As you know, the EU recently adopted the General Data Protection Regulation (hereafter "GDPR") in which data security plays a prominent role.
What are the obligations set by the GDPR in terms of data security?
The GDPR imposes stricter obligations on data processors and controllers with regard to data security while also offering more guidance on appropriate security standards (notably through approved codes of conduct or approved certification mechanisms).
The GDPR also contains for the first time a definition of "personal data breach" and requires notification to both the supervisory authority and affected data subjects.
Although the GDPR will be applicable as of 25 May 2018, companies should already take it into consideration in order to make sure that they are compliant by that date.
Furthermore, the EU adopted the Directive on security of network and information systems(hereafter "NIS Directive").The general aim of the NIS Directive is to enhance the global level of cybersecurity in the EU by setting common cyber-security standards amongst Member States and service providers and increase the EU-level cooperation. In order to ensure an effective prevention of cybersecurity incidents and the sharing of information on cyber risks, each Member State will have to designate one or more competent authorities to monitor the application of the NIS Directive and set up a Computer Security Incident Response Team (CSIRT) Network (in this respect, Belgium already created in 2009 the Federal Cyber Emergency team). These should help preventing attacks on interconnected EU infrastructures.
In addition, the NIS Directive sets minimum standards for cybersecurity on critical infrastructure operators. The NIS Directive lays down cybersecurity and reporting requirements for "operators of essential services" which includes those operators within, notably, the energy, transport, health, banking or digital infrastructure sectors to ensure that their IT systems are protected from cyber threats.
What are the obligations set by the NIS Directive?
According to the NIS Directive, operators defined by their Member States as organizations providing "essential services" will have to:
1. Take technical and organizational security measures in order to manage the risk posed to the security of the network and information system which they use as part of their operations;
2. Take appropriate measures to prevent and minimize the impact of incidents affecting the security of the network and information system;
3. Notify substantial incidents to the relevant authority (a similar obligation is to be found in the GDPR).
Unlike the GDPR, the NIS Directive does not provide for any mandatory adoption or penalties in case of failure to comply.
Member States will have until 9 May 2018 to implement the NIS Directive into national laws and a further six months to identify "operators of essential services" based on the following criteria :
- The operator provides a service which is essential for the maintenance of critical societal/economic activities;
- The provision of that service depends on network and information systems; and
- A security incident would have significant disruptive effects on the provision of the essential service.
Within the coming two years, most companies should therefore in principle be better protected against hacking.