National security remains in the hands of the Member States, not of the European Union, under Article 4(2) TEU. But cybersecurity is not only a national security issue: it has much to do with trust in the digital economy, freedom of speech, free trade, respect for citizens' rights, and their data protection and privacy; in a few words, it is a basic element of the European Single Market. As the digitalisation and interconnection of the economy and society have global reach, the dimension of the problem goes well beyond the territory of a single Member State. Cyber incidents are booming, and their complexity, their frequency and the "surface" of their impact (from access to essential services to democratic processes) are set to increase still further. In the current context, and looking at future scenarios, it appears that individual actions by Member States and a fragmented approach to cybersecurity cannot increase the collective cyber-resilience of the Union. This situation therefore requires intervention at EU level. That is why, a few years ago, the EU set out on the long road of building an updated framework made of a few legal instruments, with the aim of protecting citizens and undertakings and of assisting the Member States in their strategies. The EU is in fact well placed to address data privacy and cybersecurity at the same time, the two being sides of the same coin, given the scope of its policies and the tools, structures and capabilities at its disposal.
In this regard, the legal patchwork comprises several instruments, the most relevant of which are: Regulation (EU) 2016/679 (the GDPR), already in force and applicable from 25 May 2018; the so-called Law Enforcement Directive (EU) 2016/680; the NIS Directive (EU) 2016/1148; together with the "EU-US Privacy Shield" on transatlantic transfers of personal data, adopted following the Schrems judgment of the Court of Justice of the European Union.
The GDPR. Proposed in 2012 and adopted on 27 April 2016, the GDPR will apply from 25 May 2018, with the aim of removing red tape for businesses and tightening privacy protections for individuals. It will replace the current Data Protection Directive 95/46/EC, adopted in 1995, which has been implemented differently by the Member States in their respective national jurisdictions, resulting in the fragmentation of national data protection laws. As it is a Regulation, the GDPR will be directly applicable in every Member State without the need for transposing legislation, although a number of its provisions (the so-called opening clauses) leave room for, or require, national rules to complement it.
The GDPR also applies to entities that are not established in the EU but that offer goods or services to, or monitor the behaviour of, data subjects in the EU. It introduces the Data Protection Impact Assessment (DPIA) as a means of identifying high risks to the rights of individuals when their personal data are processed, and it requires security measures to be based on a risk assessment: not of the risks the organisation itself faces, but of the risks to the rights and freedoms of natural persons. The GDPR adds the principle of accountability to the principles of lawfulness, fairness, purpose limitation and transparency on which EU data protection legislation has always been based. Whereas the Data Protection Directive had only one line stating that sanctions were to be defined by the Member States, the GDPR details exactly which administrative fines can be incurred for infringing its articles. The maximum fine depends on the category of provision infringed: up to EUR 10 million or 2% of total worldwide annual turnover for one group of obligations (for example those of controllers and processors on security and on DPIAs), and up to EUR 20 million or 4% for the other (for example the basic principles of processing, data subjects' rights and international transfers), whichever is higher.
The recent EU package. Since 2013, the technological and security landscape in the European Union has changed at a very fast pace. That is why, as announced in President Juncker's State of the Union address of 13 September 2017, the Commission and the High Representative proposed a set of measures, based on different legal instruments, to reinforce the EU's resilience and response to cyber-attacks: strengthening the existing European Union Agency for Network and Information Security (ENISA), creating an EU-wide cybersecurity certification framework, a Blueprint for responding to large-scale cybersecurity incidents and crises, and a European Cybersecurity Research and Competence Centre. The proposals also include a Directive on combating fraud and counterfeiting of non-cash means of payment, to provide a more effective criminal law response to cyber-attacks, as well as a Framework for a Joint EU Diplomatic Response to Malicious Cyber Activities and measures to strengthen international cooperation on cybersecurity.
An EU certification framework. ICT security certification plays an important role in increasing trust and security in products and services that are crucial for the smooth functioning of the Digital Single Market. At the moment, several different security certification schemes for ICT products coexist in the EU, with the risk that multiple certification initiatives lead to barriers within, and fragmentation of, the single market. On the other hand, a "one size fits all" approach to cybersecurity certification would not work across the wide variety of ICT products and services. The Commission therefore proposes the creation of a European cybersecurity certification framework, voluntary for market players, which is expected to deliver a number of individual European cybersecurity certification schemes, with a certificate issued under one of those schemes recognised in all Member States.
A new Directive on non-cash payment fraud. With the proposed Directive on non-cash payment fraud, the Commission seeks to address the challenges posed by the substantial changes in the area of non-cash payments and by the increase in online fraud. To ensure that crimes committed with new payment instruments can be effectively prosecuted, the EU's criminal law framework needs to be brought up to date, notably to ensure an approximation of the level of penalties. In particular, the fact that non-cash payment fraud often takes place online challenges the traditional concept of territoriality, since information systems can be used and controlled remotely from anywhere. Jurisdiction should therefore be established for such offences irrespective of the offender's nationality or physical presence, on the basis of the damage caused by the offence on the territory of the Member State.
The EU Cybersecurity Agency. The current mandate of the European Union Agency for Network and Information Security (ENISA), based in Greece, expires in June 2020. So far ENISA's role has mainly been limited to providing expertise and advice rather than dealing operationally with cybersecurity. In light of the significant changes in the cybersecurity landscape since the adoption of the ENISA Regulation in 2004, the Commission proposes to transform ENISA into a stronger EU Cybersecurity Agency with a permanent mandate, greater operational resources and a stable footing for the future. New tasks and resources will be given to the Agency in areas such as operational cooperation and ICT security certification, in order to reflect the new reality and needs in cybersecurity; in particular, the Agency will prepare candidate European cybersecurity certification schemes in cooperation with the Member States' certification authorities.
The transposition of the NIS Directive. The NIS Directive is a cornerstone of the EU's response to the growing cyber threats and challenges that come with the growing digitalisation of our economy and lives, and its implementation, based on a harmonised approach, is therefore an essential part of the cybersecurity package presented on 13 September 2017. The effectiveness of the EU's response is curtailed as long as the NIS Directive is not fully transposed in all Member States; this was also recognised as a critical point in the Commission's 2016 Communication on Strengthening Europe's Cyber Resilience System. In this regard, the Commission Communication (with its annex) aims to reinforce these efforts by bringing together and comparing Member States' best practices relevant to the implementation of the Directive, by providing further guidance on how the Directive should be implemented, and through more detailed explanations of specific provisions, in view of the transposition deadline of 9 May 2018 and the deadline for the identification of operators of essential services of 9 November 2018.
The first important element is the Member States' preparedness, which should be ensured by having national cybersecurity strategies in place, whose function is to define the strategic objectives and the appropriate policy and regulatory actions in relation to cybersecurity. The Directive specifically sets forth the principle of minimum harmonisation, pursuant to which Member States may adopt or maintain provisions with a view to achieving a higher level of security of network and information systems. Therefore, the adoption of comprehensive national strategies that go beyond the minimum requirements of the NIS Directive (for example by covering more than the operators of essential services (OES) and digital service providers (DSPs)) would increase the overall security level of network and information systems. Various Member States have in fact already decided, or are currently considering, whether to include additional sectors, such as public administration (where it offers essential services), the postal and food sectors, the chemical and nuclear industries, the environmental sector and civil protection. Adequate financial and human resources are indispensable for the effective implementation of national strategies; sufficient resourcing of the national competent authorities and of the Computer Security Incident Response Teams (CSIRTs) is therefore fundamental for the achievement of the Directive's objectives. The process of drafting and subsequently adopting a national strategy is complex and multifaceted, requiring sustained engagement with cybersecurity experts, civil society and the national political process if it is to be effective and successful. The European Commission underlines that a sine qua non condition is senior administrative support, at least at State Secretary or equivalent level in the lead ministry, as well as political sponsorship.
Member States are required to designate one or more national competent authorities; they can assign this role to an existing authority or authorities, adopting either a centralised approach (France) or a decentralised one (Sweden, Ireland, Austria, Cyprus and Finland). Where the decentralised approach is chosen, ensuring strong cooperative arrangements between the various authorities and the single point of contact is extremely important, in order to increase the effectiveness of implementation and to facilitate enforcement.
Operators of essential services (OES) and digital service providers (DSPs) are required to take appropriate security measures and to notify serious incidents to the relevant national authorities. The NIS Directive does not explicitly define which particular entities are to be considered OES within its scope; instead, it provides criteria to be applied in an identification process to be completed by 9 November 2018. Member States are requested to provide the Commission with information on the national measures allowing for the identification of OES, the list of essential services, the number of identified OES and the relevance of those operators for the sector. Furthermore, they could also consider sharing with the Commission the lists of identified operators of essential services, if necessary on a confidential basis, as this would help to improve the accuracy and quality of the Commission's assessment. An OES should be established on the territory of the Member State concerned, which implies the effective and real exercise of activity through stable arrangements (the legal form of those arrangements not being a determining factor). This means that a Member State can have jurisdiction over an operator of essential services not only where the operator has its head office on its territory, but also where the operator has, for example, a branch or another type of legal establishment there. Having regard to the state of the art, OES should take appropriate and proportionate measures to manage the risks posed to the security of the network and information systems they use in the provision of their services, in order to prevent and minimise the impact of an incident. Digital service providers (DSPs) are the other category of entities included in the scope of the NIS Directive.
These entities are considered important economic players because many businesses rely on them for the provision of their own services, so that a disruption of the digital service could have an impact on key economic and societal activities. The Directive does not require Member States to identify the digital service providers that are subject to the relevant obligations. The Communication highlights that, under the lex specialis principle, the provisions on security and/or notification requirements for digital service providers or operators of essential services do not apply where EU sector-specific legislation provides for security and/or notification requirements that are at least equivalent in effect to the corresponding obligations of the NIS Directive. For example, the security and notification requirements provided for in the Directive do not apply to providers that are subject to the requirements of Directive 2002/21/EC, which concerns undertakings providing public communications networks or publicly available electronic communications services.
Maurizio Mensi, member of the Legal Service of the European Commission, professor at SNA and Luiss Guido Carli, head of @LawLab Luiss
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA
Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union