On 7 February, the European Commission (EC) published an EU Cyber Security Strategy encompassing a proposed Directive on Network and Information Security (NIS Directive). The aim of the Strategy and NIS Directive is to establish a secure and trustworthy digital environment while promoting and protecting fundamental rights, including data protection, democracy and the rule of law.
Global societies have become increasingly reliant on network and information systems, in particular the Internet, to facilitate the cross-border transfer of goods, services and people. Given this transnational dimension, and the potential for disruptions occurring in one EU Member State to impact another, it is imperative that these systems remain reliable, trusted and secure from incidents, malicious activities and misuse. The European Network and Information Security Agency's (ENISA) recent report on the cyber threat landscape highlights the vulnerability of network information system technologies, such as cloud computing and associated big data sets, where the concentration of vast amounts of data in few logical locations makes it an attractive target for cyber threat agents.
Within the EU, significant strides have been taken to achieve resilience and stability on network and information systems. ENISA was established through EU Regulation (EC) No 460/2004 in order to ensure a high level of Network Infrastructure Security (NIS) within the EU, and to assist Member States and the EC in facilitating the exchange of best practise. The EC also established the European Cybercrime Centre (EC3) in January 2013, which is incorporated within the European Police Office (EUROPOL) and at the core of cybercrime law enforcement within the EU. Laws including Directives 2002/58/EC and 2002/21/EC are also in place to ensure that all data controllers in the electronic communications sector are obliged to put in place appropriate technical and organisational measures to protect the integrity of their systems and the security of personal data. The recent 2012 proposal for a General Data Protection Regulation creates further requirements for data controllers to report breaches of personal data to the national supervisory authorities within the EU.
Legislative loopholes in the EU are still prevalent because of the purely voluntary system of cyber threat and risk prevention currently in place, with no overarching obligation to ensure all Member States have the required capabilities to...