Cyber Law in Europe

France

Government Structure


Do they designate a lead cyber security agency within the government?

Yes. The French National Agency for the Security of Information Systems (ANSSI, Agence Nationale de la Sécurité des Systèmes d'Information).

Is oversight provided on a centralized or sectoral basis?

Both. ANSSI sets technical and organizational rules that are "mostly basic cyber hygiene measures and common to all sectors." However, there are additional sector-specific safety and incident notification requirements. See The French CIIP Framework, ANSSI.

Designation of Critical Infrastructure

Which sectors do they designate as critical information infrastructure?

12 sectors: food; water management; health; state civil activities; judicial activities; military activities; energy; finance; transportation; electronic communications, telecom and broadcasting; industry; and space and research. See La Sécurité des Activités d'Importance Vitale, SGDSN.

How do they designate within these sectors?

The law designates by subsector and "type of operators" within those subsectors (e.g., Sector: Energy; Subsector: Electricity; Type of Operators: supply chain companies, distribution network managers, and transmission system operators). See Annex, Decree No. 2018-384 of 23 May 2018.

Security Measures

Are there mandatory security measure requirements for CI, other than privacy/data protection laws?

Yes. ANSSI has established technical and organizational rules that are "[c]ross-sectoral [and] are mainly composed of basic cyber measures and fall within 20 categories including network mapping, network segmentation, implementation of trusted detection capabilities, accreditation, etc." See The French CIIP Framework, ANSSI.

Does it take a risk-based approach?

Yes. Operators are only subject to the rules where "networks and information systems are necessary to the provision of [an essential] service and that an incident affecting these networks and systems would have serious consequences on the provision of this service," assessed according to several criteria, including the number of users depending on the service and whether other designated essential sectors depend on that activity. See Article 2, Decree No. 2018-384.

Do the security measures enable the use of international standards?

Yes. Article 12 of Law No. 2018-133 of February 26, 2018, which contains various provisions for adaptation to European Union law in the field of security, states that digital service providers (DSPs) must take "respect of international standards" into account when identifying and addressing risks that threaten the security of their networks and information systems. See Article 12, Law No. 2018-133 of February 26, 2018.

Are security measures NIST CSF compatible? (Possible to comply through this approach?)

Not fully. The French framework requires more than the NIST CSF does, so compliance cannot be demonstrated through the NIST CSF approach alone.

Do they include prescriptive or technology-based security measures?

No.

Incident Reporting

Are there mandatory incident reporting requirements?

Yes. Operators must report incidents to the ANSSI. See Article 11, Decree No. 2018-384.

Are there clear thresholds above which an incident should be reported?

It depends on the sector. See The French Cyber Security Framework, FAQ, How Does Security Incident Notification Work Within the Framework of the CIIP Law? (last accessed Jan. 1, 2020).

How do they determine the timeline within which an incident must be reported?

An operator must report any incidents "as soon as they become aware of them." See Article 11, Decree No. 2018-384.

Threat Information Sharing

Have they established a national threat information sharing entity?

Yes.  The Information Systems Security Operational Center (COSSI) is responsible for "acquir[ing], develop[ing], capitaliz[ing] and shar[ing] knowledge of the cyber threat as well as the vulnerabilities of the digital systems that the agency defends..." See Operations Branch (SDO), ANSSI.

Does this entity share information out to industry, as well as receiving information?

Yes. See Operations Branch (SDO), ANSSI.

Is threat information sharing mandatory for any private sector entity?

Yes, to the extent of the mandatory incident reporting obligation to ANSSI. See Article 11, Decree No. 2018-384.

Government Access Requirements

Are there requirements to provide government officials physical access to facilities?

Yes. The Prime Minister, after consulting the ministers concerned, may order one inspection (contrôle) per calendar year of a network or information system; additional inspections are permitted if a security incident or vulnerability is identified during the inspection. See Article 13, Decree No. 2018-384.

Are there requirements to cede control of facilities in an emergency situation?

No.

Are there requirements to provide source code or other decryption capabilities?

Yes, in certain circumstances. Article L.871-1 of the French Internal Security Code enables administrative and judicial authorities to require natural or legal persons providing encryption services aimed at ensuring a confidentiality function to submit within 72 hours an agreement enabling the decryption of data transformed by means of the services they have provided. See Frederic Lecomte and Melina Charlot, France: Cybersecurity 2020, ICLG (Oct. 22, 2019).

Localization Requirements

Are there requirements to establish a local presence - either officer or personnel?

Yes, pursuant to Art. 18 of the NIS Directive. See Article 9, Decree No. 2018-384.

Are there requirements to localize data?

No.

Penalties

Are there financial penalties outlined? If so, what for and what is the maximum penalty?

Yes.

A fine of €100,000 applies to operators that fail to comply with the security rules referred to in Article 6. A fine of €50,000 applies to the same persons for failing to comply with the obligation to report an incident or information. Obstruction of inspections by the national security authority is punishable by a fine of €100,000.

See Article 15, Law No. 2018-133 of February 26, 2018.

Are there criminal penalties outlined? If so, what for and what is the maximum penalty?

No. 

Effective Dates

What are the effective dates and dates of enactment of the country's key cybersecurity statutes/regulations?

Law No. 2018-133 was enacted on February 26, 2018. Decree No. 2018-384 was enacted on May 23, 2018.

Netherlands

Government Structure


Do they designate a lead cyber security agency within the government?

Yes. The National Cyber Security Centre (NCSC), under the authority of the National Coordinator for Security and Counterterrorism (NCTV), oversees digital security in the Netherlands.

Is oversight provided on a centralized or sectoral basis?

Both. The Network and Information Systems Security Act (Wet beveiliging netwerk- en informatiesystemen, "NISS Act") requires providers of essential services and digital service providers to take appropriate technical and organisational measures to manage security risks to their networks and information systems. There are also sector-specific regulations.

See Shima Abbady & Berend van der Eijk, Stricter enforcement of cybersecurity rules to be expected in the Netherlands, Lexology (Oct. 7, 2019).

Designation of Critical Infrastructure

Which sectors do they designate as critical information infrastructure?

Category A: National transportation/distribution of electricity, natural gas production, oil supplies, storage/production/processing of nuclear materials, drinking water supplies, and water management.

Category B (lower thresholds in terms of economic impact, physical impact, and societal impact): Regional distribution of electricity and gas, flight/airplane management, maritime and inland shipping management, large-scale storage, production, or processing of petrochemical resources, financial sector, communication with/between emergency services, police mobilization, and government services that depend on reliable, available digital information and data systems.

See Securing Critical Infrastructures in the Netherlands, The Hague Security Delta, at 9 (2015).

How do they designate within these sectors?

Under the direction of the NCTV, the Dutch ministries will review which critical components require protection and will examine whether organizations are sufficiently aware of vulnerabilities. See Government of Netherlands: Structural improvement in digital resilience (June 12, 2019).

Security Measures

Are there mandatory security measure requirements for CI, other than privacy/data protection laws?

Yes. The 2018 National Cyber Security Agenda set out seven objectives and the measures necessary to accomplish them. These measures include mandatory cyber threat/incident reporting (notification) as well as requiring operators of critical processes to develop their capacity to withstand cyber-attacks (duty of care).

See Ferd Grapperhaus, Minister of Justice and Security, National Cyber Security Agenda: A cyber secure Netherlands (April 20, 2018).

Does it take a risk-based approach?

Yes.

See Nicolas Castellon and Erik Frinking, Securing Critical Infrastructures in the Netherlands: Towards a National Testbed, The Hague Security Delta.

Do the security measures enable the use of international standards?

Unclear from available resources.

Are security measures NIST CSF compatible? (Possible to comply through this approach?)

NIST has not identified the Netherlands as a compatible jurisdiction.

See International Resources, Adaptations, NIST.

Do they include prescriptive or technology-based security measures?

No.

Incident Reporting

Are there mandatory incident reporting requirements?

Yes. Incidents must first be reported to the competent Computer Security Incident Response Team (CSIRT). For providers of essential services and other critical providers, this is the National Cyber Security Centre within the Ministry of Justice and Security. Digital service providers report incidents to the CSIRT for digital service providers, which falls under the Ministry of Economic Affairs and Climate Policy. In addition, providers of essential services and digital service providers must also report these incidents to their sectoral supervisory body.

See Ministry of Justice and Security, National Coordinator for Security and Counterterrorism, Cyber Security Assessment Netherlands 2019.

Are there clear thresholds above which an incident should be reported?

Providers of essential services, others designated as critical providers by administrative order, and digital service providers are subject to a notification obligation in the event of incidents that could have substantial consequences. An incident is defined as any event that has a damaging effect on the security of the network and information systems used for the purposes of the services in question.

See Ministry of Justice and Security, National Coordinator for Security and Counterterrorism, Cyber Security Assessment Netherlands 2019.

How do they determine the timeline within which an incident must be reported?

Unclear from available resources.

Threat Information Sharing

Have they established a national threat information sharing entity?

Yes. The National Cyber Security Centre, the agency tasked with overseeing digital security in the Netherlands, alerts public authorities and organizations of potential threats and advises both on how to protect themselves from online threats. See Government of the Netherlands, Fighting Cybercrime in the Netherlands.

Does this entity share information out to industry, as well as receiving information?

Yes. The National Cyber Security Centre alerts public authorities and organizations of potential threats and advises both on how to protect themselves from online threats.

Is threat information sharing mandatory for any private sector entity?

Yes. Providers of essential services, others designated as critical providers by administrative order, and digital service providers are subject to a notification obligation in the event of incidents that could have substantial consequences.

See Ministry of Justice and Security, National Coordinator for Security and Counterterrorism, Cyber Security Assessment Netherlands 2019.

Government Access Requirements

Are there requirements to provide government officials physical access to facilities?

The Computer Crime Act, which went into effect in March 2019, gives public authorities the power to access computers covertly to investigate serious crimes (child pornography, drug trafficking and targeted shootings). This power extends to personal computers, mobile phones and servers. In addition, the Act gives investigating officers the power to apply various investigative tactics, such as making certain data inaccessible, copying files and tapping communication channels.

See Government of the Netherlands, New law to help fight computer crime.

Are there requirements to cede control of facilities in an emergency situation?

See above.

Are there requirements to provide source code or other decryption capabilities?

The Dutch Code of Criminal Procedure states that in cases involving serious offenses like terrorism, the public prosecutor can require a person "reasonably presumed to have knowledge of the manner of encryption of the communications . . . to assist in decrypting the data." See Daniel Severson, The Encryption Debate in Europe, Hoover Institution (2017).

Localization Requirements

Are there requirements to establish a local presence - either officer or personnel?

Unclear from available resources.

Are there requirements to localize data?

Not other than the GDPR.

Penalties

Are there financial penalties outlined? If so, what for and what is the maximum penalty?

Unclear from available resources.

Are there criminal penalties outlined? If so, what for and what is the maximum penalty?

The Netherlands has criminal penalties for the following cyber activities: hacking, illegal interception, data interference, system interference, misuse of devices, computer fraud, computer forgery, data theft, identity theft, grooming (preparing minors for sexual abuse), child pornography, racism, violation of copyright, and violation of privacy. While the majority of these offenses carry a punishment of two to four years in prison, some allow for an eight-year maximum sentence. See B. J. Koops, Cybercrime Legislation in the Netherlands, Electronic Journal of Comparative Law (December 2010).

Effective Dates

What are the effective dates and dates of enactment of the country's key cybersecurity statutes/regulations?

The Cyber Security Assessment was published on September 13, 2019. 

© 2023 by National Cyber Law Project Reference Site


Disclaimer: This material presented in the International Law Project was prepared by Wiley Rein LLP, the United States Chamber, and the National Security Institute at the Antonin Scalia Law School at George Mason Law School. It is not legal advice. Chamber members using this information should consult their own counsel as needed for compliance and regulatory issues in particular jurisdictions. The information contained herein is provided as a resource, as is, based on domestic regulations and laws as of January 30, 2020. Regulations and laws change, so you should consult other resources to ensure continued accuracy.