New Approaches to Network and Information Security Regulation: The EU Telecoms Package
Abstract

The ePrivacy Directive and the Framework Directive as amended by the EU Telecoms Package introduce, for the first time, obligations for providers of public communications networks and for providers of publicly available electronic communications services to notify certain personal data security breaches and certain network security breaches to subscribers, individuals concerned, and/or the competent national (regulatory) authority. This paper analyzes the conditions under which different types of security breaches will have to be notified and to whom this notification will have to be addressed. The paper will conclude with a risk-based assessment of these new security breach notification requirements, examining to what extent they not only allow users to take corrective security measures and regulators to make informed policy choices, but also to what extent the new policies address the fundamental problem of the misalignment of risk and risk mitigation capability.