European Commission proposes new rules on cybersecurity and data flows

On 19 September, the European Commission presented its long awaited proposal on the free flow of data to enable the storage and processing of non-personal data across the EU, as well as an updated cybersecurity strategy.

The draft regulation on the free flow of data includes an obligation for EU Members States to withdraw current national data localisation requirements “unless it is justified on grounds of public security”. It focuses on non-personal data, and will apply to data storage, the processing of data on platforms and the processing of data in applications. To enable the portability of non-personal data, the proposal suggests self-regulatory measures for professional users and academics. The rights of EU Member States to request access to data will not be impacted by this regulation.

The Cybersecurity Strategy comprises several proposals, including a Regulation on the implementation of the Network Security Directive, which will come into force in May 2018. There is also a proposal for a stronger, permanent mandate for the EU’s Cybersecurity Agency and a voluntary framework for EU-wide security certification of ICT products and services, the “Cybersecurity Act”. While a “one-size-fits-all” approach to cybersecurity certification will not work given the variety of ICT products and services, a European cybersecurity certification scheme, with clear descriptions of security requirements to be met by covered products, systems or services would help create common EU-wide standards. A certificate of compliance with such requirements would be recognised in all Member States, comparable to similar schemes, for example, in the food sector.

All proposals will be debated in the European Parliament and the Council during the coming months with the aim of adoption before the end of this Commission’s mandate.