As reported in our first edition, there are two proposals making their way through the Brussels legislature which will change the legal landscape for the reporting of cyber attacks. These are the draft Network and Information Security Directive (NISD), which will impose reporting obligations on providers of critical infrastructure, and the draft General Data Protection Regulation (GDPR), which will impose data breach reporting requirements on all data controllers. The summer has seen much institutional change in the EU: first the European Parliament elections in May, then the start of Italy’s Council Presidency in July, and now the reorganisation of the European Commission and the appointment of a new Commission President and Commissioners with effect from 1 November. There has been little procedural progress over the same period, although trilogue negotiations on the NISD have now begun, and on the GDPR the Council (representing the Member States) has, according to this Council press release, just reached a broad consensus on the security and breach provisions in Chapter IV of the draft Regulation (although the Council has not yet agreed its position on the whole proposal). We will continue to monitor progress in our Cyber Alert.
We summarise the state of play – as at 22 October 2014 – on both proposals in a table available here.