New obligations to report cyber attacks: will they apply to your business?
This article was produced by Olswang LLP, which joined with CMS on 1 May 2017.
In a month that has seen Facebook, Apple and other household names report hacks to their systems, the EU has proposed new measures on cyber attack reporting. If adopted, the Network and Information Security (NIS) Directive would apply to ecommerce platforms, social networks and key infrastructure providers (widely defined). It would oblige them to have formally documented security policies, undergo security audits and report cyber attacks to national authorities. Exactly who will be subject to the new obligations, and how far will these differ from data breach reporting obligations already in the pipeline? Olswang takes a practical look at the proposals.
Will your business be subject to the new rules?
The new Directive, which forms part of the EU's Cyber Strategy, aims to preserve the integrity and continuity of services which play a key role in the economy and society. A wide range of services are potentially caught, including not only utilities but also online platforms which increasingly provide the life blood of other businesses.
The proposed new security and incident notification requirements would apply to public administrations and "market operators". Market operators are split into two categories:
a) "Providers of information society services which enable the provision of other information society services". These include: "e-commerce platforms; Internet payment gateways; social networks; search engines; cloud computing services; application stores". That list is described as non-exhaustive.
b) "Operators of critical infrastructure that are essential for the maintenance of vital economic and societal activities in the fields of energy, transport, banking, stock exchanges and health". These are detailed more fully (and again, non-exhaustively) in Annex II to the Directive.
The key requirements would apply to "all market operators providing services within the European Union" but micro enterprises would be exempt. The recitals to the Directive stress the need for the obligations to be proportionate to the risk presented by the network or system concerned.
Communications networks which are already subject to specific security and data breach notification requirements under the Privacy and Electronic Communications Directive would not be subject to the new security and notification requirements under NIS.
Why the new Directive?
The scale and seriousness of cyber crime is reflected in recent comments by House Intelligence Committee Chair Mike Rogers (reported by the Wall Street Journal, another recent high-profile hack victim) that the US is "losing the war" against state-sponsored attacks from China. Resilience against costly and devastating cyber attacks is a high priority for Europe too. Its Cyber Strategy was officially unveiled on 7 February by Vice President Neelie Kroes. The proposals are contained in two documents: a Joint Communication from the Commission and the High Representative of the EU for Foreign Affairs and Security Policy, and the draft NIS Directive or, to give it its full title, a directive "concerning measures to ensure a high common level of network and information security across the Union".
The Commission's strategy is fivefold: building cyber resilience; reducing cyber crime; developing cyber defence policy and capabilities; developing cyber security resources; and establishing a coherent EU cyberspace policy. The NIS Directive forms a core part of this strategy by:
- requiring Member States to adopt a NIS strategy and designate a national authority to deal with information security risks and incidents;
- creating a cooperation mechanism between Member States for sharing information and dealing with attacks; and
- obliging public administrations and a wide range of private sector providers of critical infrastructure to adopt risk management practices, be subject to security audits and to report major security incidents affecting their services.
The NIS Directive states that existing capabilities are not sufficient to ensure a high level of NIS within the Union, so minimum requirements need to be harmonised.
How does the NIS Directive relate to data breach notification proposals?
Although there is some overlap with current and proposed data protection rules on notification of security breaches, the proposed NIS Directive is broader in scope since it relates to the integrity and business continuity of networks and services more generally, regardless of whether personal data is compromised (although in practice the two go hand in hand). As well as personal data, intellectual property is often the target of cyber attacks - hence the need for wider legislation. Where hacks do put personal data at risk, the NIS Directive envisages that cybercrime authorities would work closely with data protection authorities. The two regimes are complementary, and businesses subject to new obligations under NIS would continue to be subject to data protection rules.
See our table for an at-a-glance comparison of the two regimes.
The new security and incident notification requirements at a glance
In terms of substantive new obligations and risks for affected businesses, Member States would be required to introduce the following obligations on public administrations and market operators.
- Obligation to take "appropriate technical and organisational measures to manage the risks posed to the security of the networks and information systems which they control and use in their operations." This obligation is elaborated on as follows: "Having regard to the state of the art, these measures shall guarantee a level of security appropriate to the risk presented. In particular…to prevent and minimise the impact of incidents …and ensure the continuity of the services" - Article 14(1).
- Obligation to notify the competent authority of "incidents having a significant impact on the security" of the core services they provide - Article 14(2).
- Compliance with "binding instructions" from the competent authority - Article 15(5).
- Use of technical standards and specifications is to be promoted by Member States, to promote consistency - Article 16.
- Obligation to provide information (to the competent authorities) needed to assess the security of their networks and information systems, including documented information security policies - Article 15(2)(a).
- Obligation to undergo security audits by the national authority or an independent body, with the results made available to the competent authority - Article 15(2)(b).
The new rules would also entail:
- Disclosure of reported incidents by the competent authority (or by the market operator at the authority's request) to the public, if in the public interest - Article 14(4).
- Sharing by the competent authority on an annual basis of notifications with the network of NIS authorities - Article 14.
- Notification by the competent authorities to law enforcement authorities of incidents suspected to be of a serious criminal nature - Article 15(4).
Some of the detail - for example technical standards and guidance on the circumstances when attacks would need to be reported - is to be left to "delegated acts" by the Commission.
When are the new rules likely to come into force?
In its Communication, the Commission pledges to "ensure swift transposition and implementation of the cybercrime related directives" - however a precise timeline is difficult to predict at this stage. The draft Directive is yet to start its formal legislative process, something which can typically take two years. Member States would have 18 months from formal adoption to then bring domestic legislation into force. The European Parliament's procedure file for the Directive is available here.
In the meantime, the UK Government adopted its own cyber strategy in 2011. The latest implementation measures were announced on 20 February in this press release and include establishing a UK Computer Emergency Response Team, a national cyber crime unit and extending the coordinating role of the Centre for the Protection of National Infrastructure (CPNI).
Olswang comment
The need for systems to be resilient against cyber attack is uncontroversial - and voluntary reporting of serious hacks is becoming an accepted part of damage limitation and reputation management. The devil of the new regime will be in the detail - for example with regard to national guidance to define the circumstances in which incidents need to be reported, and the nature of the "binding instructions" which national cyber crime authorities will have the power to issue. Technical standards and benchmarks will undoubtedly have a key role to play in helping define whether a business has done enough to comply. It is unclear how far current technical benchmarks like ISO 27001 will apply, or whether further standards will need to be developed. Given the constantly evolving nature of cyber threats, this is an area unlikely to stand still for long. New legal requirements or not - the need for private and public sector organisations to shore up their defences against cyber attacks is a top priority.
Ross McKean is Head of Data Protection and Privacy and Claire Walker is Head of Commercial Know How at Olswang LLP.