Best practice

Increased protection

Do the authorities recommend additional cybersecurity protections beyond what is mandated by law?

Within the European Union, such recommendations are largely rooted in national law and based on national considerations. Therefore, the stance on the protections recommended varies depending on the member state one is situated in. However, the European Union Agency for Cybersecurity (ENISA) has analysed national recommendations for small and medium-sized enterprises and collated general recommendations in its Review of Cyber Hygiene practices. These include:

  • having records of all hardware and software;
  • utilising secure configuration for all devices;
  • managing data flows in and out of the network;
  • scanning all incoming emails;
  • minimising administrative controls;
  • regularly backing up data and testing that it can be restored;
  • establishing an incident response plan;
  • enforcing similar levels of security across the supply chain; and
  • ensuring suitable security controls in any service agreements.

Further, the NIS Directive established a network of computer security incident response teams across Europe. Companies and individuals can use the network to receive detailed local advice on best practice and how to best respond to cyberattacks.

How does the government incentivise organisations to improve their cybersecurity?

In this area, the European Union has left the process largely up to member states. Within the European Union, tax breaks and VAT exemptions to incentivise the improvement of cybersecurity (as outlined in ENISA’s National Cyber Security Strategy Good Practice Guide 2016) are only used by three member states and generally have been linked with a low level of cybersecurity. The mechanisms used by the majority of states are public–private partnerships (PPPs). PPPs involve private companies in the legislation and implementation process of cybersecurity laws, incentivising the improvement of cybersecurity on an industry level and generating greater awareness of the threats. ENISA has found that approaching private actors at an early stage of the implementation of any cybersecurity law leads to a stronger commitment to the results, as the companies can voice concerns in advance and can be directly involved in the solutions.

Identify and outline the main industry standards and codes of practice promoting cybersecurity. Where can these be accessed?

Within the European Union, industry standards and codes of practice exist mostly on a decentralised level, created by private actors. Among these is ISO 27001, a specification for information security management systems. It sets out conditions on the general organisation of processes relevant to cybersecurity regardless of the business area or industry. While the European Union does not provide codes of practice per se, it does offer a certification process on a centralised level. Under the Cybersecurity Act, companies involved in information and communications technology (ICT) can have their products certified to prove their security. Manufacturers of ICT products, providers of ICT services or processes, and regulatory authorities wishing to ensure the security of ICT products within their regulations can all request certification. The goal of certification is to showcase the level of protection afforded by their products. With this initiative, the European Union hopes to improve the internal market conditions for ICT products in general.

Are there generally recommended best practices and procedures for responding to breaches?

Under EU law there are robust notification obligations in place for certain security breaches. All companies must report any breach of personal data to the relevant data protection supervisory authority unless it is unlikely to result in a risk to the rights and freedoms of the affected individuals (article 33(1), General Data Protection Regulation (GDPR)). A company must additionally inform the individuals affected if the data breach is likely to pose a high risk of adversely affecting their rights and freedoms (article 34(1), GDPR). The NIS Directive and its transposition into national law impose further notification obligations on operators of essential services and digital service providers (articles 14(3) and 16(3), NIS Directive), which must report an incident to the relevant supervisory authorities if it has a substantial impact on the provision of a service. These provisions apply irrespective of whether personal data is affected by the breach.

However, notification alone is not an adequate measure when responding to a breach. Companies, particularly when dealing with hacking attacks, should also consider taking the following actions:

  • determine leadership for the incident and involve the data protection officer, if appointed;
  • involve IT-forensic professionals to investigate the attack and identify the targeted software and hardware, describe how systems were accessed, determine the categories of data affected and document the analysis;
  • check whether personal data was affected by the attack and the level of risk to be expected for those whose data was breached;
  • identify possible measures to alleviate the issue;
  • contact the data protection supervisory authorities within 72 hours of awareness of the breach, if necessary;
  • make data subjects aware of the breach if there is a high risk their freedoms and rights will be impacted;
  • let others who may have been affected know of the breach on a voluntary basis (eg, contract partners and banks to ensure money flows are not redirected), if necessary;
  • consider any cross-border implications and duties arising in other jurisdictions or on a national level;
  • contact the insurance provider if the plan covers cyberattacks; and
  • create a framework for dealing with similar issues in the future and implement systems to recognise them at earlier stages.

Information sharing

Describe practices and procedures for voluntary sharing of information about cyberthreats in your jurisdiction. Are there any legal or policy incentives?

Information about cyberthreats is primarily collated through mandatory reporting under EU law and member states’ laws as well as the predictions of experts, which is why there are limited legal or policy incentives for voluntary sharing of information. ENISA creates frequent reports on the threats in the cyber landscape using this information. Nevertheless, there are various platforms at EU level to facilitate further voluntary information sharing within certain sectors or on specialised topics. In the finance and banking sector, for example, the European Financial Institutes – Information Sharing and Analysis Centre was founded to exchange information on cyber incidents. Another good example is the European Advanced Cyber Defence Centre. Its goal is to foster extensive sharing of information about cyberthreats across member states to improve detection.

How do the government and private sector cooperate to develop cybersecurity standards and procedures?

The main way to ensure cooperation between the government and the private sector is through PPPs, as they provide a basis for cooperation and ensure open communication, particularly when drafting and implementing legislation. For the private sector, this form of cooperation gives companies the opportunity to influence national legislation as well as to help achieve resilience in the cyber ecosystem of the relevant country. The government also benefits as the private sector is more likely to implement more robust cybersecurity measures and have a stronger commitment to the rules. Within the European Union, more than 15 member states have PPPs set up. They are particularly prevalent in the larger countries.

Insurance

Is insurance for cybersecurity breaches available in your jurisdiction and is such insurance common?

Insurance for cybersecurity is available across the European Union. Core coverage for this type of insurance includes data breaches and leakages, business interruption and cyber extortion. It also generally covers third-party risks such as privacy liability and electronic media liability. The market for cyber-insurance in the European Union has grown significantly in recent years, with a majority of businesses purchasing cyber liability insurance. Increasingly, it is becoming the standard.

Law Stated Date

Correct On

Give the date on which the information above is accurate.

13 January 2021