Olga Finkel and Robert Zammit have recently written the Malta chapter for the Cybersecurity 2015 issue of Getting The Deal Through. Olga and Robert discuss how cybersecurity is promoted and regulated in Malta, how industries are affected by such laws and the challenges that the jurisdiction faces in this area.

Legal framework

1       Summarise the main statutes and regulations that promote cybersecurity. Does your jurisdiction have dedicated cybersecurity laws?

Malta has not enacted dedicated cybersecurity legislation; however, as a member of the European Union and the Council of Europe, it must fully conform to its obligations resulting therefrom. To this end, in 2001 a sub-title was added to the Criminal Code (Chapter 9 of the Laws of Malta) entitled ‘Of Computer Misuse’, which largely incorporates the provisions of the Council of Europe Cybercrime Convention, which itself was fully ratified by Malta in 2012.

Under the Criminal Code, article 337C criminalises unlawful access to, or use of, information. Among the offences criminalised under this article is the unlawful use of a computer or other device or equipment to access any data, software or supporting documentation held in that computer or on any other computer, and the unlawful use, copying or modification of any such data, software or supporting documentation. This article also criminalises unauthorised activities which hinder access to any data, and also covers the unlawful disclosure of data or passwords. The following article 337D then criminalises the misuse of hardware. One of the most striking features of the Computer Misuse sub-title in the Criminal Code is its evident technological neutrality, which allows these criminal laws to cater for a host of unlawful activities, irrespective of the technological complexities at issue.

The Data Protection Act 2001, together with subsidiary legislation enacted under it, forms a legislative framework that implements EU directives, regulations and recommendations relating to privacy, including privacy in the electronic communications sector. This law imposes security obligations upon processors of personal data, whether it is collected, processed and stored via automated means or otherwise, and creates rights for the data subject with regard to personal and sensitive personal information held by data controllers.

The Electronic Communications Networks and Services (General) Regulations (SL 399.28) impose requirements on providers of electronic communications services to ensure the security and integrity of networks against incidents, threats or vulnerabilities. An undertaking providing publicly available electronic communications services over public communications networks must take all necessary measures to ensure the fullest possible availability of such services in the event of a catastrophic network breakdown.

In certain sectors, such as the financial services and remote gaming sector, information security requirements are imposed by way of sector-specific rules and/or supervisory process by licensing authorities.

2       Which sectors of the economy are most affected by cybersecurity laws and regulations in your jurisdiction?

One has to keep in mind that, in general, the size of Malta-based enterprises is small and the costs of proper data security measures can be quite high. Therefore, overall, it is regulated industries and e-government itself that lead the way in the field of cybersecurity. The fields that have experienced heightened growth via the web and mobile channels and are also involved in handling high volumes of sensitive data are the industries that have responded most to cybersecurity challenges. Amongst these are electronic (including mobile) banking, payments, telecommunications, e-government services, web-service providers and co-location centres, and remote gaming. Other sectors lag behind.

3       Has your jurisdiction adopted any international standards related to cybersecurity?

The chief international standard adopted in Malta is ISO27001, adopted by a number of organisations and governmental bodies in Malta to govern their information security management operations. Other organisations choose to implement the provisions of this standard without obtaining the corresponding certification. This standard is adopted, however, on a voluntary basis and, where an obligation to maintain certain levels of cybersecurity exists, adoption of this standard acts as a presumption that sufficient measures have been taken.

4       What are the obligations of responsible personnel and directors to keep informed about the adequacy of the organisation’s protection of networks and data, and how may they be held responsible for inadequate cybersecurity?

Generally speaking, a company’s affairs are managed by the board of directors who are responsible for the company’s performance of its obligations.

From a data protection perspective, the data controller is obliged under the Data Protection Act to implement appropriate technical and organisational measures to protect the personal data processed against accidental destruction or loss or unlawful forms of processing. The security measures to be implemented must have regard to the technical possibilities available, the cost of such measures, the special risks relating to the processing of the data, and the sensitivity of the data being processed. There are no explicit or specific legislative provisions further to the above.

Data controllers may be held responsible for inadequate cybersecurity by the Information and Data Protection Commissioner, who may order rectification of a breach, may institute civil legal proceedings where provisions of the Act have been or are about to be violated, and may refer any criminal offences encountered by reason of his functions to the competent public authority. Criminal penalties may be applicable to breaches of information security under this Act.

In regulated sectors, such as financial services and remote gaming, service providers undergo certification or supervisory checks, where they have to show and justify that the security measures taken are proportionate and adequate to the risks. In case the supervisory body is not satisfied, the providers may either be refused a licence, or face fines and/or suspension of their licence.

In addition, in the financial services sector, licence holders are increasingly required to set up an internal audit function which is independent from the operational activities. The principal purpose of such an audit is to assess the appropriateness of the service provider’s internal policies and procedures, including information security and risk management policies, and to review the organisation’s compliance with the same. Findings are reported to the Board of Directors of the organisation.

5       How does your jurisdiction define cybersecurity and cybercrime?

At present, specific definitions of cybersecurity and cybercrime do not exist in Malta’s statutes or case law. One may however find guidance on these terms in the Criminal Code Sub-Title relating to Computer Misuse, which defines a “computer” as an electronic device that performs logical, arithmetic and memory functions by manipulating electronic or magnetic impulses, and includes all input, output, processing, storage, software and communication facilities that are connected or related to a computer in a computer system or computer network. “Computer data” here is defined as any representation of facts, information or concepts in a form suitable for processing in a computer system, including a program suitable to cause a computer system to perform a function. These definitions thus allow a broad scope to be afforded to the computer-related crimes of unauthorised access, use or modification of computing systems, software, hardware and data foreseen in this sub-title.

6       What are the minimum protective measures that organisations must implement to protect data and information technology systems from cyberthreats?

There are only generic requirements under applicable legislation relating to cybersecurity, stating that the security of systems must be adequate in relation to the sensitivity of the information and the repercussions that may arise as a result of information security breaches. There are no explicit or specific legislative requirements in addition to the above. However, those companies which are obliged to maintain adequate security in their business (such as financial services, telecoms and remote gaming) and which normally have to undergo supervisory checks by their licensing authorities usually adopt the ISO27001 standard. Moreover, financial service providers that have to undergo PCI compliance generally also follow the applicable rules with regard to the storage of data and its encryption.

In the financial services sector, whilst applicable financial services legislation does not contain any mandatory requirements concerning certification of data centres or software applications to be used by financial businesses, during the application phase the supervisory authority will consider the proposed IT structure on a case-by-case basis and will expect the applicant to identify reputable data centres and software providers which will enhance its ability to ensure continuous and regular provision of the licensed financial activities and adequate protection of customer data.

7       Does your jurisdiction have any laws or regulations that specifically address cyberthreats to intellectual property?

Malta does not at present have any laws or regulations which cater specifically for cyberthreats to intellectual property. For the purposes of data security and of the offences of unauthorised access to or misuse of data, data protected by intellectual property rights is treated in the same way as any other data.

8       Does your jurisdiction have any laws or regulations that specifically address cyberthreats to critical infrastructure or specific sectors?

The Criminal Code provisions in relation to computer misuse are made applicable to “computer networks”, “software”, “hardware” and “computer systems”, which are defined widely and with enough technological neutrality to incorporate all conceivable cyberthreats to any technological infrastructure. These are the provisions which at present address cyberthreats to critical infrastructure. It must also be noted that in the Maltese Government’s Digital Malta strategy presented in March 2014 entitled the “National Digital Strategy for 2014-2020”, a National Cyber Security Strategy is planned for the coming years, which will include rules for the protection of critical infrastructure.

9       Does your jurisdiction have any cybersecurity laws or regulations that specifically address privacy and civil liberties?

In addition to the provisions of the Data Protection Act and subsidiary legislation, the Electronic Communications Networks and Services (General) Regulations (SL 399.28) address data protection issues arising from the use of electronic communications networks and services, whether these are public or non-public.

These regulations impose requirements on providers of electronic communications networks and services to ensure the security and integrity of networks against incidents, threats or vulnerabilities, including personal data breaches. An undertaking providing publicly available electronic communications services over public communications networks must take all necessary measures to ensure the fullest possible availability of such services in the event of a catastrophic network breakdown.

Under Maltese law, private communications may only be intercepted by the Malta Security Service upon obtaining a warrant signed by the Minister, in the circumstances related to national security delineated in the Security Service Act (Chapter 391 of the Laws of Malta).

10    What are the principal cyberactivities that are criminalised by the law of your jurisdiction?

The principal cyberactivities criminalised under article 337C of the Criminal Code are the unauthorised:

  • Use of a computer or other device to access, use, copy or modify data or other information held;
  • Output of data or other information from the computer where it is held in any manner whatsoever;
  • Copying of data or other information to a storage medium or other location other than that in which it is held;
  • Prevention or hindering of access to such data;
  • Hindering or impairing the functioning or operation of a computer system, software or the integrity or reliability of any data;
  • Possession of or use of data;
  • Installation, alteration, moving, damaging, deletion, deterioration, suppression, destruction, variation or addition of any data or other information;
  • Disclosure of a password or other form of access to an unauthorised person;
  • Interception by technical means of data transmissions;
  • Production or any other form of procurement of a device, including a computer program, which is designed or adapted for the committing of the above-mentioned acts.

Breaches of the obligations and duties under the Data Protection Act and the Electronic Communications Act may also result in criminal sanctions.

11    How has your jurisdiction addressed information security challenges associated with cloud computing?

Maltese regulatory authorities have not as yet addressed the cybersecurity challenges emerging from the growing cloud computing sector through specifically targeted regulations.

Current policy frameworks seek to mitigate risks while at the same time seizing the full benefits of cloud computing. This can be seen, for instance, in the licensing approach currently taken by the Malta Gaming Authority, Malta’s public regulatory body responsible for all forms of gaming, where requests for the use of public or private cloud are dealt with on a case-by-case basis during the licensing process of a remote gaming operator. The same approach is to be seen with respect to financial services licence applications before the Malta Financial Services Authority (the single regulator of financial services in Malta).

12    How do your jurisdiction’s cybersecurity laws affect foreign organisations doing business in your jurisdiction? Are the regulatory obligations the same for foreign organisations?

Malta’s current cybersecurity laws largely transpose European directives and standards, and must comply with the standards and rules contained in directly applicable European Union regulations. As a result, foreign organisations would not be prejudiced by local rules when choosing to carry out their business in Malta.

Best Practice

13    Do the authorities recommend additional cybersecurity protections beyond what is mandated by law?

The chief international standards relating to information security are the ISO27001 and ISO27002 security standards. Several organisations choose to implement the provisions of these standards in order to reduce risks to their computers and networks, without obtaining the corresponding certification.

14    How does the government incentivise organisations to improve their cybersecurity?

Capital investments made in relation to an organisation’s information technology infrastructure may be eligible for tax credits on the expenditure incurred under the Micro Invest Scheme, promoted by Malta Enterprise, the Maltese government agency responsible for providing fiscal and other incentives to business.

15    Identify and outline the main industry standards and codes of practice promoting cybersecurity. Where can these be accessed?

In the local telecommunications industry, a code of conduct signed by the major industry players promotes cybersecurity in accordance with the European Framework for Safer Mobile Use by Young Teenagers and Children, to which they are signatories. This code of conduct relates to the content provided by the communications providers, and not to internet content in general. The Code of Conduct is publicly available and may be accessed on the telecommunications providers’ websites.

16    How do the government and private sector cooperate to develop cybersecurity standards and procedures?

The process of enacting legislation and regulations applicable to the cybersecurity and ICT field involves detailed discussions and consultation briefings with key industry players, stakeholders in the field and the general public, who pool ideas with governmental bodies. This helps ensure that regulations created for a field in which newer and more complex risks are constantly emerging are efficiently targeted in the creation of cybersecurity standards and procedures.

17    Is insurance for cybersecurity breaches available in the jurisdiction and is such insurance common?

Insurance coverage for cybersecurity threats is increasing in popularity in Malta as information technology companies continue to set up their businesses here. As cybersecurity breaches are becoming a major risk for modern data-centric organisations, it is beneficial to cover this risk in an appropriate insurance policy, which can cover data loss incidents, business interruptions and network outages. However, while an insurance policy can cover the financial risks associated with security breaches, including the damages caused to third parties, no policy can ever bring back lost data, recall leaked sensitive information or erase potential reputational damage. Accordingly, insurance policies are not a substitute for, and should always work in conjunction with, data security policies and processes that minimise the risk in the first place.

Enforcement

18    Which regulatory authorities are primarily responsible for enforcing cybersecurity rules?

The Information and Data Protection Commissioner is the person authorised by the Data Protection Act to ensure and enforce compliance with the provisions of the Data Protection Act.

The Malta Police Force set up a dedicated Cyber Crime Unit in 2003, whose main function is to provide technical assistance in the detection, investigation and prosecution of crime in which the computer is the target or the means used. The Cyber Crime Unit is made up of police officers who are trained in the investigation of crimes that take place over the internet or through the use of a computer.

In addition, sectoral regulatory bodies may initiate and carry out enforcement through licensing and fines mechanisms.

19    Describe the authorities’ powers to monitor compliance, conduct investigations and prosecute infringements.

Sectoral authorities, in general, have powers to request documentation, make site visits, conduct investigations and report their findings to other competent bodies (such as the police).

For example, in exercising his functions the Information and Data Protection Commissioner is empowered to enter and search any premises under the powers that are vested in the executive police by any law. Similar powers are afforded to the Malta Financial Services Authority. In particular, the Malta Financial Services Authority requires applicants for a financial services licence to implement an IT and operational setup where the master data is located in Malta (or, where this is not so, where replicated back-up data is located in Malta). The Authority requires applicants to ensure that it will at all times have unrestricted control and direct and immediate access to the data in Malta, so that the Authority’s inspectors can at any time have sight of such data to enable it to exercise its supervisory powers. Similarly, the Malta Gaming Authority requires applicants for remote gaming licences to have in place an information security policy, the aim of which is to safeguard data, applications, equipment and network, as well as a strict system access control policy to ensure that both system access and physical access are limited on a need-to-know basis. Without the implementation of such policies, amongst other required policies, remote gaming applicants are not granted the licence to operate in the remote gaming business from Malta. Audits are performed by appointed technical auditors to ensure that these policies are being followed.

The Malta Police Cyber Crime Unit is charged with the investigation of criminal acts commonly associated with technology, as well as the investigation of more traditional offences such as fraud and threats perpetrated by cyber means. It is charged with the analysis and seizure of digital evidence collected in connection with investigations, as well as with identifying persons committing crimes over the internet.

20    What are the most common enforcement issues and how have regulators and the private sector addressed them?

Criminal enforcement against perpetrators of cybersecurity breaches is extremely low, because the crimes are often perpetrated from outside Malta and enforcement in such cases is very difficult. The inability to prosecute is the most acute problem arising in the enforcement of criminal cases relating to breaches of cybersecurity. Authorities have to collaborate with foreign counterparts to be able to identify and arraign perpetrators. Companies located in Malta generally fully cooperate with the police and provide information and access to their data and networks to assist in the investigation of crimes.

21    What penalties may be imposed for failure to comply with regulations aimed at preventing cybersecurity breaches?

The penalties applicable under the Data Protection Act may vary from fines ranging between €120 and €23,300 to imprisonment of not more than six months. The criminal penalties vary depending on the provisions of the Act being breached. On encountering a breach of the Act which could lead to criminal proceedings, the Commissioner is to refer the situation to the competent authorities, who in turn would need to take action in the Criminal Courts of Malta.

Other breaches of the Act may result in administrative fines which can vary from one-time fines of up to €23,300 and daily fines of up to €2,500, depending on the provisions of the Act being breached.

In the remote gaming sector, should operators be found not to be in compliance with their information security policy and system access control policy, the Gaming Authority would request the operators to take adequate action to ensure compliance. Should this not be done to the satisfaction of the Authority, fines may be imposed.

In the financial sector, the Malta Financial Services Authority reserves the right to impose certain sanctions where the entity no longer fulfils the conditions required for the granting of the licence generally. Such sanctions include the revocation or restriction of a licence and the imposition of administrative penalties where there is a breach of applicable financial services legislation.

22    What penalties may be imposed for failure to comply with the rules on reporting threats and breaches?

Article 3A of the Processing of Personal Data (Electronic Communications Sector) Regulations requires providers of publicly available electronic communications services to notify a personal data breach to the Information and Data Protection Commissioner without undue delay and, where the personal data breach is likely to adversely affect the personal data or privacy of a subscriber or individual, to notify such subscriber or individual as well. Contravention of or non-compliance with the provisions of these Regulations may lead to a penalty not exceeding €23,293.73 for each violation, and €2,329.37 for each day during which the violation persists. This fine is of an administrative nature and is determined by the Information and Data Protection Commissioner.

Regulations 55 and 56 of the Electronic Communications Networks and Services (General) Regulations (Subsidiary Legislation 399.28) require undertakings providing network elements or services to inform the Malta Communications Authority, inter alia, of any significant risk of a breach, or any actual significant breach, of the security or integrity of the services or network, or any failure or serious degradation of international connectivity. Any person suffering loss or damage because of any contravention of these Regulations is entitled to take action before the competent court or tribunal, seeking compensation from the person who caused the loss or damage.

Finally, data controllers operating in certain sectors, such as in the financial services, may be required by the relevant authority to disclose any personal data or security breach.

23    What challenges and appeals can parties make against non-compliance rulings?

Challenges and appeals made under the Data Protection Act are to be made to the Information and Data Protection Appeals Tribunal established under the Act.

Any person aggrieved by a decision taken by the Information and Data Protection Commissioner under the Electronic Communications Act may also appeal to the same Tribunal.

Appeals made from a decision of this Tribunal may be made to the Court of Appeal in its Inferior Jurisdiction.

24    What are the possible sanctions for cybercrimes?

A person who is found guilty of an offence of cybercrime under the provisions relating to Computer Misuse in the Criminal Code may be liable to a fine not exceeding €23,293.73 or imprisonment for a term not exceeding four years, or to both a fine and imprisonment.

Where the offence committed is in any way detrimental to any function or activity of the Government, or is carried out by an employee to the prejudice of his employer or of a third party in his capacity as an employee, or in any way hampers or interrupts a public service or utility, this penalty is increased to a fine ranging between €232.94 and €116,468.67, or imprisonment for a term of from three months to ten years, or both a fine and imprisonment. The minimum penalty where a person is found guilty of this offence for a second or subsequent time shall not be less than €1,164.69.

25    How can parties seek private redress for unauthorised cyberactivity or failure to adequately protect systems and data?

Private parties may seek private redress under the provisions of the Civil Code (Chapter 16 of the Laws of Malta).

Threat detection and reporting

26    What policies or procedures must organisations have in place to protect data or information technology systems from cyberthreats?

The Data Protection Act provides that the carrying out of data processing by way of a processor is to be governed by a contract or other legally binding instrument which must stipulate that the processor shall act only upon instructions from the data controller and shall implement all the necessary technical and organisational measures to ensure the protection of the data, by providing sufficient security.

The Electronic Communications Networks and Services (General) Regulations impose an obligation on undertakings providing connection to public communications networks or other publicly available electronic communications services to implement a security policy with respect to the processing of personal data. Appropriate security measures must be taken to prevent and minimise the impact of security incidents on users and interconnected networks. International gateway operators must additionally, at all times, adopt appropriate measures to safeguard the integrity and resiliency of the network elements utilised to provide international connectivity, and to secure the availability of capacity or have alternative measures in place to ensure an adequate level of uninterrupted international connectivity.

27    Describe any rules requiring organisations to keep records of cyberthreats or attacks.

Electronic communications providers are bound to retain categories of data pertaining to call and SMS logs, and internet data such as IP addresses; however, no content records may be collected or stored.

Civil legal proceedings brought under the provisions of the Civil Code (Chapter 16 of the Laws of Malta) and the Code of Civil Procedure (Chapter 12 of the Laws of Malta) may be brought within a prescriptive period of five years. For this reason, it is advisable that records are kept for a period of five years from the date of the cyberthreat or attack in question.

The Prevention of Money Laundering and Funding of Terrorism Regulations (SL 373.01) may have cybersecurity implications. Under these Regulations, records of threats, identity information, and records of all business transactions must be kept for a minimum period of five years from the date on which the relevant transaction or financial business was completed.

Furthermore, in the remote gaming sector the responsible Authority requires operators to report attacks on their systems. These reports need to be prepared and submitted to the Authority within 24 hours of the incident, and a copy of the report is kept at the company’s registered address.

28    Describe any rules requiring organisations to report cybersecurity breaches to regulatory authorities.

European Commission Regulation 611/2013 lays down the measures applicable to electronic communications providers for the notification of personal data breaches under Directive 2002/58/EC (the “ePrivacy Directive”). This Regulation applies to providers of publicly available electronic communications services, who are obliged to notify the competent national authority of a personal data breach. The information which must be notified to the competent national authority in an initial report of a personal data breach comprises the date and time of the incident, the circumstances of the personal data breach, the nature and content of the personal data compromised, the technical and organisational measures applied by the provider to the affected personal data and the relevant use of other providers. Further technical information which must be provided pertaining to the personal data breach includes a summary of the incident, the number of subscribers or individuals concerned, the potential consequences, and the technical and organisational measures taken by the provider to mitigate potential adverse effects. Similar information must be provided to the subscriber or individual.

The Electronic Communications Networks and Services (General) Regulations (SL 399.28) provide that where there is a significant risk of a breach of the security or integrity of the services or network, the provider must appropriately and without undue delay notify the Malta Communications Authority (MCA) and any users concerned, at least of the risk and the remedies possible, as well as contact points for more information. Serious and significant breaches or failures of international connectivity must be notified to the MCA and, where appropriate, the MCA shall inform regulatory authorities in other Member States and the European Network and Information Security Agency (ENISA).

Additionally, reporting obligations arise under the Prevention of Money Laundering and Funding of Terrorism Regulations (SL 373.01). Subject persons under these Regulations and the enabling Act are bound to report any transaction which they know, suspect or have reasonable grounds to suspect may be related to money laundering or terrorist financing, and must examine with special attention any complex or large transactions or any other behaviour which appears to be suspicious. These findings must be reported to the Financial Intelligence Analysis Unit.

29    What is the timeline for reporting to the authorities?

Under the Commission Regulation 611/2013, all personal data breaches must be reported to the competent national authority no later than 24 hours after the detection of the breach. Providers may provide further details of the breach within three days of the initial notification in the event that full details cannot be provided at the time of initial notification.

Reports under the Prevention of Money Laundering and Funding of Terrorism Regulations must be submitted to the Financial Intelligence Analysis Unit (FIAU) as soon as is reasonably practicable, but not later than five working days from when the facts are discovered or the information is obtained. This timeframe may only be waived if the subject person makes representations to the FIAU justifying why the information cannot be submitted within the said time, and the FIAU may at its discretion extend such time as is reasonably necessary to obtain and submit the information requested.

The reporting obligation in the remote gaming sector is 24 hours from the incident.

30    Describe any rules requiring organisations to report threats or breaches to others in the industry, to customers or to the general public.

European Commission Regulation 611/2013 imposes an obligation upon electronic communications providers to notify the subscriber or individual concerned of a personal data breach. This notification must be made when the breach is likely to adversely affect the personal data or privacy of the person involved, and it is made in addition to the notification which must be made to the competent national authority. The notification obligation to the subscriber or individual may only be waived if the technological measures rendering the data concerned unintelligible to an unauthorised person are to the satisfaction of the competent national authority.

The Electronic Communications Networks and Services (General) Regulations (SL 399.28) provide that where there is a significant risk of a breach of security or integrity of the services or network, the provider must appropriately and without undue delay notify any users concerned, at least of the risk and the remedies possible, as well as of contact points for more information. Where the MCA determines that disclosure of the network security breach is in the public interest, it may inform the public itself, or require the undertaking concerned to do so.

31    Describe practices and procedures for voluntary sharing of information about cyberthreats in your jurisdiction. Are there any legal or policy incentives?

At present, there do not exist any legal or policy incentives targeting the voluntary sharing of information relating to cyberthreats as such.

32    Are there generally recommended best practices and procedures for responding to breaches?

In the remote gaming business, the best practices currently in place are the safe-keeping of all data related to the cyberthreat, the setting up of a dedicated team to identify the source of the threat and ensure that proper steps are taken to avoid a repeat of such an incident, and the education of employees to ensure that all of them are aware of the threats and of the importance of following the company’s procedures and policies. Where necessary, third-party firms are engaged to perform penetration tests to ensure that the systems used are adequately secure.

UPDATE & TRENDS

The principal challenges facing the regulatory sphere relating to cybersecurity primarily result from the constant emergence of new threats to computer and information security. Legislators and regulators must thus keep abreast of technological threats to cybersecurity, and make use of international standards to meet their objectives. It is critical, in this light, to consider the benefits as well as the challenges associated with the adoption of international cybersecurity standards. The 2013 European Commission Joint Communication containing the ‘Cybersecurity Strategy of the European Union’ recognised the fundamental importance of a multi-stakeholder approach to the development of standards and regulations in the field of cybersecurity, where private sector service providers are extensively involved in the operation and implementation of public sector requirements.

Reproduced with permission from Law Business Research Ltd. This article was first published in Getting the Deal Through: Cybersecurity 2015 (published in January 2015; contributing editors Benjamin A Powell and Jason C Chipman, Wilmer Cutler Pickering Hale and Dorr LLP). For further information please visit www.gettingthedealthrough.com.