International business meeting

Doing Business with the European Union

The European Union (EU) has made Cybersecurity a top priority and those conducting business with the association should be aware of its potential impact on them.

On May 9, 2018, all 28 EU member states will implement the Directive on Security of Network and Information Systems (NIS Directive) in hopes of "achieving a high, common level of network and information systems security across the EU." Effectively, this means those involved with conducting business with the EU in the following sectors must prove that they have established top Cybersecurity protocols, including a policy to immediately report breaches in data:

  • Energy: electricity, oil, gas
  • Transport: air, rail, road, maritime
  • Banking
  • Financial market infrastructure
  • Health
  • Water Supply
  • Digital infrastructure (IXP’s, DNS service providers, TLD name registries)
  • Online service providers
  • Online marketplaces
  • Online search engines
  • Cloud computing services

The scope of this law drastically exceeds any reporting guidelines and/or best practices currently in place in the US, including the New York Cybersecurity law applicable to financial institutions conducting business in Empire state. Clearly, many US companies currently fall short of the Cybersecurity enforcement being implemented by the EU.

If you conduct business in one of the 28 EU countries or plan to do so in the future, please contact Steve Franckhauser at for details on the law and its stringent compliance measures.

About the Author(s)

Steven Franckhauser is a Senior Director working out of the Columbus, Ohio and Pittsburgh, Pennsylvania offices of HBK. He joined HBK in 2011 and works with both the Risk Advisory/Cybersecurity and Energy divisions of the firm.

He is an adjunct Professor of Law at the Duquesne University School of Law, where he teaches business planning and cyber security courses. Steve contributes to the Penn State Extension programs on Shale development, is an adjunct Professor at Penn State University's Beaver campus in Monaca, Penn., and has been a guest lecturer on shale energy and renewable energy at The Ohio State University Fisher School of Business and the School of Arts and Sciences. He is also a past recipient of the “Who’s Who in Energy” by the Pittsburgh Business Times.

He serves on various industry-related boards and is a frequent lecturer and speaker on the economic development and opportunities provided by shale energy, as well as on topics related to the importance and development of Cybersecurity best practices, regulations and standards as they relate to businesses and individuals.

Matthew J. Schiavone is a Senior Manager in HBK’s Quality Control department and works primarily in the Pittsburgh, Pennsylvania office. He specializes in risk advisory services, system and organization control (SOC) reporting, internal controls, IT audit, information security, and cyber security for all types of industries.

Hill, Barth & King LLC has prepared this material for informational purposes only. Any tax advice contained in this communication (including any attachments) is not intended or written to be used, and cannot be used, for the purpose of (i) avoiding penalties under the Internal Revenue Code or under any state or local tax law or (ii) promoting, marketing or recommending to another party any transaction or matter addressed herein. Please do not hesitate to contact us if you have any questions regarding the matter.