Thursday, June 15, 2017
This issue of the Lexing newsletter focuses on a major strategic issue for businesses: cybersecurity. Cybersecurity is a key element of success and sustainability. Amid the cyberattacks that recently hit computers around the world (such as the WannaCry ransomware) and as everybody is preparing for the General Data Protection Regulation (“GDPR”) that will in particular strengthen the obligations of businesses regarding data security, there is a growing need to take measures for protection, both technically and legally. The Lexing network provides an overview of cybersecurity laws around the globe.
Cybercrime today: Cybercrime can be broadly defined as criminal acts committed online with use of electronic communications networks and information systems, including (a) crimes specific to the Internet (e.g. phishing), (b) online fraud and forgery (e.g. identity theft), and (c) illegal online content (e.g. child sexual abuse material). According to the 2016 Internet Organised Crime Threat Assessment (IOCTA), a yearly report on developments and emerging threats in cybercrime produced by Europol’s European Cybercrime Centre (EC3), cyber-attacks are increasing in terms of intensity, volume and quality (1): Cryptoware (encryption ransomware) has become the most prominent malware threat, the volume of child sexual exploitation material exchanged on the Darknet continues to increase, DDoS attacks continue to grow in intensity and complexity, and generally the findings demonstrate that criminals quickly adapt to and abuse emerging technologies.
Cybersecurity, a strategic EU priority: The European Agenda on Security (2) lists cybercrime, along with terrorism and organised crime, as a top priority for the current mandate of the European Commission in the field of security. The Digital Single Market strategy is also part of the framework for the EU initiatives on cybersecurity and cybercrime, its key objectives being to increase cybersecurity capabilities and cooperation between Member States, to foster the European cybersecurity industry and to embed cybersecurity in future EU policy initiatives from the start, in particular with regard to new technologies and emerging sectors such as connected cars, smart grids and the Internet of Things (IoT) (3). The EU initiatives and activities on network and information security are supported by the European Network and Information Security Agency (ENISA), the EU's agency for cybersecurity, as well as by the Computer Emergency Response Team for the EU institutions (CERT-EU), a team made up of IT security experts from the main EU institutions.
The NIS Directive: The Directive (EU) 2016/1148 on security of network and information systems (NIS Directive), adopted by the European Parliament on 6 July 2016 (4), is the first piece of EU-wide legislation on cybersecurity. The NIS Directive applies to operators of essential services (e.g. in the energy, transport, banking, health sectors) and to digital service providers (including online marketplaces, cloud computing services and search engines). Its objective is to achieve a high common level of security of network and information systems within the EU, introducing an obligation to adopt national strategies on the security of network and information systems, facilitating strategic cooperation and the exchange of information among Member States, and imposing risk management and incident reporting obligations for operators of essential services and digital service providers. Member States, including Greece, must transpose the NIS Directive into national law by May 2018.
This issue, to which Germany, Belgium, France, Portugal, Russia and Costa Rica have also contributed, is available here