paul@paulfoleylaw.ie
22 Northumberland Road, Dublin D04 ED73, Ireland, EU
INTRO
INSIGHTS

The new EU Cyber Security Regime

By
Paul Foley
The new EU Cyber Security Regime relates to the security of network and information systems, as they play an essential role in facilitating the cross-border movement of goods, services and people.

The Regime comprises, Directive (EU) 2016/1148, (known as the Network and Information Security Directive or Cyber Security Directive) implemented in Ireland by SI No 360 of 2018, the Commission Implementing Regulation (EU) 2018/151  (which lays down further elements to be taken into account by digital service providers for managing the risks posed to the security of network and information systems and of the parameters for determining whether an incident has a substantial impact) and the Cyber Security Act 2019.

The Cyber Security Directive

  • (a) lays down obligations for all Member States to adopt a national strategy on the security of network and information systems;

  • (b) creates a Cooperation Group in order to support and facilitate strategic cooperation and the exchange of information among Member States and to develop trust and confidence amongst them;

  • (c) creates a computer security incident response teams network (‘CSIRTs network’) in order to contribute to the development of trust and confidence between Member States and to promote swift and effective operational cooperation;

  • (d) establishes security and notification requirements for operators of essential services (see Schedule 1 to SI 360 of 2018 ) and for digital service providers (online marketplaces, online search engines and cloud computing services) (although the regulations exclude microenterprises or small enterprises, from the definition of relevant digital service provider). The obligations for operators of essential services are primarly set out in Part 4 and in Part 5 for digital service providers (of SI 360 of 2018). In the case of digital service providers additionally the obligations in the Commission Implementing Regulation apply;  

  • (e) lays down obligations for Member States to designate national competent authorities, single points of contact and CSIRTs with tasks related to the security of network and information systems. In Ireland, the computer security incident response team being a unit of the Department of Communications, Climate Action and Environment is the Irish “CSIRT”;

The Cyber Security Act 2019 (Regulation (EU) 2019/881 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification)(Act)

  • (a) strengthens the role and powers of ENISA (the European Union Agency for Cyber Security) (See Title II to the Act) and in particular Article 8 on Market, cybersecurity certification and standardisation); and 

  • (b) establishes an EU cybersecurity certification framework (see Title III Articles 46 to 65) which will allow the emergence of certification schemes for specific categories of ICT products, processes and services. See in particular Article 52 which provides that “a European cybersecurity certification scheme may specify one or more of the following assurance levels for ICT products, ICT services and ICT processes: ‘basic’, ‘substantial’ or ‘high’.”
map-markerenvelopetagarrow-left linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram