January 16, 2019


EU Adopts Cybersecurity Directive: What US Companies Need to Know

Not all the news coming out of Europe these days is about Brexit. In fact, the forces of unity and harmonization remain a top priority for European regulators hoping to combat digital security threats and create a safer and more secure environment for the entire online community. To this end, on July 6, 2016, the European Parliament adopted the Network and Information Security (“NIS”) Directive in an effort to enhance cybersecurity and incident reporting at a national level across all of its member states (“NIS Directive”). This move followed an announcement the day before from the European Commission (the “Commission”) that it had launched a public-private initiative that will steer €1.8 billion of investment into cybersecurity by 2020. According to a recent survey cited by the Commission, 80% or more of European companies were victims of a cybersecurity incident during the last year, and the number of such incidents increased globally across all industries by 38% in 2015. The Commission’s Vice President in charge of the Digital Single Market, Andrus Ansip, commented that “without trust and security, there can be no Digital Single Market” and that “Europe has to be ready to tackle cyber-threats that are increasingly sophisticated and do not recognize borders.” The NIS Directive is a major step in this direction.

US companies take note! Large multinationals may be subject to the NIS Directive even without a physical presence in the EU, because the NIS Directive applies to two types of service providers:

  1. Operators of “essential services,” such as companies involved with energy, transport, banking, financial markets infrastructure, health, water and digital infrastructure; and

  2. Digital service providers (“DSPs”), which at a minimum will likely include online marketplaces, online search engines and cloud computing services.

Although the jurisdictional and application-of-law principles are yet to be worked out, companies that fit the definition of a DSP and that interact with the European market in some meaningful way should expect to fall under the national law of one of the EU member states that has implemented the NIS Directive. Note that micro businesses (fewer than 10 persons / €2 million annual turnover and/or balance sheet total) and small businesses (fewer than 50 persons / €10 million annual turnover and/or balance sheet total) are generally exempt from the NIS Directive.

For the companies that will need to comply (e.g. eBay, Google, Amazon, and many others), compliance responsibilities will be wide-ranging and include, among other things:

  • Implementation of “appropriate and proportionate technical and organizational measures” to protect networks and information systems;

  • Ensuring that digital security is adequate to address known risks;

  • Incident response designed to prevent and minimize the impact of security incidents on affected individuals; and

  • Notification obligations to relevant national authorities when security incidents occur that have a “substantial impact” on a covered digital service or a “significant impact” on a covered essential service.

Companies subject to the NIS Directive will have some time to prepare for compliance. Since EU member states will have 21 months to implement the NIS Directive into their national laws after it goes into force in August 2016, the European Union’s harmonization of its cybersecurity standards may not be complete until May 2018 or later.

©1994-2019 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.


About this Author

Michael B. Katz, Mintz Levin

Michael focuses on corporate law matters.

During law school, Michael was a Summer Associate at the firm. He also interned with the Honorable Raymond J. Brassard in the Superior Court of Massachusetts. Michael was a member of the Pro Bono Board and president of the Health Law Society.

Before attending law school, Michael was a legal specialist with Bain & Company, where he worked directly with its in-house legal team on implementing policies and best practices for confidentiality, data collection, employee stock...

Cynthia Larose, Mintz Levin

Cynthia is Chair of the firm’s Privacy & Security Practice and a Certified Information Privacy Professional (CIPP). She represents companies in information, communications, and technology, including e-commerce and other electronic transactions. She counsels clients through all stages of the “corporate lifecycle,” from start-ups through mid- and later-stage financings to IPO, and has broad experience in technology and business law, including online contracting issues, licensing, domain name issues, software development, and complex outsourcing transactions.

Cynthia has extensive experience in privacy, data security, and information management matters, including state, federal, and international laws and regulations on the use and transfer of information, behavioral advertising, data security breach compliance and incident response, data breach incident response planning, as well as data transfers in the context of mergers and acquisitions and technology transactions.

She conducts privacy audits and risk assessments to determine data and transaction flow and to assess privacy practices, and assists with drafting and implementation of privacy policies and information security policies and procedures and monitoring of privacy “best practices” across all levels of the enterprise.

She is a frequent speaker on privacy issues at conferences and media appearances and presents privacy awareness and compliance training seminars to client companies.