Critical infrastructure operators and multinational companies must disclose significant cybersecurity incidents to national authorities in the European Union (EU) or face penalties under a new EU cybersecurity law. Because the law is a directive rather than a regulation, each member state must transpose it into national law and set its own penalty regime, so the exact obligations and fines will vary by country.

The law – the Network and Information Security (NIS) Directive – is aimed at promoting transparency and cooperation between governments and global companies in the response to cyber threats. It lays out new incident reporting rules for operators in sectors such as finance, energy and health, and for certain technology companies. Note that the directive is concerned with incidents that have a significant impact on the continuity of the service, not only with breaches of personal data; personal data breach notification is governed separately by EU data protection law.

The new rules will apply, notably, to tech companies considered “digital service providers,” a group that includes online marketplaces, cloud computing services and search engines. The boundaries of that definition are less clear, leaving uncertainty as to which other types of companies will face new reporting requirements. Take Facebook, for example. Search engines and e-commerce sites such as Amazon may be required to disclose incidents, while social networks are not named in the definition and their disclosure obligations remain unclear. They may face no disclosure requirements under this directive at all.

Expect more clarity in the coming months. European regulators are negotiating a new transatlantic data transfer agreement to replace Safe Harbor, and could release the long-awaited General Data Protection Regulation, which will replace the Data Protection Directive, any day.

The upside is that these new laws and directives will provide some uniformity and clear direction on companies’ obligations in Europe. The flip side is that uniformity is likely to bring higher privacy protection standards, stiffer penalties and more aggressive compliance enforcement. To prepare, companies should firm up their data security and privacy compliance efforts, including incident detection and reporting procedures, and align them with recognized industry standards such as ISO 27001.

For help drafting data security policies, or for advice on how to prepare for new European data privacy rules, contact the author or a member of the Fox Rothschild Privacy & Data Security or Technology teams.