
The Network and Information Security Directive - false dawn or resplendent sunrise?

On 7 February 2013 the European Commission published “Cybersecurity Strategy of the EU: An Open, Safe and Secure Cyberspace” (the “EU Strategy”), alongside a Commission-proposed directive on network information security (the “Cybersecurity Directive”). The EU Strategy represented the EU’s vision of how best to prevent and respond to cyber disruptions and attacks, in particular by implementing the Cybersecurity Directive to address national capabilities, preparedness, and EU-level cooperation in countering cybersecurity threats. 

Despite good progress in 2014, the proposed timeline to adopt the Cybersecurity Directive by December 2014 passed without agreement by the three main EU parties – the Commission, Parliament, and Council. Yet, Eurobarometer research results published by the Commission in February 2015 demonstrated that an overwhelming majority of Internet users are concerned with cybersecurity threats, in particular in online banking and online purchasing. 

With the Latvian presidency of the EU Council having reached an understanding with the EU Parliament on 29 June 2015 regarding the main principles to be included in the draft Cybersecurity Directive, it appeared likely that the Cybersecurity Directive would be finalised before the New Year. However, these agreed principles still needed to be converted into legal provisions, with the details of some needing to be discussed at a technical level. As November arrived without any further news, there continued to be a lack of clarity around both the terms of the Directive and the timeframe for adoption. 

Then, on 9 November 2015, EU Digital Commissioner Günther Oettinger announced that the EU Commission, Parliament, and Council were close to signing a compromise deal. With the long-awaited Cybersecurity Directive mere “days or weeks” away, Nicola Fulford, Data Protection and Privacy Partner, and Alex Cravero, Commercial Technology Associate, look at the EU Strategy and the Cybersecurity Directive in more detail. 

Background

The EU Strategy was proposed with the intention of articulating the EU’s vision of cybersecurity in terms of the following 5 priorities:

  • achieving cyber resilience;
  • drastically reducing cybercrime;
  • developing a cyber-defence policy and capabilities relating to the Common Security and Defence Policy (CSDP);
  • developing the industrial and technological resources for cybersecurity; and 
  • establishing a coherent international cyberspace policy for the EU and promoting core EU values. 

A key component of each of these points, and of the EU Strategy in general, is the implementation of the Cybersecurity Directive across all “market operators” in all Member States; namely those designated operators that provide “essential services”. This includes key Internet enablers and critical infrastructure operators, such as eCommerce platforms, social networks, and operators in energy, transport, banking, and healthcare services. 

In particular, the Cybersecurity Directive requires Member States to establish:

  • a Competent Authority (NCA) to monitor the application of the Cybersecurity Directive in their Member State and, if there is more than one authority, appoint a single point of contact (SPOC);
  • a national Network Information Security strategy (NIS), as well as regulatory measures to provide network security; and 
  • authorities responsible for the management of cybersecurity and risk, and emergency response teams to address incidents – namely a Computer Emergency Response Team (CERT) and Computer Security Incident Response Team (CSIRT). 

In addition: 

  • the Competent Authorities (including SPOCs), European Network Infrastructure Security Agency (“ENISA”), and the EU Commission shall together form a cooperation network to coordinate responses to incidents and share information securely amongst members; and 
  • any “market operator” that operates critical infrastructure, the “disruption or destruction of which would have a significant impact on a Member State”, must comply with mandatory security incident notification requirements. 

It is intended that wide rights are provided to Competent Authorities under the Cybersecurity Directive, similar to the General Data Protection Regulation (“GDPR”) due to come into effect in 2016. These include the ability to compel production, audits, and remedial action, as well as sanctions for non-compliance “consistent with the GDPR”. 

Progress

The EU Parliament adopted its report on the proposed Cybersecurity Directive on 13 March 2014, making a number of amendments to the Commission’s original text. Whilst the Council was largely supportive of the Parliament’s amendments, they disagreed over the fixed prescriptive requirements (preferring flexible principles that protect against future change) and establishment of a new cooperation mechanism (given existing bodies and mechanisms are available). 

A trilogue between the Commission, Parliament, and Council in late 2014 resulted in the agreement of a joint text, with the exception of the three following issues:

  • determining the scope of the Cybersecurity Directive and defining a “market operator”: 
    • agreed: it applies to certain public and private sector operators as set out in Annex II that provide services within the EU (i.e. without an establishment test); but 
    • disagreed: 
      • whether the Annex II list of market operators is exhaustive;
      • whether a market operator must be in Annex II and designated by Member State;
      • the list of market operators, including (amongst others) whether health, food supply, water supply, and IT infrastructure such as eCommerce platforms, social networks, and app stores should fall within Annex II; and 
      • whether digital service platforms would be treated as an “essential service”. 
  • determining which security breaches the private sector must notify, and when such notification must be made:
    • agreed: it only applies to significant impact, and may be notified to the public by the Competent Authority; but 
    • disagreed:
      • how quickly a party must notify the Competent Authority;
      • how many Competent Authorities (whether one or all) must be notified by the market operator; and 
      • who is able to create criteria to define a “significant impact” – presently proposed to be the European Network Infrastructure Security Agency (ENISA), the EU Commission, and SPOCs; and 
  • agreeing the mandatory extent of national cooperation.

A fourth trilogue that took place on 29 June 2015 resulted in the Latvian presidency of the Council agreeing the main principles to be included in the draft Cybersecurity Directive with the Commission and Parliament; namely that “digital service platforms will be treated in a different manner from essential services”, and that “the details of such will be discussed at a technical level”. 

Whilst the Latvian presidency hailed this as a “breakthrough”, this was an understanding on the main principles and not an agreement of the final text. In particular, it did not fully resolve the divisive issue of the extent to which online platforms should be subject to new requirements on breach reporting, as technical-level discussion was still to take place.

With the EU Member States calling for “rapid adoption” of the Cybersecurity Directive in a Council meeting of 25 and 26 June 2015, there was increased pressure on the incoming Luxembourg presidency of the Council to finalise the Cybersecurity Directive before 31 December 2015. The announcement of 9 November 2015 by current EU Digital Commissioner Günther Oettinger suggests that this pressure may have worked, with the new Cybersecurity Legislation reportedly just “days or weeks” away from being finalised.   

What’s next? 

Whilst we expect to soon see the final text of the Cybersecurity Directive, precisely how it will work in practice will not be known until Member States enact the necessary implementing legislation – a process for which they have 18 months following adoption. 

The true test for the Cybersecurity Directive will be whether it provides any real value, or simply adds another layer of bureaucracy. Companies affected by serious cyberincidents risk breaching this Directive by failing to notify within strict timeframes. However, fixed reporting periods may mean companies are not able to appropriately triage the issue and, consequently, may spread undue panic by having to notify the public of incidents without being able to provide much in the way of useful information or reassurance.

Given the points that remain outstanding following the fourth trilogue, the further discussion and legal drafting that will have taken place to reach the compromise deal between the EU Commission, Parliament, and Council will inevitably have a significant impact on the overall effectiveness of the Cybersecurity Directive, with the potential to fragment rather than harmonise Member-State-wide implementation and application.

For further information, please contact Nicola Fulford.