengthen the competitiveness of its cybersecurity sector.

The agreement will essentially have Member State funding and will bring together private-sector entities on cybersecurity issues. More than 100 companies have already pledged to fund cybersecurity research. Although the specifics still need to be ironed out, the EU has put together a 450 million euro stimulus package, which will be distributed in the coming years to businesses, universities and other researchers who are interested in researching and investigating pressing cybersecurity problems. The commission says the measure is designed to "nurture cybersecurity industrial capabilities and innovation in the EU."

According to a recent global survey carried out by the consultancy PwC, and cited by the European Commission, at least 80 percent of European companies have experienced at least one cybersecurity incident over the last year and the number of security incidents across all industries worldwide rose by 38 percent in 2015; these are truly alarming statistics. Annual damages worldwide resulting from cyberattacks are estimated to be as high as 500 billion euros. The damages both material and financial caused to European companies, whether they are big or small, threaten to undermine trust in the future of the digital economy. As part of its Digital Single Market Strategy the commission wants to reinforce cooperation across borders, and between all actors and sectors active in cybersecurity, and to help develop innovative and secure technologies, products and services throughout the EU.

Adding to the eventful week here in Brussels, the European Parliament's plenary also adopted the Directive on Security of Network and Information Systems. The NIS Directive represents the first EU-wide rules on cybersecurity. The objective of it is to achieve a high common level of security of network and information systems within the EU through a trifold of desired outcomes; essentially improved cybersecurity capabilities at the national level, increased cross border cooperation at the EU level, and finally risk management and incident-reporting obligations for operators of essential services and digital service providers.

The directive lays down cybersecurity and reporting requirements for operators of essential services including the energy, transport, health, banking and drinking water sectors. Individual Member States are responsible for identifying the organizations which will fall under the NIS Directive in their respective jurisdictions. Digital service providers such as cloud services and search engines also have a new obligation to report major incidents to a network of national Member State computer security incident response teams. The European Network and Information Security Agency will help Member States in cross-border cooperation.

The NIS Directive will be published in the EU Official Journal in August 2016. Member States will have 21 months to adopt and transpose the directive into their national laws — May 2018 — and an additional six months to identify critical infrastructure operators. Cyber risk has no borders, so pan-EU cooperation in this area is vital. This might well be a welcome piece of EU legislation.

From a privacy perspective, an interesting note here is in relation to the directive’s new incident notification regime which will create an obvious overlap with the data breach notification regime outlined in the GDPR. The NIS Directive states that incidents should be notified without undue delay, however the GDPR explicitly states a 72-hour deadline.  Organizations that fall under both regimes will need to deal with the competing notification rules. Moreover, both sets of legislative rules will apply to all companies, indigenous or not to the EU, that operate within the union or service European citizens. 

The GDPR coupled with the NIS Directive will most likely require companies to re-think and align their privacy and cybersecurity policies in order to meet the requirements of this ever changing legislative digital environment. Much work ahead for the next two years.