On December 7, 2015, the European Parliament and the Council issued a directive "concerning measures to ensure a high common level of network and information security across the Union." This is an informal agreement on the structure and goals of draft legislation on cybersecurity in the private sector.
Legislation regulating the approach to cybersecurity taken by essential services operators and digital service providers will be developed and put forward by the member states. Essential services include the energy, transport, finance and health sectors or other sectors member states deem essential. Companies operating in these sectors will be required to put in place minimum standards for cybersecurity and report significant cybersecurity incidents.
The minimum standards that digital service providers, such as search engines, cloud services and e-commerce platforms such as PayPal and Amazon will be less onerous. We note that the exact nature of the obligations to be imposed has yet to be decided.
The driving force behind this directive is the recognition that in an interconnected economy, private companies provide a number of essential services that are vulnerable to a cyberattack which could cause widespread economic disruption.
If passed, each member state will be required to establish a government authority that is responsible for Network and Information Security. These government authorities will share information with each other and work closely with the Computer Emergency Response Team established in 2012 to coordinate the prevention, detection, and mitigation of cyber-attacks.
The directive's other goal is to encourage the private sector to increase its commitment to cyber security and develop cyber resilience: the ability to better absorb, manage and prevent cyberattacks. As such, the directive will require mandatory reporting of significant cybersecurity incidents.
The requirements and obligations that will be imposed are as of yet unknown. This directive, however, is likely a harbinger of future legislative developments in Canada and worldwide. Legislators in Canada are strengthening or imposing mandatory reporting of privacy breaches. As part of this review of privacy laws, governments will likely consider whether the private sector is adequately protecting itself or whether legislation is required to reduce the impact of cyberattacks on the economy and society.