
Cybersecurity Law Overview (Mannheimer Swartling, April 2017)

contacts

Erica Wiking Häger, Partner and Head of Corporate Sustainability and Risk Management, specialised in data protection and privacy
+46 8 595 063 30
[email protected]

Carolina Dackö, Specialist Counsel, specialised in international trade law
+46 31 355 17 48
[email protected]

mannheimerswartling.se

a report by mannheimer swartling

april 2017

Cybersecurity Law Overview

Overview

The following cybersecurity overview covers six jurisdictions (the US, the EU, Germany, France, Australia and Mexico). For the purpose of this overview, the term cybersecurity refers to the protection of networks, hardware, software and data from attacks, damage or unauthorised access (“attacks”).

Cybersecurity legislation is under development in most countries and is generally scattered over different areas of law. We have grouped these laws into the following categories.

a. Domestic law security requirements: These types of legislation impose requirements on public authorities and private operators in civil society to ensure that they have security measures in place to prevent attacks. These often impose minimum standards to protect public service functions (essential services or critical infrastructure) against cyber threats (e.g. water, hospitals, banking). Also, cybersecurity rules in relation to data privacy belong to this group.

This report is distributed solely for informational purposes and should not be regarded as legal advice. The report may be quoted as long as the source is specified.


b. Protecting national security interests: These types of laws fall under or are closely tied to national defence interests, and aim at preserving a state’s national integrity by preventing e.g. state-sponsored espionage.1 These types of laws may therefore override open market principles,2 and restrict foreign investors from acquiring domestic businesses, or may restrict foreign suppliers from tendering in critical infrastructure projects. They may also restrict exports and supply of critical security technology to prevent its dissemination.

c. Criminalisation of certain cyber activity: These laws aim at criminalising specific acts committed mainly by digital or electronic means (“cybercrime”) and acts for which there is a clear corresponding criminal act when committed physically (“cyber-enabled crime”). For example, burglary or theft is comparable in the cyber world with illegal hacking, interception and theft of data. Many countries have implemented or are implementing the international agreement on what is deemed to constitute cyber-enabled crime (the Budapest Convention3).

1 The concept of national security interest may be used in a broad sense to describe a nation’s methods to preserve its sovereignty. Measures to protect national security may range from enhancing military power to ensuring supply of a country’s basic needs (e.g. food and energy). For the purpose of this paper however, we apply the term national security interests to identify measures that target organisations or companies that are exposed to cybersecurity threats.

2 For instance the free trade principles on National Treatment under the WTO.

3 The Budapest Convention covers four categories of cybercrime: (1) offences against the confidentiality, integrity and availability of computer data and systems (illegal access, illegal interception, data interference, system interference, misuse of devices), (2) computer-related offences (computer-related forgery and fraud), (3) content-related offences (child pornography) and (4) infringement of copyright.

Key observations and trends

We would like to highlight the following observations and trends:

• Domestic law security requirements are evolving and often spring from national cybersecurity strategies. Not all countries adopt legislation (“hard law”) but instead rely on the evolution of industry standards to set the level of actual security requirements (“soft law”). The lack of hard law does not necessarily mean a lack of cybersecurity measures. Australia appears to be putting substantial effort, similar to that of the EU and US, into cybersecurity, but doing so without legislation and relying more on soft law. However, in Mexico, the lack of legislation and lack of cybersecurity efforts appears to have led to a heightened risk situation, and both legislation and enforcement appear to be needed.

• Foreign investment review laws appear to be on the rise. The US already has a mechanism under CFIUS.4 In the EU, the EU Parliament has called on the European Commission to draw up common EU laws on foreign investment review.5 As some EU member states (e.g. France and Germany) already have such laws in place, whereas others do not (e.g. Sweden), industry should follow or engage in what elements the European Commission will consider when drafting such laws.

4 The Committee on Foreign Investment in the United States, see further explanation below under the US summary.

5 The European Parliament recently submitted a request to the Commission to put forward a proposal for new rules (Proposal for a Union act on the Screening of Foreign Investment in Strategic Sectors).

• There is an important difference and possible tension between, on the one hand, (a) domestic security requirements and, on the other hand, (b) national security interests (e.g. foreign investment review). The first addresses the level of security a country or region aims at achieving, which is in principle neutral as regards operators and their nationality (as long as the supplier meets the requirements). The second type of measures are based on national security interests and would therefore logically be used to address perceived risks associated with operators from certain countries (their nationality).

• National security interest policy goes beyond foreign investment review. The US has reportedly imposed and possibly revoked budgetary rules that required certain authorities to vet (request approval from) enforcement authorities when procuring information security systems.6 In 2012, both Australia and Germany blocked Huawei from tendering for certain network projects. In France, the supply of certain equipment which may be used for interception is prohibited, and supply may only be authorised by a specific governmental agency (ANSSI). Restrictions on who may supply to public authorities would have to be compatible with international trade law rules, but the trend may be that other countries could consider such restrictions if they detect or suspect cyberattacks associated with foreign suppliers.

• Recently, one country (the US) used economic sanctions as a tool to signal resistance against cybersecurity threats.7 Whereas the reason in that case was political (interference with elections), economic sanctions could potentially be used as a tool to ban operators allegedly involved in industrial cyber-theft or other security concerns.8 Also, the use of export control enforcement could become a method of blocking specific operators from trade. In March 2017, ZTE entered into a large settlement agreement for exporting sensitive US technology to Iran, which reportedly jeopardised US national security.9 Thus, imposing sanctions and enforcing export control rules could, following the US example, possibly be used by countries as tools to address national interest concerns by targeting specific operators, instead of basing the measure on the operator’s nationality (as with the Huawei example in Australia and Germany cited above).

6 See article from 2013 http://www.reuters.com/article/us-usa-cybersecurity-espionage-idUSBRE92Q18O20130327. Later, in the Consolidated Appropriations Act 2016, the language seems to require a self-assessment.

7 The case concerned Russian interference with US elections in 2016, and several Russian individuals are now listed by the Office of Foreign Assets Control (“OFAC”) and therefore in principle subject to a US trade ban.

8 https://www.washingtonpost.com/world/national-security/2016/12/27/fc93ae12-c925-11e6-8bee-54e800ef2a63_story.html?utm_term=.8f4ed50103a9

Use and contact details

In sections 4 to 9 below we provide a summary of each of the six jurisdictions. These summaries focus on the first two categories mentioned above, i.e. domestic law security requirements and national security interest requirements. These summaries are not exhaustive and the legal landscape is evolving rapidly. These summaries are not intended as legal advice but aim at providing an indicative list of legal acts which at present cover cybersecurity.

This overview has been prepared by Erica Wiking Häger, Partner, and Carolina Dackö, Specialist Counsel, at Mannheimer Swartling. In the spirit of an open digital society, we welcome feedback and information from readers who wish to contribute with information. Our contact details are:

Erica Wiking Häger, [email protected], +46 8 5950 63 30

Carolina Dackö, [email protected], +46 31 355 17 48

9 https://www.bis.doc.gov/index.php/forms-documents/about-bis/newsroom/1659-zte-settlement-agreement-signed/file, and press release from the US Department of Justice, https://www.justice.gov/opa/pr/zte-corporation-agrees-plead-guilty-and-pay-over-4304-million-violating-us-sanctions-sending


United States of America

domestic law security requirements

why: The US is developing industry standards to enhance security for defined “critical infrastructure” and to share information on incidents to strengthen responses. Also, specific standards are being developed for US public authorities. Cybersecurity is also in part found in other sector-specific legislation.

what: The key legal acts in the US setting down this work are:

• For private sector operators, the Cybersecurity Enhancement Act of 2014 directs the National Institute of Standards and Technology (NIST) to continue developing industry-based standards and best practices for “critical infrastructure”. Also, the Cybersecurity Act of 2015 encourages private operators to share information (with other operators and the government) about attacks while maintaining confidentiality, privilege and immunity from liability and anti-trust laws. Only defensive, not offensive, security measures are allowed.

• For public authorities, the National Cybersecurity Protection Act of 2014 directs the National Cybersecurity and Communications Integration Center of the Department of Homeland Security to collect and share information about risks and incidents with the public and private sector. The Federal Cybersecurity Enhancement Act of 2015 and the Federal Information Security Modernization Act of 2014 (FISMA 2014) direct the Department of Homeland Security, e.g. to implement intrusion assessment plans for federal authorities.

• For financial institutions, the Gramm-Leach-Bliley Act of 1999, under the Safeguards Rule, requires them e.g. to ensure the integrity of data and notification of breaches of customer information. Similarly, healthcare organisations, under the Health Insurance Portability and Accountability Act (HIPAA), have to protect information. Further, the Electronic Communications Privacy Act (ECPA) prohibits third parties from intercepting or disclosing communications without authorisation.

national or strategic interests

why: With increasing activity, the US reviews potential foreign investments to ensure that the foreign owners would not pose national interest concerns. Further, trade and export of sensitive information and security technology is restricted in order to prevent dissemination of sensitive technology used to protect against cybersecurity attacks. The US reportedly also imposed (and possibly revoked) requirements through the Appropriations Act on NASA and the Justice Department to buy information security systems only if federal law enforcement officers had given approval of the supplier.10

what: The CFIUS (Committee on Foreign Investment in the United States) is authorised to review, for national security purposes, transactions that could result in control of a US business by a foreign person. CFIUS shall identify any national security risk and may request that the President suspends or prohibits a transaction or takes other action. Factors to be considered under such a review include, amongst others, the security effect on the US defence industry, US critical infrastructure and also US technological leadership and critical technologies, particularly if the investment is made by a foreign state-controlled entity.11 The International Traffic in Arms Regulations (ITAR) and the Export Administration Regulations (EAR) impose restrictions on the export of sensitive items used for information security (hardware, software and technology), including encryption items and software. Further, Executive Order 13694 imposes sanctions against significant malicious cyber-enabled activities, and allows the Office of Foreign Assets Control (“OFAC”) under the US Treasury Department to impose asset freezes on persons responsible for cyberattacks that threaten the national security, foreign policy, or economic health or financial stability of the United States.

10 See article from 2013 http://www.reuters.com/article/us-usa-cybersecurity-espionage-idUSBRE92Q18O20130327. Later, in the Consolidated Appropriations Act 2016, the language seems to require a self-assessment.

11 See Section 721 of the Defense Production Act of 1950, 50 U.S.C. App. 2170, under (f), Factors to be considered, available at: https://www.treasury.gov/resource-center/international/foreign-investment/Pages/cfius-legislation.aspx

cybercrime

The United States Code (U.S.C.) lists as criminal acts e.g. online identity theft, hacking, intrusion into computer systems, child pornography and breach of intellectual property. Also, US state laws may impose additional or overlapping offences.

COUNTRY: USA

Legislation

Domestic law security requirements:

Essential services / critical infrastructure Yes

Data Privacy Yes

Banking / Financial regulation Yes

National Security Interest:

Foreign Investment review Yes

Export Control Yes

Sanctions against cyberattacks Yes

Cybercrime:

Cyber-enabled and cyber specific crime Yes

European Union

domestic law security requirements

why: The EU aims at achieving a common high EU level of security for networks and information systems for certain critical sectors (“essential services”) and to establish cooperation between Member States and operators to enhance security. Security requirements are also part of several other sectoral EU laws (e.g. telecom, privacy).

what: The main EU legal acts for cybersecurity are listed below. Most EU acts are directives and therefore require implementation in Member State national laws (which entails a risk of diverging interpretations).

• The NIS Directive (EU) 2016/1148 requires EU Member States to, by 9 May 2018, impose security requirements and notification obligations on their national essential services providers, both public and private (e.g. the transport, banking, financial market, health and water supply sectors), and to introduce penalties for failures. It also creates an incident response team network (“CSIRTs network”).

• The EU electronic communications Directive 2002/21/EC requires operators providing public communication networks or publicly available electronic communications services to ensure security.

• Directive 2009/140/EC (Telecom Package) requires telecom service providers to ensure integrity and notify incidents.

• EU Data privacy rules and ePrivacy Directive also require operators to ensure integrity and protect data.


• The eIDAS Regulation (EU) No 910/2014 establishes an internal market for the use of trust services and electronic identification.

national or strategic interests

Compared to the US, there is presently, at EU level, a gap in how cybersecurity risks in relation to foreign investment are assessed. As defence and security lie outside the EU’s legislative competence (Member States shall however operate under a Common Foreign and Security Policy12), EU Member States may adopt and act under national defence or national security laws (e.g. foreign investment reviews in Germany and France, see below). Reportedly, however, Germany has called for an EU regulation imposing mandatory reviews (in all Member States) to approve or prohibit foreign investments in consideration of possible national security threats. The EU Parliament has also called on the European Commission to draw up such common EU laws on foreign investment review.13

Further, in comparison to the US, the EU has not (yet) imposed any economic sanctions related to malicious cyber activities.

The EU does have laws on trade and export of information security technology (mainly through the EU Dual Use Regulation 428/2009), which restricts export and trade from all EU Member States of items (hardware, software and technology) related to information security (including encryption items).14 This regulation implements the Wassenaar Arrangement, including the relevant sections on information security.

12 The difference between the EU’s legislative competence in internal EU matters (allowing European Parliament scrutiny) and matters falling under the Common Foreign and Security Policy, whereby the Council can act unilaterally, is further explained for instance in case C-263/14, Parliament v Council, Judgment of the European Court of Justice of 14 June 2016 [ECLI:EU:C:2016:435].

13 The European Parliament recently submitted a request to the Commission to put forward a proposal for new rules (Proposal for a Union act on the Screening of Foreign Investment in Strategic Sectors).

cybercrime

Criminal law is normally the competence of each Member State’s national law, but the EU has through Directive 2013/40/EU established minimum definitions of what shall constitute criminal offences in all EU Member States (e.g. illegal access, illegal system interference, illegal data interference, illegal interception) and directs Member States to enact criminal penalties against these crimes. Also, Member States shall share information and report incidents.

COUNTRY: EU

Legislation

Domestic law security requirements:

Essential services / critical infrastructure Yes

Data Privacy Yes

Banking / Financial regulation Yes

National Security Interest:

Foreign Investment review No

Export Control Yes

Sanctions against cyberattacks No

Cybercrime:

Cyber-enabled and cyber specific crime Yes

14 Some intra-EU trade is also restricted under the dual use regulation.


Germany

domestic law security requirements

Beyond what is required by EU law (e.g. implementing the NIS Directive), Germany has some notable national laws touching on cybersecurity.

why: Germany has taken legislative action to enhance the IT security of Germany’s critical infrastructure and to protect users of the internet.

what: The German IT Security Law (IT-Sicherheitsgesetz: Gesetz zur Erhöhung der Sicherheit informationstechnischer Systeme)15 requires private and public infrastructure operators (e.g. energy, telecommunications, health, water/food, finance and insurance) to implement minimum information security standards (or face penalties) and imposes reporting obligations for suspected attacks. The Federal Office for Information Security (BSI) is responsible for investigating cyberattacks. Further, in specific sectors, the competent authority sets minimum IT security standards (e.g. the Federal Financial Supervisory Authority for the banking sector).

national or strategic interests

why: The German government may block foreign investments (e.g. in the IT security sector) to ensure that they do not threaten public order or security.

what: The German Foreign Trade Law (Außenwirtschaftsgesetz) allows the federal government to block investors from acquiring at least 25% of a company. The Ministry of Economic Affairs conducts mandatory reviews for foreign investments in certain IT security sectors.16 Reportedly, in 2012, the German national research and education network decided to ban Huawei from tendering for a network update due to security concerns.17 These rules may be further strengthened if common EU rules are adopted (see above). Germany also applies the EU dual-use regulation, including controls on the export of information security software and hardware (including encryption).

15 IT-Sicherheitsgesetz: Gesetz zur Erhöhung der Sicherheit informationstechnischer Systeme, available at: http://www.bgbl.de/xaver/bgbl/start.xav?startbk=Bundesanzeiger_BGBl&jumpTo=bgbl115s1324.pdf and further information available at: https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Broschueren/IT-Sicherheitsgesetz.pdf?__blob=publicationFile&v=5

16 See for example the review of the German company Aixtron which has been subject to further review by the German government: http://www.reuters.com/article/us-aixtron-m-a-fujian-germany-idUSKCN12O13G

17 http://www.lightreading.com/optical/huawei-denied-german-bid/a/d-id/695791

cybercrime

The German Criminal Code lists numerous acts as criminal offences (e.g. data espionage, phishing, computer fraud, data tampering and computer sabotage).

COUNTRY: GERMANY

Legislation

Domestic law security requirements:

Essential services / critical infrastructure Yes

Data Privacy Yes

Banking / Financial regulation Yes

National Security Interest:

Foreign Investment review Yes

Export Control Yes

Sanctions against cyberattacks No

Cybercrime:

Cyber-enabled and cyber specific crime Yes

France

domestic law security requirements

Beyond what is required by EU law, operators of information systems in critical infrastructure are obliged by the Military Planning Act to protect their information systems. The governmental agency ANSSI has an increasing role in preventing and collecting reports of attacks.18

national or strategic interests

Under article 226-3 of the Penal Code, France prohibits all forms of supply of certain equipment used to intercept communication, unless specifically authorised.19 The governmental agency ANSSI is entrusted to handle and grant authorisations for such supplies.20 France also applies the EU dual-use regulation, including controls on the export of information security software and hardware, including encryption. In addition, France also controls the supply and import of encryption into France. A general provision in the Defence Code allows French authorities, faced with a threat to e.g. its national interest, to perform any technical operation deemed necessary to attribute or mitigate an attack by accessing information. France also requires approval of foreign investments in sensitive sectors critical to France’s national interest.

18 See https://www.ssi.gouv.fr/administration/qualifications/produits-recommandes-par-lanssi/

19 See article 226-3 of the Penal Code (Code Pénal).

20 See the decree implementing article 226-3 of the Penal Code and delegating to ANSSI the competence to handle applications for authorisations (Arrêté du 11 août 2016 modifiant l’arrêté du 4 juillet 2012 fixant la liste d’appareils et de dispositifs techniques prévue par l’article 226-3 du code pénal). See for further information Avis no 6012-0449 du 29 mars 2016 sur le projet d’arrêté modifiant l’arrêté du 4 juillet 2012 fixant la liste d’appareils et de dispositifs techniques prévue par l’article 226-3 du code pénal, in which the French telecoms and postal regulator (ARCEP) provides an opinion on the changes to the lists of equipment subject to authorisation.

cybercrime

The Godfrain Law, incorporated into the French Criminal Code, sets out criminal offences associated with e.g. cybercrime. France has fully implemented the Budapest Convention into French law (see also the legal acts LOPPSI I and II).

COUNTRY: FRANCE

Legislation

Domestic law security requirements:

Essential services / critical infrastructure Yes

Data Privacy Yes

Banking / Financial regulation Yes

National Security Interest:

Foreign Investment review Yes

Export Control Yes

Sanctions against cyberattacks No

Cybercrime:

Cyber-enabled and cyber specific crime Yes

Australia

domestic law security requirements

why: Australia has taken several initiatives similar to those of the US and EU to enhance cybersecurity in critical infrastructure and in sector-specific areas, such as banking, finance and data privacy. However, at present, these initiatives appear not to be based on legislative action but rather on recommendations, guidelines and voluntary industry standards and cooperation (“soft law”) issued by the government.

what: The Australian Attorney-General has issued a Protective Security Policy Framework applicable in general to Australian governmental authorities. Also, the Australian Government Department of Defence has produced an Information Security Manual (ISM) which applies as a standard for government ICT systems. The government agency Trusted Information Sharing Network (TISN) provides a platform for sharing information on incidents and increasing resilience against cybersecurity attacks. For example, for banking, the Prudential Practice Guide CPG 235 issued by APRA sets out a standard for managing data risks. Healthcare providers should follow the specific Computer and Information Security Standards.

national or strategic interests

why: Australia reviews foreign investments for national interest concerns. Since 2015 the review includes a specific screening to determine whether the foreign investment is made by a foreign government.

what: The Foreign Acquisitions and Takeovers Act 1975 and the Foreign Acquisitions and Takeovers Regulation 2015 allow the Australian Government’s Foreign Investment Review Board (FIRB) to review foreign investments in Australia; it advises the Treasurer and the Commonwealth Government, who may decide that an investment is contrary to the national interest. Further, under the Australian Security Intelligence Organisation Act 1979, the Australian Security Intelligence Organisation (“ASIO”) may provide security intelligence to the Australian Government. In 2012, ASIO advised and the Government blocked Huawei from a public tender for the national broadband network. Also, under the Defence and Strategic Goods List, Australia controls the export of information security items in a similar manner to the export control rules of the US and the EU.21

21 Australia implements the Wassenaar Arrangement, which includes export control rules on information security items.


cybercrime

Various laws implement the Budapest Convention, criminalising acts under the Criminal Code Act 1995 and the Crimes Act 1914. Specific rules exist in the Telecommunications (Interception and Access) Act, the Copyright Act etc., and more specifically in the Cybercrime Act 2001.

COUNTRY: AUSTRALIA

Legislation

Domestic law security requirements:

Essential services / critical infrastructure Soft law

Data Privacy Yes

Banking / Financial regulation Soft law

National Security Interest:

Foreign Investment review Yes

Export Control Yes

Sanctions against cyberattacks No

Cybercrime:

Cyber-enabled and cyber specific crime Yes

Mexico

domestic law security requirements

There appears to be a significant lack of legislation compared to the other examined jurisdictions. Mexican data privacy rules contain some provisions on cybersecurity measures and there are, reportedly, agencies in Mexico working with incident reporting and governmental cooperation. However, the lack of legislative action reputedly is hampering this work. Mexico is seen as a high-risk country for both inbound and outbound attacks.

national or strategic interests

Mexico has recently adopted the international Wassenaar Arrangement and therefore also implemented export control rules on information security items.22 Our research has not detected any substantive laws as regards national security reviews or similar legislation.

cybercrime

The Federal Criminal Code lists some criminal offences which appear also to cover cybercrime. Mexico has reportedly adhered to the Budapest Convention, but it is not reported as a signatory. At present, it appears Mexico lacks substantive laws prohibiting cybercrime, and attempts to introduce legislation have been scrapped.

COUNTRY: MEXICO

Legislation

Domestic law security requirements:  

Essential services /critical infrastructure No

Data Privacy Yes

Banking / Financial regulation No

National Security Interest:  

Foreign Investment review No

Export Control Yes

Sanctions against cyberattacks No

Cybercrime:  

Cyber-enabled and cyber specific crime Some

22 Mexico’s membership of the Wassenaar Arrangement is still pending and it appears Mexico has not adopted its own laws on export control, but instead simply publishes the Wassenaar Arrangement on its webpage. http://www.siicex.gob.mx/portalSiicex/CONTROL%20DE%20EXPORTACIONES/Preguntas%20frecuentes.html


stockholm: Norrlandsgatan 21, Box 1711, 111 87 Stockholm, Sweden

gothenburg: Östra Hamngatan 16, Box 2235, 403 14 Gothenburg, Sweden

malmö: Carlsgatan 3, Box 4291, 203 14 Malmö, Sweden

helsingborg: Södra Storgatan 7, Box 1384, 251 13 Helsingborg, Sweden

moscow: Romanov Dvor Business Centre, Romanov per. 4, 125009 Moscow, Russia

shanghai: 25/F, Platinum, No. 233 Taicang Road, Huangpu District, Shanghai 200020, China

hong kong: 33/F, Jardine House, 1 Connaught Place, Central, Hong Kong, China

brussels: IT Tower, Avenue Louise 480, 1050 Brussels, Belgium

new york: 101 Park Avenue, New York NY 10178, USA

mannheimerswartling.se

Mannheimer Swartling is the leading commercial law firm in the Nordic region with an international practice and assignments all over the world. By combining the highest legal competence with industry know-how, we offer our clients professional legal advice with added value.