Fighting back: EU to take on the hackers

There are concerns surrounding the Network and Information Security Directive. Nathalie Dreyfus of Dreyfus & Associates examines the potential consequences of the draft legislation...

With cybercrime proliferating at an estimated annual cost of more than $400 billion, and a recent spate of hacking cases around the world, cyber security has clearly become a global issue. The threat posed by cybercrime, cyber espionage and attacks against critical online infrastructure is growing apace. To head off a loss of confidence in the digital economy, EU member states, companies and individuals need to be made aware of the risk and to take appropriate measures.

The EU therefore took up the matter in 2013 with a view to proposing a directive that would raise the level of cyber security in member states and establish a comprehensive strategy in this regard. The Network and Information Security (NIS) Directive was approved by the European Parliament on 13 March 2014 by a strong majority of 521 votes to 22. It is now under discussion in the Council of the European Union.

This draft directive focuses on the entities carrying the highest risk, namely critical infrastructure operators, where an incident can have far-reaching consequences for public health, the economy and security. But given the importance of digital industries in our societies, some EU member states favour extending the scope of the directive to the digital sector in order to protect the stability of the European economy. Large companies offer services, such as email or cloud computing, that are becoming indispensable to the smooth running of the economy. Like hosting companies, they control and manage increasingly sensitive information and data.

Safeguarding their infrastructure and information systems has become paramount, as the recent Sony Pictures case shows.

Sony Pictures was robbed of nearly all of its data, much of it sensitive, confidential and personal. While it is unclear whether this cyberattack originated from North Korea or elsewhere, it was nonetheless regarded as the largest attack ever mounted against a private company. The FBI consequently issued warnings to all major US companies describing the hackers' likely methods of operation.

The hack carries significant financial and legal ramifications for Sony Pictures. Apart from the leak of several films and of its business strategy, employees have sued the company for failing to secure their personal data in its information systems. The case is emblematic of companies' failures and negligence in matters of IT security.

NIS Directive: new security obligations

The aim of this draft directive, which rests on the principles of member state security and economic stability, is to reduce cybercrime. From the outset, the draft directive states that "computer networks, systems and services play a crucial role in society", adding that "the magnitude, frequency and impact of security incidents are growing and represent a major threat to the operation of computer networks."

The directive therefore requires each member state to designate a central authority to develop its national cyber security strategy. This authority is to monitor and ensure the consistent application of the directive in its territory; in France, for instance, that would be the National Agency for the Security of Information Systems (ANSSI). The EU Agency for Network and Information Security (ENISA), which will have a coordinating role, has noted that 17 member states already have national cyber security strategies. Beyond that, the directive aims to establish cooperation between national authorities so that threats affecting several member states can be tackled jointly.

Furthermore, the NIS Directive contains a non-exhaustive list of critical infrastructure operators, including operators in the energy, banking, health, transport and financial services sectors. These operators are subject to a series of security requirements, among them incident reporting: the directive requires them to report incidents and security breaches that have a "significant impact".

Member states do not all agree on the meaning of these obligations, and the directive seeks to establish exactly what "significant impact" should trigger a reporting procedure. Under the directive, that impact would depend on the number of users of the affected service, the duration of the incident and the geographical area concerned. For now, the amended definition in Section 8(a) of Article 3 reads: "[An] incident which has a significant impact: an incident that affects the security and continuity of a network or information system and which causes significant disruption of key economic or societal functions."

Finally, the NIS Directive would impose several further obligations: reporting all incidents detected in networks, training security managers, submitting to audits by a national regulatory body, and identifying "connection points of vital importance". Article 11 of the directive specifies that "all member states and all market participants should have sufficient means, both technical and organisational, to be able, at any time, to prevent and detect incidents and risks relative to networks and computer systems and take the necessary intervention and mitigation measures".

It should also be noted that, as regards the security obligations placed on critical infrastructure operators, some countries, such as France, have already moved ahead. The French ANSSI already oversees compliance with similar security obligations imposed on large banks and telecom operators, though not yet on private digital stakeholders.

Extension of obligations to digital stakeholders: significant consequences and concerns

The requirements for critical infrastructure operators could apply to other stakeholders in the private digital industry. In its annex, the directive mentions: ecommerce platforms, internet payment gateways, social networks, search engines, IT cloud services, as well as online application stores.

In practice, the companies covered would be those that often hold hosting provider status, such as Google, Amazon, Microsoft, OVH and Dailymotion. However, small and medium-sized enterprises have not been formally excluded during the debates.

Moreover, only the most important services would be covered, specifically those with a major economic impact. For example, Amazon's cloud service would be covered, but its ecommerce site would not. This is the subject of heated debate, and for now member states remain divided on whether to bring digital industry players such as cloud providers within this European legislation.

While the companies concerned consider these measures disproportionate, several member states appear to favour extending the security obligations to private digital industry stakeholders. French Prime Minister Manuel Valls and German Chancellor Angela Merkel, for example, both support the extension. Germany has even anticipated the European rules: on 17 December 2014 the German cabinet approved a cyber security bill overhauling its legislation to force companies to invest in IT security.

But not all member states agree on this issue, and the affected companies agree even less. The latter argue that the security obligations, if they must be complied with, could constitute a significant financial burden, weakening their competitiveness, especially that of SMEs. Intervention by a public authority through a state central authority has drawn sharp criticism, with some questioning the legitimacy of the state reaching into the information systems of a private company.

In France, the AFDEL, the French association of internet software and solutions vendors, has urged that the category of critical infrastructure operators provided for in the directive not be extended to "companies of the information society". While supporting the project and its objective of strengthening cyber security in Europe, it argues that such an extension could damage the competitiveness of enterprises. For the AFDEL, classifying every digital business as "critical infrastructure" is not justified, and it would be disproportionate to impose additional administrative obligations, such as mandatory reporting of security incidents to the national agencies responsible for cyber security. Similarly, SYNTEC, the professional union of digital service companies, software vendors and technology consulting firms, has warned against a "dangerous evolution" of the text.

Real debate, and even tension, presently exists between EU member states and private stakeholders on this issue. The Council of the European Union has not yet adopted its first-reading position on the NIS Directive, and Council meetings are stalling because of disagreements among the member states' ministers in the transport, telecommunications and energy configuration.

Should obligations be imposed on digital industry stakeholders, they will have to implement them. Any company failing to comply with the new European legislation may be penalised, or may incur severe liability for computer attacks made possible by inadequate security. Forthcoming developments will involve all internet stakeholders and deserve to be followed closely.
Published in IPPro The Internet.