bto solicitors - Corporate & Commercial Business Lawyers Glasgow Edinburgh Scotland


EU to introduce Mandatory Cyber Security Reporting: Cyber Security Directive

10 December 2015

Europe’s Cyber Security Directive, which aims to strengthen European resilience to cyber-attack, will have substantial implications for key infrastructure providers such as communications, cloud computing, some e-commerce platforms, healthcare, energy, banking and transport operators.

The Directive is intended to improve the ability of member states to co-operate and respond to cyber threats. It will introduce mandatory reporting of security breaches for key infrastructure providers in energy, transport, financial markets, health and water. Once the Directive has been approved in Europe, member states will have 21 months to implement it in national law and a further 6 months to identify “operators of essential services”. These operators will be subject to enhanced security requirements and to the mandatory reporting requirement.

Paul Motion, Partner

Member states will be required to introduce Computer Security Incident Response Teams (CSIRTs), which will work co-operatively with the EU Agency for Network and Information Security (ENISA) to improve cross-border incident handling and response.

ENISA currently reports that security incidents and human error in these key infrastructures result in annual losses in the range of €260-€340 billion, and that there is no co-ordinated approach to security and reporting within the EU (1).

The text of the Directive still needs to be formally approved by member states. The presidency will present the text for approval by member states' ambassadors at the Permanent Representatives Committee on 18 December 2015 (2). Formal adoption by both the Council and the Parliament is required before the Directive will become law in Europe.

The changes are, however, likely to lead to greater continuity in respect of security standards, which will benefit those providers with operations in multiple European jurisdictions. Commentators are calling for a light touch from regulators, particularly given the wide scope of services, including information and communication technology services, that may be covered by the Directive (3).

Although the immediate effects of increased security requirements will be felt most keenly by large infrastructure service providers, we anticipate a knock-on effect as these larger operators look to secure their supply chains by imposing increased security requirements in contracts and procurement processes.

Paul Motion, Partner & Solicitor Advocate T: 0131 222 2939




  3. Society for Computers and Law, ‘Cybersecurity Directive Pending’ 8 December 2015

