Cyber Security: Law and Guidance

What is cyber security?

Cyber security is concerned with both the security of cyber space and the security of entities that use or rely on cyber space. For these purposes, cyber space includes:

• The internet and the world-wide web.
• The facilities and apparatus that underpin and connect the internet and the world-wide web (for example, telecommunications, internet access and internet service provision).
• The facilities and apparatus that support the provision of content available through the internet and the world-wide web.
• The facilities and apparatus that support data processing and data storage accessible through the internet and the world-wide web (for example, cloud computing services and the supporting infrastructure, such as data centres).
• Cyber space also includes physical places as well as purely virtual ones.

Entities that use cyber space need to be cyber secure. However, the regulatory reform process for cyber security in the EU, the US and elsewhere has been very selective about the categories of entities that should carry a statutory duty to be cyber secure.

Legislation and Regulation

In February 2013, the European Commission published a proposal for a Directive on Network and Information Security, colloquially known as the NIS Directive or the Cyber Security Directive. The purpose of the Directive is to ensure a high common level of network and information security (NIS) within the EU. In March 2014, the European Parliament voted to adopt an amended version of the Directive. To become law the Directive has to be adopted by the Council of Ministers, which is yet to happen. After it is adopted, the EU member states will have to introduce their own national legislation, to transpose the Directive's requirements into their domestic law.

In addition to the NIS Directive, the EU has embarked on a variety of law reform initiatives that concern similar subject matter such as:

• Draft General Data Protection Regulation (GDPR)
• Draft Payment Services 2 Directive (PSD2)
• Better Regulation Directive 2009

Policy and legal developments abroad support the point that the trajectory of the law is broadly the same the world over. The critical point of difference between jurisdictions concerns the introduction of ex ante regulatory frameworks to establish an enforceable duty of care for cyber security. The EU wishes to adopt an ex ante regime, unlike the United States (US), which prefers to use "soft law" mechanisms to achieve its ambitions for cyber security. However, the approach of the UK government is more consistent with the US approach than the EU approach. Where the US and EU is most aligned is on a duty of "breach disclosure", whereby the providers of critical infrastructures and services are required to notify regulatory bodies of serious cyber security incidents.

Cyber Security: Law and Guidance provides an overview of the key legal developments for cyber security in England and Wales, focusing on the proposed NIS Directive and related legal instruments, including those for data protection and payment services. It also provides insights into how the law is developed outside of regulatory frameworks, by reference to the "consensus of professional opinion" on cyber security, case law and the role of professional and industry standards for security.

Suggestions are made on how to build a "defensive shield" to protect an organisation from regulatory actions and litigation. With cyber security law destined to become heavily contentious legal privilege will be an advantage.

Organisations require expert assistance to operationalise these matters and Cyber Security: Law and Guidance provides this assistance.