Cyber Law in Europe

European Union

Government Structure


Do they designate a lead cyber security agency within the government?

Yes, The European Union Agency for Cybersecurity (ENISA).

Is oversight provided on a centralized or sectoral basis?

Different requirements apply to operators of essential services ("OES") and digital service providers ("DSP"). OES provide services "essential for the maintenance of critical societal and/or economic activities" that "depend[] on network and information systems[.]" DSPs include providers of online marketplaces, search engines, and cloud computing. See Council Directive 2016/1148, arts. 4-5, 2016 O.J. (L 194) 1, 1 ("NIS Directive").

Designation of Critical Infrastructure

Which sectors do they designate as critical information infrastructure?

7 Baseline Sectors: Energy, Transport, Banking, Financial Market Infrastructures, Health, Drinking Water Supply and Distribution, and Digital Infrastructure. N.B. Member States can identify additional sectors in their transposition legislation.

How do they designate within these sectors?

Unclear: Member States are able to designate Operators of Essential Services (OES) as they deem relevant for their circumstances, though efforts should be made to ensure consistency across the EU.

"Member States should be responsible for determining which entities meet the criteria of operator of essential services (OES). In order to ensure a consistent approach, the definition of OES should be coherently applied by all Member States. To that end, this Directive provides for the assessment of the entities active in specific sectors and subsectors, the establishment of a list of essential services, the consideration of a common list of cross-sectoral factors to determine whether a potential incident would have a significant disruptive effect, a consultation process involving Member States in the case of entities providing services in more than one Member State, and the support of the Cooperation Group in identification." See Directive (EU) 2016/1148.

Security Measures

Are there mandatory security measure requirements for CI, other than privacy/data protection laws?

Yes, but not generally applicable across the economy. The Directive on Security of Network and Information Systems ("NIS Directive") instructs EU Member States to impose requirements on both OES and DSPs. See NIS Directive, arts. 14, 16.

Does it take a risk-based approach?

Yes. The NIS Directive instructs Member States to ensure that OES and DSPs "take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems" they use in their operations. See NIS Directive, arts. 14, 16.

Do the security measures enable the use of international standards?

Yes. The NIS Directive provides that risk management measures for DSPs should take into account, inter alia, "compliance with international standards." NIS Directive, art. 16.

Member States are also directed to "encourage the use of European or internationally accepted standards and specifications relevant to the security of network and information systems." Id., art. 19. Finally, the EU Cybersecurity Act specifies that "[a] European cybersecurity certification scheme shall include . . . references to the international, European or national standards applied in the evaluation [if applicable] . . . [and] the identification of national or international cybersecurity certification schemes covering the same type or categories of ICT products, ICT services and ICT processes, security requirements, evaluation criteria and methods, and assurance levels[.]" Council Regulation 2019/881, art. 54, 2019 O.J. (L 151) 15.

Are security measures NIST CSF compatible? (Possible to comply through this approach?)

Generally, yes. The NIS Directive does not mention the NIST CSF, but BSI Group—the British Standards Institution—noted in a 2019 white paper that "a significant number of member states have opted to align themselves with suitable frameworks such as . . . [the NIST CSF]." See The National Information Systems (NIS) Directive: Enhancing your information resilience by improving your cybersecurity, at 6, BSI Group (2019).

Do they include prescriptive or technology-based security measures?

Generally, no. The NIS Directive does not include prescriptive or technology-based security measures. While Member States have latitude to impose "technical . . . measures," they have generally aligned themselves with outcome-based frameworks like the NIST CSF, as noted above.

Incident Reporting

Are there mandatory incident reporting requirements?

Yes. The NIS Directive directs Member States to ensure that both OES and DSPs "notify the competent authority or the [Computer Security Incident Response Team, or CSIRT] . . . of any incident . . ." See NIS Directive, arts. 14, 16.

Are there clear thresholds above which an incident should be reported?

Yes. OES should report an incident that has a "significant impact on the continuity of the essential services they provide." NIS Directive, art. 14. DSPs should report an incident "having a substantial impact on the provision of" their service. Id., art. 16. To determine whether an impact meets these thresholds, the organization should consider the number of users affected, the duration of the incident, and the geographical area affected by the incident. Id., arts. 14, 16. DSPs should also consider the extent of the disruption of the functioning of the service and the extent of the impact on economic and societal activities. Id., art. 16.

How do they determine the timeline within which an incident must be reported?

The NIS Directive instructs Member States to ensure that incidents meeting the above criteria are reported "without undue delay[.]" See NIS Directive, arts. 14, 16.

Threat Information Sharing

Have they established a national threat information sharing entity?

Yes. The NIS Directive created the NIS Cooperation Group "to ensure strategic cooperation and the exchange of information among EU Member States in cybersecurity," and part of this mandate includes "collecting best practice information on risks and incidents[.]" See NIS Directive, art. 11; NIS Cooperation Group, European Commission (Nov. 5, 2019).

However, these goals may be more aspirational than practical. A 2018 study from the European Economic and Social Committee found that one challenge to European cybersecurity regulation was "the absence of a coordinated vulnerability disclosure (CVD) process in Europe[.]" Cybersecurity: Ensuring awareness and resilience of the private sector across Europe in face of mounting cyber risks, at 10, European Economic and Social Committee (Mar. 2018).

Does this entity share information out to industry, as well as receiving information?

Yes. The NIS Cooperation Group has published eight working documents, which include guidance for industry, such as CG Publication 01/2018 - Reference document on security measures for Operators of Essential Services. See NIS Cooperation Group, European Commission (Nov. 5, 2019).

Is threat information sharing mandatory for any private sector entity?

No. Not to the NIS Cooperation Group. However, Member States are instructed by the NIS Directive to "ensure that the[ir] competent authorities have the powers and means to require [OES and DSPs] to provide . . . the information necessary to assess the security of their network and information systems, including documented security policies . . . [or OES to] evidence of the effective implementation of security policies, such as the results of a security audit carried out by the competent authority or a qualified auditor and, in the latter case, to make the results thereof, including the underlying evidence, available to the competent authority." See NIS Directive, arts. 15, 17.

Government Access Requirements

Are there requirements to provide government officials physical access to facilities?

No. Not to the NIS Cooperation Group. However, Member Countries may conceivably impose such requirements based on the aforementioned grant of authority from the NIS Directive.

Are there requirements to cede control of facilities in an emergency situation?

No. Not at the EU level, but Member States may allow such a policy at the national level. See, e.g., Anna Khakee, Securing Democracy? A Comparative Analysis of Emergency Powers in Europe, Geneva Centre for the Democratic Control of Armed Forces, at 29 (2009) ("[The Swiss Government has deliberately chosen not to adopt any written rules, constitutional or otherwise, for emergencies so as not to hamper the executive in its handling of the crisis. Rather, it relies on an extra-constitutional and un-codified 'doctrine of necessity', which stipulates that, in a severe emergency, the government may seize almost total power, leaving the parliament virtually toothless.").

Are there requirements to provide source code or other decryption capabilities?

No. Again, however, it is conceivable that a Member State could impose such a requirement based on the authority granted by the NIS Directive.

Localization Requirements

Are there requirements to establish a local presence - either officer or personnel?

Yes. "A [DSP] that is not established in the Union, but offers [digital] services . . . within the Union, shall designate a representative in the Union. The representative shall be established in one of those Member States where the services are offered." NIS Directive, art. 18.

Are there requirements to localize data?

Not officially, but arguably in practice. The General Data Protection Regulation limits the flow of data outside of the EU, based on the cybersecurity of outside countries. See Communication from the Commission to the European Parliament and the Council, Exchanging and Protecting Personal Data in a Globalised World, COM (2017) 7 final (Oct. 1, 2017).

Penalties

Are there financial penalties outlined? If so, what for and what is the maximum penalty?

Unclear: Member States are given discretion to determine their own penalties. Most Member States have included provisions for financial penalties in their transposition legislation.

"Member States shall lay down the rules on penalties applicable to infringements of national provisions adopted pursuant to this Directive and shall take all measures necessary to ensure that they are implemented. The penalties provided for shall be effective, proportionate and dissuasive." See NIS Directive, art. 21.

Are there criminal penalties outlined? If so, what for and what is the maximum penalty?

Unclear: Member States are given discretion to determine their own penalties. Most Member States have not included provisions for criminal penalties in their transposition legislation. See cite.

Effective Dates

What are the effective dates and dates of enactment of the country's key cybersecurity statutes/regulations?

The NIS Directive entered into force in August 2016, and individual countries were required to implement the NIS Directive by May 9, 2018. See Questions and Answers: Directive on Security of Network and Information systems, the first EU-wide legislation on cybersecurity, European Commission (Oct. 28, 2019).


The EU Cybersecurity Act entered into force on June 27, 2019. See The EU Cybersecurity Act brings a strong agency for cybersecurity and EU-wide rules on cybersecurity certification, European Commission (June 26, 2019). The GDPR entered into force on May 24, 2016 and became binding on May 25, 2018. See Data protection in the EU, European Commission (last visited Dec. 29, 2019).

United Kingdom

Government Structure


Do they designate a lead cyber security agency within the government?

Yes. The National Cyber Security Centre (NCSC).

Is oversight provided on a centralized or sectoral basis?

Oversight of each CII sector will be provided by its traditional regulator(s). See The Network and Information Systems Regulations (NISR), 2018 No. 506 (Schedules 1 and 2).

Designation of Critical Infrastructure

Which sectors do they designate as critical information infrastructure?

13 Sectors: Chemicals, Civil Nuclear, Communications, Defense, Emergency Services, Energy, Finance, Food, Government, Health, Space, Transport, and Water. See Critical National Infrastructure, Centre for the Protection of National Infrastructure (last visited Jan. 1, 2020).

How do they designate within these sectors?

Thresholds. Each sector has its own threshold for determining critical assets. For energy, it is any supplier that has 250,000 customers. For financial services, it is large banks and payment systems. See NISR, Schedule 2.

Security Measures

Are there mandatory security measure requirements for CI, other than privacy/data protection laws?

Yes. At the national level for CNI, and at the EU level for DSPs.

Does it take a risk-based approach?

Yes. An OES/CNI should identify and take appropriate and proportionate measures to manage the risks posed to the security of network and information systems.

Do the security measures enable the use of international standards?

Yes.

Are security measures NIST CSF compatible? (Possible to comply through this approach?)

Yes. In fact, NIST lists the UK's NIS Guidance Collection under "Framework Adoptions" and "International Resources" on its website.

Do they include prescriptive or technology-based security measures?

No. See NCSC Cyber Assessment Framework (CAF) (last accessed January 1, 2020).

Incident Reporting

Are there mandatory incident reporting requirements?

Yes. See NISR Regulation 11 and Regulation 12.

Are there clear thresholds above which an incident should be reported?

Yes. An incident that has a "significant impact on the continuity of essential service" should be reported. To determine whether an impact is significant, the OES should consider the number of users affected, the duration of the incident, and the geographical area affected by the incident. See NISR Regulation 11(1)-(2).

How do they determine the timeline within which an incident must be reported?

It depends on the sector. Many sectors do not have a reporting requirement other than for breaches of personal information.

Threat Information Sharing

Have they established a national threat information sharing entity?

Yes. The Cybersecurity and Infrastructure Security Agency (CISA) is a joint industry and government initiative set up to exchange cyber threat information in real time.

Does this entity share information out to industry, as well as receiving information?

Yes. NCSC has the Industry 100 group, which brings together the public and private sectors to identify vulnerabilities and reduce attacks.

Is threat information sharing mandatory for any private sector entity?

No. See NISR Regulation 6.

Government Access Requirements

Are there requirements to provide government officials physical access to facilities?

Yes. An OES must allow its competent authority to conduct an inspection. See NISR, Regulation 16.

Are there requirements to cede control of facilities in an emergency situation?

No. See NISR, Regulation 16.

Are there requirements to provide source code or other decryption capabilities?

No. See NISR, Regulation 16.

Localization Requirements

Are there requirements to establish a local presence - either officer or personnel?

No.

Are there requirements to localize data?

No.

Penalties

Are there financial penalties outlined? If so, what for and what is the maximum penalty?

Yes. There are four levels of financial penalties depending on the nature of the material contravention. The highest fine is up to £17,000,000 for an incident that could result in a threat to life or a significant adverse impact on the UK economy. See NISR, Regulation 18.

Are there criminal penalties outlined? If so, what for and what is the maximum penalty?

No. The penalty enforcer does have criminal prosecution powers. See NISR, Regulation 18.

Effective Dates

What are the effective dates and dates of enactment of the country's key cybersecurity statutes/regulations?

The Network and Information Systems Regulations (NISR) went into effect on May 10, 2018.


© 2023 by National Cyber Law Project Reference Site


Disclaimer: The material presented in the International Law Project was prepared by Wiley Rein LLP, the United States Chamber, and the National Security Institute at the Antonin Scalia Law School at George Mason Law School. It is not legal advice. Chamber members using this information should consult their own counsel as needed for compliance and regulatory issues in particular jurisdictions. The information contained herein is provided as a resource, as is, based on domestic regulations and laws as of January 30, 2020. Regulations and laws change, so you should consult other resources to ensure continued accuracy.