
Increasing global cybersecurity regulation of private companies on the near horizon

Within the past year, a number of countries around the world, including the United States, the United Kingdom, France, and the Netherlands, have initiated regulatory inquiries and developed new strategies for the purpose of more stringently regulating private companies’ processing and securing of data assets, in particular when using cloud services.

The European Union has also recently adopted new legislation regulating digital markets, services and products, as well as the cybersecurity of essential services and the financial and insurance sectors, with more legislative proposals in the pipeline. Given that most companies have data assets that are global in nature, developing a unified security policy will become increasingly nuanced and complex. Regulatory requirements in different countries are inconsistent and require a coordinated approach across international jurisdictions.

United States

On March 1, 2023, U.S. President Biden announced a new National Cybersecurity Strategy designed to develop and enforce rules of conduct in cyberspace. While not binding law, the National Cybersecurity Strategy sheds light on the administration’s policy concerns and areas of focus for near-future regulation of private companies, including:

  • Requiring large corporate entities (as opposed to individuals, small companies, state and local governments and infrastructure operators) to be responsible for securing systems and data by, among other things, having adequate cybersecurity protections in place and not fully disclaiming liability in their contracts with customers.
  • Requiring private companies to adhere to industry-specific security requirements that leverage existing cybersecurity frameworks such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework and the Cybersecurity and Infrastructure Security Agency (CISA)’s Cybersecurity Performance Goals.
  • Requiring software companies in particular to adhere to the NIST Secure Software Development Framework (SSDF).
  • Establishing new legislation that limits private companies’ ability to collect, use, transfer and maintain personal data, provides strong protections for sensitive data, and penalizes companies that introduce vulnerable products and/or services (specifically including software) into the digital ecosystem.
  • More closely coordinating with government entities in relation to malicious cyber activity.
  • Introducing additional contractual security requirements for private companies that contract with the U.S. federal government, and requiring such companies to adhere to the zero-trust security model in place of the current perimeter-based approach.

Notwithstanding the foregoing, the National Cybersecurity Strategy advocates creating a safe harbor for companies that adhere to best practices for secure software development (such as the NIST Secure Software Development Framework).

Following the issuance of the National Cybersecurity Strategy, on March 22, 2023, the U.S. Federal Trade Commission (FTC) issued a Request for Information (RFI) on the business practices of cloud computing providers. The FTC is seeking to gather information from users of cloud services to inform its understanding of this industry, its market power, business practices impacting competition, and potential security risks. The FTC is focused on three issues in particular:

  • Single Points of Failure — outages at cloud providers have the potential for widespread impact because cloud computing services are used so widely across multiple industries.
  • Security in Cloud Computing — the allocation of responsibility for securing data between customers and cloud service providers. The FTC is concerned that consumers and small businesses, who are least aware of security risks and least capable of protecting themselves, are disproportionately responsible for securing their data.
  • Market Practices and Competition in Cloud Computing — the FTC is concerned about the number of service providers and their market power in setting contract terms that are less favorable to customers (including pricing terms, terms regarding liability for security failures, and terms on transitioning data to other providers upon termination of an agreement).

The FTC RFI mirrors similar regulatory inquiries recently initiated in the United Kingdom, France, and The Netherlands on the same topic.

United Kingdom

In 2022 the UK Government published its National Cyber Strategy. This contains the following pillars:

  • Pillar 1: Strengthening the UK cyber ecosystem, investing in people and skills and deepening the partnership between government, academia and industry.
  • Pillar 2: Building a resilient and prosperous digital UK, reducing cyber risks so businesses can maximise the economic benefits of digital technology and citizens are more secure online and confident that their data is protected.
  • Pillar 3: Taking the lead in the technologies vital to cyber power, building industrial capability and developing frameworks to secure future technologies.
  • Pillar 4: Advancing UK global leadership and influence for a more secure, prosperous and open international order, working with government and industry partners and sharing the expertise that underpins UK cyber power.
  • Pillar 5: Detecting, disrupting and deterring adversaries to enhance UK security in and through cyberspace, making more integrated, creative and routine use of the UK’s full spectrum of levers.

As part of this strategy, the UK Government announced in late 2022 that it will update the Network and Information Systems (NIS) Regulations 2018 to better protect the UK’s critical national services from cyber-attack by bringing providers of outsourced IT and managed service providers (MSPs) into the scope of those regulations. This was in response to attacks such as Operation Cloud Hopper, a Chinese cyber espionage campaign that targeted cloud MSPs between 2016 and 2018 and used their privileged access to reach the MSPs’ customers.

The UK data protection regulator, the Information Commissioner’s Office (ICO), continues to investigate and sanction organizations for cyber breaches. Fines issued in the last year include a GBP 4.4m fine imposed on the outsourcing provider Interserve for breaches of its security obligations under the GDPR. Since early 2023, under Information Commissioner John Edwards, the ICO has also been publishing reprimands, which are often issued for security breaches that do not reach the threshold for a fine.

In 2022 the NCSC and the ICO jointly wrote to the Law Society to remind its members that they should not advise clients to pay ransomware demands should they fall victim to a cyber-attack. The ICO made clear that it is incorrect to believe that paying a ransom is a mitigating factor in relation to GDPR fines. The ICO has also updated its guidance on ransomware, as has the National Cyber Security Centre (NCSC). The guidance covers a range of scenarios and the steps organizations are expected to take to prevent and respond to ransomware attacks. In 2022 the ICO also issued its first fine for a ransomware attack: Tuckers Solicitors LLP was fined GBP 98,000. The NCSC continues to stress that ransomware is the most acute cyber threat the UK faces.

European Union

The European Union has been working for several years on updating its regulatory framework for digital markets and improving the cyber resilience of its critical sectors. Businesses operating in the EU are already familiar with the General Data Protection Regulation (GDPR), which imposes general security and breach notification requirements in relation to the processing of personal data. In addition, under the NIS Directive, operators of essential services in certain sectors (such as energy, transport, finance, banking, water and health) and digital service providers (for example, search engines, certain cloud computing services and online marketplaces) are required to adopt cybersecurity measures appropriate to the risks they are exposed to, and to promptly notify the authorities of any security incident with a significant disruptive effect on the continuity of critical services.

The NIS Directive was revamped last year and will soon be replaced by the NIS 2 Directive, which EU Member States must transpose into national law by October 2024. The NIS 2 Directive sets a higher baseline for cybersecurity risk management measures and reporting obligations across all sectors in its scope (including express cyber governance requirements), introduces new mechanisms for regulatory cooperation, and establishes harmonized enforcement, remedies and sanctions across all EU Member States. It will apply to all medium-sized and large entities operating in critical sectors; the list of sectors is expanded to include, among others, business-to-business ICT managed services, digital infrastructure such as data centre services and cloud computing services, various manufacturing sectors, and research organisations.

Examples of new obligations include:

  • Covered entities must take cybersecurity risk management measures that, among other things, ensure business continuity and supply chain security, provide for incident handling, put basic cyber hygiene practices and cybersecurity training in place, and adopt relevant policies and procedures;
  • Management bodies of covered entities must approve these measures and oversee their implementation, and can be held liable for non-compliance; there are also mandatory cybersecurity training requirements for the members of management bodies; and
  • Significant incidents must be reported to the CSIRT or competent authority in stages: an early warning within 24 hours after the entity becomes aware of the incident, followed by an incident notification within 72 hours, an intermediate report if requested, and a final report within one month after the incident notification (or after the incident has been handled, if it is still ongoing at that point).

Moreover, a new regulation, the Digital Operational Resilience Act (DORA), will apply to the financial sector (which includes the insurance sector and fintechs) from January 2025. It imposes strict security, governance and incident reporting requirements not only on financial entities but also on critical ICT third-party service providers (including cloud service providers) that offer ICT services to them. These providers will have to comply with specific obligations and will be subject to direct regulatory oversight.

The European Union is also working on the adoption of a new Cyber Resilience Act, which will introduce mandatory cybersecurity rules for placing products with digital elements on the EU market. The proposed Act will have direct effect in all EU Member States and is expected to be finalised in late 2023-early 2024. Key provisions of the Cyber Resilience Act include:

  • Certain critical products with digital elements (determined on the basis of criteria such as the criticality of the software or its intended use in sensitive environments, e.g. an industrial setting) will be subject to specific conformity assessment procedures;
  • Essential cybersecurity requirements are introduced for the design, development and production of products with digital elements, together with obligations on economic operators (from manufacturers through to importers and distributors) in relation to these products. Manufacturers will need to factor cybersecurity into the design, development and production of their products, exercise cybersecurity due diligence in this process, comply with transparency requirements on the cybersecurity aspects of the product towards customers (including providing technical documentation that meets minimum requirements), and ensure security updates;
  • Manufacturers will be required to perform a conformity assessment of the product and of their vulnerability handling process to demonstrate conformity with the essential requirements (this may include self-assessment; however, critical products will be subject to stricter conformity assessment procedures, in some cases including a third-party assessment); and
  • Essential requirements are imposed on manufacturers to handle vulnerabilities so as to ensure the cybersecurity of the product throughout its whole life cycle, including an obligation to notify the European Union Agency for Cybersecurity (ENISA) within 24 hours of any actively exploited vulnerability in the product and of any incident having an impact on the security of the product with digital elements.

Although not focused on cybersecurity, another crucial piece of upcoming EU legislation, the proposed Data Act, will regulate access to and sharing of data generated by IoT devices and related services, as well as key aspects of interoperability and switching between data processing services, including specifically cloud service providers. Data processing service providers will be required to offer all assistance and support needed to make switching to another provider or to an on-premise system successful, and will be obliged to maintain a high level of security throughout the entire switching process. The proposed Data Act is expected to be adopted before the end of 2023. The recently adopted Data Governance Act will apply from 24 September 2023 and regulates data intermediation services, the reuse of certain categories of publicly held data, data altruism, and access to non-personal data by non-EU public authorities.

Allen & Overy prepared an overview of other regulatory developments in the EU relating to data, digital markets and cybersecurity, available here. It covers, among others, the EU Resilience of Critical Entities Directive, the Regulation on Digital Operational Resilience for the Financial Sector (DORA), the EU Data Governance Act, the Digital Services Act (DSA), the Digital Markets Act (DMA), the European Health Data Space proposal, the EU Chips Act, and the Artificial Intelligence Act proposal.

France

In May 2021, the French government issued its National Cloud Strategy to address the challenges posed by cloud computing (including digital sovereignty and data protection), focusing on three main pillars:

  • Enforcing the “SecNumCloud” visa with international cloud services providers;
  • Adopting a “cloud at the center” policy to accelerate the digital transformation of the administration; and
  • Implementing a strong industrial policy to support and develop local projects as a way to enforce French and EU technological sovereignty.

Following this announcement, the French Competition Authority (the Autorité de la concurrence) launched an inquiry in January 2022 into the functioning of the cloud market in France, with the aim of producing a global analysis of the practices implemented in this sector. The Autorité has been notably concerned with the issue of cloud/vendor lock-in and the challenges businesses encounter when migrating their data assets and/or implementing multi-cloud strategies. An interim report from the French regulator notes that cloud users are often left with very little margin for negotiation, which may result in the acceptance of disproportionate clauses both in terms of financial conditions and in terms of technical constraints on data migration.

As part of its investigation, the Autorité also started a public consultation process to gather information from relevant stakeholders on their practices in this field. The conclusions of this inquiry are due to be published during the first half of 2023.

The Netherlands

In relation to cloud services, the Dutch Authority for Consumers and Markets (ACM) published the outcomes of a market study into cloud services on 5 September 2022. The study identified two major risks: user lock-in and the strong positions held by some providers within different layers of the cloud. These risks make switching a complex and expensive process, magnified by the practices of cloud service providers, the lack of interoperability, and the typical requirement to pay egress fees to move data out of the cloud. The ACM recommended strengthening the proposed EU Data Act (discussed in more detail above) in relation to interoperability and data portability requirements, voicing concerns that the proposed legislation would not be effective in removing the switching barriers erected by cloud service providers. On 5 April 2023 the ACM announced that it was closing its further investigations, expecting that the proposed Data Act and the EU Digital Markets Act (which becomes applicable for the most part in May 2023) would now provide a solid basis for addressing these risks.

For more information, please contact A&O’s global privacy and cybersecurity team

Germany

The Federal Cabinet updated Germany’s Cyber Security Strategy in 2021, providing a framework for cyber security over five years until 2026. The strategy sets out the essential long-term direction of the Federal Government’s cyber security policy, broken down into guiding principles, action areas and strategic objectives. It focuses on four action areas (society, private industry, government, and EU/international affairs) and defines 44 strategic objectives across them. Its goal is to strengthen Germany’s digital economy through targeted support for key enabling technologies and by requiring a security-by-design approach for emerging and key enabling technologies.

The Federal Government has further agreed in its coalition agreement to draft a National Security Strategy, on which negotiations started in early 2022 and which was recently discussed in the German Bundestag. According to the Federal Ministry of the Interior and Community, cyber security threats will be a key aspect addressed in the National Security Strategy. The Ministry consequently also published its Cyber Security Agenda in 2022, setting out eight steps for improving and ensuring cyber security in Germany, including measures for securing the IT supply chains of critical infrastructure providers and expanding the auditing rights of the BSI (the Federal Office for Information Security) with regard to the trustworthiness of manufacturers who supply critical components to critical infrastructure operators (e.g. in the energy, health or financial sectors).