
European Parliament publishes opinion and proposed amendments to the Cyber Security Directive

30 January 2014

On 15 January 2014 the European Parliament published Opinion 2013/0027(COD) on the proposal for a Directive concerning measures to ensure a high common level of network and information security across the Union (the Cyber Security Directive). The Opinion suggests some significant amendments to the previously published draft.

The intention of the Directive is to mirror proposals in the US for increasing the resilience of EU networks against cyber-attack and cyber-crime.

The Directive applies to a wide range of 'critical infrastructure companies' and deals with issues such as increased information security policies and procedures and specific data breach notification procedures.

The key points to note from the above Opinion are as follows:

  • amended language more clearly anchors this Directive to the EU Data Protection Directive, the proposed Data Protection Regulation, the draft Directive on the Protection of Trade Secrets and the European Convention on Human Rights
  • amendments to Recital 2 of the Directive spell out the risks of not only cyber-crime but also cyber-attacks from hostile governments
  • amendments to Recital 10 of the Directive stipulate that each Member State should have a competent Authority for coordinating national infrastructure security
  • a new Recital specifically places liability for compliance upon Cloud service providers
  • proposed Recital 2a now places a specific 'duty of care' on businesses and public administrations to implement cyber security
  • Recital 29a now specifically includes intellectual property rights theft and infringement in the Directive
  • revisions to Article 3 paragraph 4 amend the definition of a cyber incident to include not only an incident that affects security but also 'the provision of core services'
  • revisions to Article 5 delete the call for a risk assessment plan to identify risks and impacts and instead call for a risk management framework including regular assessments and preventative measures including 'early warning'
  • the insertion of a new Article 14 paragraph 2 specifically states 'commercial software producers shall be held responsible despite non liability clauses in users agreement in case of gross negligence regarding safety and security'
  • the list of critical infrastructure companies affected by the Directive has on the one hand seen the exclusion of social networks but on the other hand has seen the inclusion of businesses in the 'food supply chain'.

This article was written by Robert Bond.

For more information contact Robert on +44 (0)20 7427 6660 or robert.bond@crsblaw.com