EU employers and unions should prepare now for new cybersecurity directive
Image: EU cybersecurity
John van der Luit-Drummond, Editor

Members of the European Parliament have voted for a new draft cybersecurity law, predicted to have a huge impact on employers, that will set tighter risk-management and reporting obligations at large European-based companies. However, amid Europe’s more worker-friendly environment, unions and works councils are set to play a big role in the implementation of the new cyber protections.

A study from the European Parliamentary Research Service found that cyberattacks – one of the fastest-growing forms of crime worldwide – are growing in scale, cost, and sophistication. The latest forecast shows that global ransomware damage costs could reach €17bn in 2021, 57 times the costs in 2015.

Research also suggests companies suffer a ransomware attack every 11 seconds in 2021, up from every 40 seconds in 2016. As a result, the EU is demanding businesses invest greater sums in their cyberspace defences.

“Cybercrime doubled in 2019, ransomware tripled in 2020, and yet our companies and institutions are spending 41% less on cybersecurity than in the US,” said Dutch MEP Bart Groothuis, a member of the Renew Europe Group.

“We must strengthen the EU’s cybersecurity and create the tools to handle cyber incidents together when they occur. We cannot stop all cybercrime from occurring, but we can protect ourselves better than before and better than others. This new legislation makes the EU a safe place to work and do business.”

Europe’s original cybersecurity law – the Directive on Security of Network and Information Systems (NIS) – was introduced in 2017. However, EU countries implemented the law in different ways, thereby fragmenting the single market.

MEPs argue that this lack of harmonisation has led to insufficient levels of cybersecurity across the bloc and that, given the current high level of cybersecurity threats, updated legislation is now critical.

Compared to the existing NIS legislation, the draft directive – the so-called NIS2 – would oblige more companies to invest in online safety measures. The requirements include incident response, supply chain security, encryption, and vulnerability disclosure, among other provisions.

Medium-sized and large companies with a €10m turnover and at least 50 employees in “essential sectors”, such as the energy, transport, banking, health, digital infrastructure, public administration, and space sectors, would be covered by the new security provisions.

In addition, the new rules would protect organisations in so-called important sectors, such as postal services, waste management, chemicals, food, manufacturing of medical devices, electronics, machinery, motor vehicles, and digital providers. Member states would also be able to identify smaller organisations with a high security-risk profile.

According to the legislative text adopted last Thursday by the European Parliament’s industry, research and energy committee, EU countries will have to meet stricter supervisory and enforcement measures, and harmonise their sanctions regimes.

Under the draft proposals, companies that fail to comply with their obligations could face fines of up to 2% of their revenue – the same percentage ransomware attacks usually ask for – while cybersecurity would become the responsibility of the highest managerial levels, with senior executives facing regulatory action for non-compliance.

Training and unions

In preparation for the directive’s “huge impact”, Dr Rajko Herrmann, a partner at vangard | Littler in Berlin, says employers need to create awareness of cybersecurity among their employees and establish risk management for it. However, he warns that this must be done in partnership with the relevant unions or works councils.

“Job profile and job requirements for employees in the relevant sectors will have to be adapted and policies need to be updated and appropriate business processes implemented or existing processes adapted,” he says. “This may trigger certain obligations vis-à-vis collective/employee representative bodies.”

Herrmann also advises employers to begin developing suitable cybersecurity training for workers and to update existing IT systems, with union agreement.

“The update of existing IT-systems and processes to improve cybersecurity will require amendments to existing collective agreements in respect [of] those IT systems as well, especially in countries with works councils/union representation,” Herrmann adds.

Establishing reporting obligations is also of high importance, says Herrmann: “One of the major parts of the upcoming directive is to establish proper and suitable internal and external reporting obligations in respect of relevant cybersecurity incidents. This may also trigger and entail obligations vis-à-vis the employees and employee representatives.”

Remote working

Despite MEPs’ intentions, the need to protect corporate assets may still be hindered by national regulations designed to protect the privacy of employees, as well as ever-evolving provisions governing remote working, explains Emanuela Nespoli, a partner at Toffoletto De Luca Tamajo in Milan.

“From an employment law point of view, it is important to keep in mind that cybersecurity concerns compliance with regulations protecting employee privacy, in addition to provisions that regulate employee remote monitoring,” she says.

Nespoli points to article 4 of the Italian Workers’ Statute of Rights, which states that the use of online tools designed to monitor employees remotely is only permitted if there is a collective agreement signed with the works councils or unions.

She continues: “When implementing an IT security system, employers must not only think about the adoption of effective systems and software but – in order to use the information collected [to adopt] disciplinary sanctions – they must comply with Italian law and have effective policies in place allowing the collection and processing of data. Otherwise, even the most sophisticated software against cyberattacks risks being useless.”

MEPs must now negotiate their proposals with the 27 member states, represented by the European Council, to agree the scope of the final directive.