Laws and regulations governing cybersecurity
4. Cybersecurity and its legal regulation
4.1. EU/EC documents used to harmonise legislation in addressing cybersecurity
Network and information systems and services play a vital role in society. Their reliability and security are essential to economic and societal activities, and in particular to the functioning of the internal market.
The magnitude, frequency and impact of security incidents are increasing, and represent a major threat to the functioning of network and information systems. Those systems may also become a target for deliberate harmful actions intended to damage or interrupt the operation of the systems. Such incidents can impede the pursuit of economic activities, generate substantial financial losses, undermine user confidence and cause major damage to the economy of the European Union.
Network and information systems, and primarily the internet, play an essential role in facilitating the cross-border movement of goods, services and people. Owing to that transnational nature, substantial disruptions of those systems, whether intentional or unintentional and regardless of where they occur, can affect individual Member States and the European Union as a whole. The security of network and information systems is therefore essential for the smooth functioning of the internal market.
Building upon the significant progress within the European Forum of Member States in fostering discussions and exchanges on good policy practices, including the development of principles for European cyber-crisis cooperation, a Cooperation Group, composed of representatives of Member States, the Commission, and the European Union Agency for Network and Information Security (‘ENISA’), should be established to support and facilitate strategic cooperation between the Member States regarding the security of network and information systems. For that group to be effective and inclusive, it is essential that all Member States have minimum capabilities and a strategy ensuring a high level of security of network and information systems in their territory. In addition, security and notification requirements should apply to operators of essential services and to digital service providers to promote a culture of risk management and ensure that the most serious incidents are reported.[1]
In particular, due to the specific borderless nature of cyberspace and the need for effective international cooperation, the EU seeks to approximate the legislation of individual Member States so that cybersecurity can be tackled effectively.
Regulations, directives, framework decisions and other EU/EC documents are primarily a means of approximating the laws of individual EU countries. In terms of cybersecurity, the most important documents are the following:
EU primary law
§ Charter of Fundamental Rights of the European Union
Directives of the European Parliament and of the Council
§ 91/250/EEC on the legal protection of computer programs
§ 98/34/EC on the procedure for the provision of information in the field of technical standards and regulations, as amended by Directive 98/48/EC
§ 1999/5/EC on radio equipment and telecommunications terminal equipment and the mutual recognition of their conformity
§ 2000/31/EC on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (Directive on electronic commerce)
§ 2002/19/EC on access to, and interconnection of, electronic communications networks and associated facilities (Access Directive)
§ 2002/20/EC on the authorisation of electronic communications networks and services (Authorisation Directive), as amended by Directive 2009/140/EC
§ 2002/21/EC on a common regulatory framework for electronic communications networks and services (Framework Directive), as amended by Directive 2009/140/EC
§ 2002/22/EC on universal service and user rights relating to electronic communications networks and services (Universal Service Directive)
§ 2002/58/EC on the processing of personal data and the protection of privacy in the electronic communications sector
§ 2006/24/EC on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks
§ 2008/114/EC on the identification and designation of European Critical Infrastructure and the assessment of the need to improve their protection
§ 2011/93/EU on combating the sexual abuse and sexual exploitation of children and child pornography, replacing Council Framework Decision 2004/68/JHA
§ 2013/11/EU on alternative dispute resolution for consumer disputes and amending Regulation (EC) No 2006/2004 and Directive 2009/22/EC (Directive on alternative dispute resolution for consumer disputes)
§ 2013/40/EU on attacks on information systems and replacing Council Framework Decision 2005/222/JHA
§ 2015/1535 on the procedure for the provision of information in the field of technical regulations and rules on information society services
§ 2015/2366 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC (“revised Payment Services Directive”)
§ 2016/680 on the protection of individuals with regard to the processing of personal data by the competent authorities for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, on the free movement of such data and repealing Council Framework Decision 2008/977/JHA
§ 2016/1148 on measures for a high common level of security of network and information systems across the European Union (NIS)
Regulations of the European Parliament and of the Council
§ 460/2004/EC establishing the European Network and Information Security Agency, as amended by Regulation No 1007/2008
§ 1077/2011/EC establishing a European Agency for the Operational Management of Large-Scale Information Systems in the Area of Freedom, Security and Justice
§ 526/2013 on the European Union Agency for Network and Information Security (ENISA) and repealing Regulation (EC) No 460/2004 (text with EEA relevance)
§ 910/2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (eIDAS[2])
§ 679/2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation – GDPR)
Council Decisions
§ 92/242/EEC in the field of the security of information systems
§ 2005/222/JHA on attacks against information systems
§ 2011/292/EU on the security rules for protecting EU classified information
Other documents
§ Council of Europe Convention No. 185 on Cybercrime
§ Council of Europe Additional Protocol No. 189 to the Convention on Cybercrime
§ Council of Europe Convention No. 196 on the Prevention of Terrorism
§ Commission Implementing Regulation (EU) 2018/151 laying down rules for application of Directive (EU) 2016/1148 of the European Parliament and of the Council as regards further specification of the elements to be taken into account by digital service providers for managing the risks posed to the security of network and information systems and of the parameters for determining whether an incident has a substantial impact
International standards
§ ISMS series ISO/IEC 27000
§ in the Czech Republic: ČSN ISO/IEC 27001:2014
Currently, the most important document of the European Union related to the issue of cybersecurity is Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the European Union.[3]
This directive is currently being revised, and the NIS2 Directive is being prepared. The first EU-wide law on cybersecurity, the NIS Directive, came into force in 2016 and helped achieve a higher and more even level of security of network and information systems across the EU. In view of the unprecedented digitalisation of recent years, the time has come to refresh it.
The changes introduced by the revised directive are clearly presented in the European Commission document[4]:

