If you Google “EU law on security”, you’ll find the EU Data Protection Directive near the top of the search results. But search a little harder and you’ll find more.
This week saw the EU publish a new draft Directive on network and information security. However this isn’t about personal data or rules for particular sectors like telecoms. The proposed rules apply to all manner of digital platforms like e-commerce and payment platforms. They will also apply to a very broad range of critical infrastructure operators.
Who is covered by the new rules?
All “market operators” are caught. A “market operator” is defined as a provider of information society services (ISS) which enables the provision of other ISS. ISS, in this context, means an e-commerce service and this may include e-commerce platforms, internet payment gateways, social networks, search engines, cloud computing services and application stores. So, the rules will apply to those who provide any such services which underpin e-commerce services provided by others. But its’s still an incredibly broad list.
Market operators also include operators of critical infrastructure including providers of:
- electricity, gas and oil
- airlines, maritime transport, railways (even associated warehousing, cargo handling and support services)
- financial market infrastructure; and
So what do the new rules say?
Market operators (ie. all of the above) have to ensure that appropriate technical and organisational measures (yes, that phrase from the Data Protection Directive) are in place to ensure network and information system security in particular to ensure business continuity for the services underpinned by their networks and services. So a cloud computing service has to comply where it has customers using it services to deliver services to end-users. An electricity company will have to comply as its services will almost certainly fall into this category. Have a look at Article 14 of the draft Directive for more detail.
Duty to Notify
Article 14 also requires market operators to notify the “competent authority” (to be set up or appointed by each EU member state) of any incidents having a “significant impact on the security of the core services they provide”. So if you’re hit by a cyber attack and this results in unscheduled downtime or a power outage, you would have to notify.
The Directive also deals with a range of information security requirements but it is the new duties to ensure security and notify a regulator that spell a broadening of the EU rules in this area.