OCA October 2014: Regulatory radar

United Kingdom

This article was produced by Olswang LLP, which joined with CMS on 1 May 2017.


There is no doubt that cyber security is rising up the international agenda, with the recent adoption by NATO of an amendment to its charter to put cyber attacks on the same footing as armed attacks. This recognises that a cyber attack's "impact could be as harmful to modern societies as a conventional attack" (as stated in NATO's Declaration, at paragraph 72). In its declaration, the alliance also said that it will further develop national cyber defence capabilities, including endorsing better information sharing, to make the organisation better protected.

EU: progress on draft NISD and GDPR

The summer has seen much institutional change in the EU, first with the European Parliament elections in May, the start of Italy's Council Presidency in July and now with the reorganisation of the European Commission and appointment of a new Commission President and Commissioners with effect from 1 November.  As reported in our first edition, there are two proposals making their way through the Brussels legislature which will change the legal landscape for the reporting of cyber attacks. These are the draft Network and Information Security Directive, which will impose reporting obligations on providers of critical infrastructure, and the draft General Data Protection Regulation which will impose data breach reporting requirements on all data controllers. The summer has seen little procedural progress, although trilogue negotiations on the NISD have now begun, and on the GDPR the Council (representing the Member States) has, according to this Council press release, just reached a broad consensus on the security and breach provisions in Chapter IV of the GDPR - although the Council has not yet agreed its position on the whole proposal.  We summarise the current state of play on both proposals here.


Meanwhile, certain Member States are pre-empting the adoption of the NISD with their own cyber breach legislation. We take an in-depth look at France's Military Programming Act. A first-of-its-kind regulatory action against Orange by the French data protection regulator, the CNIL, over a data security breach in its supply chain, is reported here.


Germany has also proposed its own regime - we look at the latest proposals for an IT Security Act here.


The UK's proposals for tougher sentences for serious cyber attacks under the Computer Misuse Act 1990 are reported here.

US: We report on proposals for the controversial Cybersecurity Information Sharing Act here.