December 5, 2021

Volume XI, Number 339


New EU Cybersecurity Rule Means Additional Compliance Obligations for Critical Infrastructure and Tech Companies

On December 7, 2015, the European Parliament and the Council of the European Union reached agreement on new cyber security rules that will require certain critical infrastructure operators and multinational companies to report significant security incidents to European Union (EU) authorities or face severe penalties.  

The new law, known as the Network and Information Security (NIS) Directive, sets out incident reporting rules for companies in sectors such as finance, energy, health, and technology.  The purpose behind the law is to encourage more transparency and cooperation between member states and large multinational companies when responding to and combating cyber threats.  

Notably, technology companies that fall under the Directive’s definition of “digital service providers” (including online marketplaces, cloud computing services, and search engines) will be subject to the incident reporting rules.  But it is unclear exactly which companies qualify as “digital service providers” and will therefore be subject to the reporting requirements.  For example, service providers such as Google and Amazon may be required to report security incidents to EU authorities, while social network companies such as Facebook may not be required to make any disclosures in the event of a breach.

Companies can expect more clarity on the draft NIS Directive in the coming months.  European regulators are also negotiating a new transatlantic data transfer agreement to replace Safe Harbor, and the General Data Protection Regulation, which will replace the existing Data Protection Directive, is expected any time now.  

The good news is that these new laws and directives will provide a degree of uniformity across Europe, giving companies clearer direction on their obligations across the continent.  The bad news is that companies can expect more significant compliance obligations, higher standards for the protection of privacy and personal data, and far more significant penalties and regulatory enforcement action in the event of a breach or other non-compliance.  Companies should begin strengthening their privacy and data security compliance programs now, designing them around recognized industry standards such as ISO 27001.  

© Polsinelli PC, Polsinelli LLP in California. National Law Review, Volume V, Number 346