June 2016 - Businesses across Central and Eastern Europe will have to deploy “state of the art” technology and processes in order to fend off cyber-attacks and be able to immediately report non-accidental unauthorised access to, or leakage of, personal data. This is mandated by a new European Union Directive on network and information security, which the European Parliament voted to adopt on 16 June. Under the directive, these new rules must be incorporated into national legislations of the Member States, including in CEE, within the next two years. Companies should start planning and preparing now, as meeting these new standards may require significant investments in technology and compliance, or even a complete overhaul of the ways an organisation stores and access proprietary or client data.

Which businesses will have to introduce the mandatory cyber security measures?

Nowadays, no business should ignore cyber security concerns and the need to protect information technology networks and systems. Under the new EU directive, EU-based operators of essential services and digital services providers are now specifically required to increase their levels of protection. Businesses operating in the following sectors are among those subject to the new regulations:

  • Energy: electricity distributors, suppliers and transmission system operators;
  • Oil: operators of oil transmission pipelines, of oil production, refining and treatment facilities, storage and transmission;
  • Gas: gas distributors, suppliers and transmission system operators, storage system operators, LNG system operators, operators of natural gas refining and treatment facilities, among others;
  • Transport: air, rail, water and road companies, including operators of intelligent transport systems;
  • Banking: credit institutions;
  • Financial market infrastructures: stock exchanges and central counterparty clearing houses;
  • Health: healthcare providers (most notably hospitals and private clinics);
  • Water: drinking water supply and distribution companies;
  • Digital infrastructure: e-commerce platforms, Internet payment gateways, social networks, search engines, cloud computing services, application stores, domain name system providers, Internet exchange point operators.

Each EU Member State will determine individually which entities are considered to provide essential services and, therefore, subject to the new cyber security regulations on its territory. The main criteria for this are whether or not (i) the entity provides a service that is essential for the maintenance of critical societal and/or economic activities, (ii) depends on network and information systems, or (iii) an incident involving the entity would have significant disruptive effects on the provision of such services. Only EU-based businesses will be subject to the new cyber security regulations. If an entity provides services in two or more Member States that may be deemed as essential, the respective authorities will consult each other prior to determining if the entity may be subject to the new rules.

The new cyber security requirements do not apply to telecommunication businesses and providers of electronic identification and trust services, as EU sector regulations introduce specific cyber security requirements for these activities. As well, current banking and financial institution legislation in the EU contains detailed rules concerning the security, integrity and overall resilience of network and information systems, and these rules continue to apply and take precedence over the new general cyber security requirements, as the case may be.

What cyber security requirements will businesses have to meet?

Operators of essential services and digital services providers will essentially have to:

  • Take suitable measures to counter and reign in the cyber security risks that their networks and system face in the course of their business. That means not only deploying the necessary technology to achieve this, but also to introduce appropriate internal processes and ensure compliance by employees.
  • Prevent and mitigate cyber security incidents and make sure that the essential service concerned is still available despite the incident.
  • Notify without undue delay the national cyber security authorities in case of cyber incidents that have a significant impact on an essential or digital service provided (e.g., could actually or potentially lead to discontinuation of the service, affects a large number of users, or may result in personal data leaks). The national cyber security authority may require operators of essential services to undergo a security audit and to take specific measures to rectify the identified deficiencies.

What level of cyber security are businesses required to meet?

The cyber security measures required under the new EU rules must address the risks that the current state of technology poses. As technology is constantly developing, there is no one-off or one-time solution. Businesses will have to regularly monitor levels of cyber threats and adjust their levels of protection on a recurring and routine basis.

Each Member State will determine the security standards applicable on its territory. National standards may be based on the security standards prescribed by the EU cyber security governing body, ENISA. Operators of essential services and digital service providers may still implement more robust security measures if they find it necessary. Member States may still decide to allow or require technical solutions and processes (e.g. “back doors” to encryption) that allow law enforcement agencies to monitor, detect and investigate instances of cybercrime or related criminal offences.

What do these rules mean for businesses in Central and Eastern Europe?

Cyber security incidents in Central and Eastern Europe rise by approximately 20% on average annually. Operators of essential infrastructure and digital service providers are reportedly among the most targeted businesses. National governments have already recognised these realities and drawn action plans in the national cyber security strategies adopted over the last five years. The mandatory cyber security standards that the new EU rules prescribe can be expected to follow within the next two years.

For operators of critical infrastructure and digital services providers operating in CEE markets, the implementation of these new rules will necessitate a comprehensive review and assessment of the state of their networks and information systems, their IT needs, and best ways to meet them. The new requirement for “state-of-the-art” protection will likely require increased spending on software updates. In order to be able to notify authorities of data breaches swiftly, businesses must have tools to monitory security, establish non-accidental breaches quickly and identify the data and individuals affected promptly.