Written by Mickaël Tome and Cyril Pierre-Beausse, Avocats à la Cour
Published on 10.09.2019 - Paperjam

The law of May 28, 2019 transposed into Luxembourg law the rules stemming from the European Network and Information System Security Directive (NIS Directive), completing the complex regulatory environment that applies to organizations established on Luxembourg territory.
New rules have recently been added to the existing legal framework for information security in Luxembourg. The law of May 28, 2019 transposed into Luxembourg law the European "NIS" Directive of July 6, 2016, which establishes measures to ensure a common high level of security of network and information systems across the European Union.
The essential objective of this new regulation is to require the actors that are essential to the daily lives of Luxembourg residents to equip themselves with the means needed to fight cybercrime. The new legal framework underlines the importance of information technologies in our societies, our dependence on these technologies and their vulnerability to computer attacks. The new rules place increased responsibility on organizations to deal with the frequency and impact of security incidents.
In the spotlight are operators of "essential services" (energy, transport, health, water, credit institutions and financial market infrastructures, digital infrastructures) and "digital service providers" (cloud computing services, search engines, online marketplaces).
They must (with nuances depending on the type of actor concerned) adopt technical and organizational measures to reduce the risks to the security of their network and information systems, prevent and manage incidents, and promptly notify the competent authority of any incident with a significant impact.
The principles underlying this regulation are well known: risk-based approach, security governance, preservation of service continuity, incident prevention and management, and notification of incidents to the regulator. These are the same principles that have been imposed since May 2018 by the so-called GDPR on all organizations in the country that process personal data.
However, it is logical that the obligations on operators of "essential services" and digital service providers are strengthened, since an incident affecting them can create a domino effect and therefore present a systemic risk: a general threat to the economy or to national security.
The actors concerned must take into account several parallel regulations that were not always designed to be applied in combination. As an illustration, several obligations to notify security incidents now exist towards different regulatory authorities: the National Commission for Data Protection (CNPD) in case of a personal data breach under the GDPR, and the Commission de surveillance du secteur financier (CSSF) or the Institut luxembourgeois de régulation (ILR) in case of a significant incident affecting the continuity of essential services or the provision of a digital service under the new rules. In short, this is a source of complexity, whereas in the case of a major incident there is no shortage of concerns, time is of the essence and notification deadlines are extremely short. In addition, the obligations vary depending on the legal qualification of the incident under the various applicable regulations. Organizations will therefore have to decide urgently and give, without hesitation, a precise, substantiated and documented qualification.
A point of interest of the law of May 28, 2019 is the legislator's choice to designate different competent authorities for network and information systems security depending on the sector concerned: the CSSF has competence for the financial sector (including providers of digital services to this sector), while the ILR is responsible for the other sectors. This is an interesting specialization, which has not been adopted for data protection, for example.
In the event of non-compliance, the actors concerned are exposed to a sanction from these authorities, ranging from a simple warning to a fine of up to 125,000 euros. One can only deplore the insignificance of this amount compared to the level of fines provided for by the GDPR in case of a personal data breach by any organization on the market, "essential" or not.
Faced with this, the players must think about the risks upstream and in a global way, and continuously improve the prevention and management of incidents. At the same time, it is essential to rationalize compliance efforts, create the necessary synergies between the various possible projects (GDPR, information security, electronic archiving, digitization), and control the associated costs and deadlines. In this respect, the level of preparation for the new requirements varies greatly from one sector to another.