Why Blockchain Firms Shouldn't Ignore New EU Cybersecurity Laws

Jacek Czarnecki is an attorney at Warsaw-based law firm Wardynski & Partners, where he specializes in areas including FinTech, digital currencies and blockchain.

In this opinion piece, Czarnecki discusses European regulatory developments beyond blockchain, arguing that some laws under review outside the industry's oversight could prove impactful to its practices.

We know that 'virtual currencies' (the term to be hardwired into European Union law) will be covered by new anti-money laundering and terrorist financing regulations.

But, while the details on this industry-specific regulation will follow shortly, there are also other pieces of the EU legislation that deserve attention in the meantime.

Going forward, it is quite clear that blockchain as a technology will primarily attract the attention of regulators interested in particular applications.

Lawyers, by and large, think about bitcoin from the perspective of financial regulations or look at smart contracts from the point of view of contract law. This is not necessarily correct, (smart contracts may replace not just legal contracts, for example), but it shows a pattern of thinking that we may be wise to keep in mind going forward.

Namely, that other use cases of blockchain will require legal analysis based on specific areas they impact.

Am I regulated?

This has one important consequence: the regulations that may apply to any specific blockchain use case aren't clear.

In other words, depending on particular applications of blockchain, different laws may apply. For example, token crowdsales will be scrutinized under securities regulation, since they very often serve the same aim as IPOs, or at least have very similar economic meaning.

Naturally, this should not come as a surprise. The internet might provide a useful example.

We are already used to the fact that different activities performed over the internet may trigger wide range of various regulations, such as consumer protection, personal data protection or intellectual property law.

The practical result is that blockchain projects will often require legal analysis to determine what kind of regulation will apply to a particular application (if any).

This should be also taken into account by lawmakers and regulators. New legislation, even if not drafted with blockchain in mind, may cause side effects that can stifle innovation.

Changing data laws

With this in mind, we've recently seen a number of other regulations that, while not specifically aimed at the technology, could nonetheless impact its growth.

Examples include the new personal data protection framework in the EU, which – although declared as 'technologically neutral' – may potentially cause conflicts.

Another interesting example is the EU's directive on security of network and information systems (the NIS Directive, also dubbed as cybersecurity directive), adopted in 2016. Some of its provisions, which are going to become binding law in 2018, pose questions with regard to blockchain projects.

The new directive is important for the private sector, because it imposes cybersecurity obligations on some entities, including certain rules of handling cybersecurity incidents or obligations to take specific measures to manage risks in such systems.

The NIS Directive sets forth three types of digital services: online marketplace, online search engine and cloud computing.

Cloud computing

The cloud computing service is particularly interesting here.

The cybersecurity directive defines it as a "digital service that enables access to a scalable and elastic pool of shareable computing resources". While the definition of cloud computing isn't controversial, it is worth noting that it can be interpreted broadly.

The directive itself confirms that a wide interpretation should be applied when it says that "cloud computing services span a wide range of activities that can be delivered according to different models".

What does it mean for blockchain technology and its applications?

The first consequence is that some activities such as cloud mining can be covered by the above definition.

Much more interesting is how the new regulation will apply to ethereum and similar solutions. Services provided via ethereum (which is a kind of a distributed computing platform) may potentially fall within the above mentioned definition of a cloud computing service.

In such a situation, providers of such services will be subject to obligations set forth in the cybersecurity directive. It is even more interesting if we think of distributed services that cannot be easily attributed to any specific provider.

We will know the scale of issues following from potential application of the cybersecurity directive to blockchain-related matters when the law is implemented by the EU member states. However, it already gives us an idea how various regulations may, sometimes surprisingly, apply to applications of blockchain technology.

Cyber law image via Shutterstock