Next week we expect to find out if the Council of the EU will finally agree (“adopt a general approach”) on its version of the proposed General Data Protection Regulation (GDPR).  Progress with a “little brother” of the GDPR – namely the proposed Network and Information Security (NIS) Directive, tagged the Cybersecurity Directive – continues in parallel.  Before providing news next week on the GDPR, we thought that it would be useful to provide a quick update on NIS, especially as some of the issues with the GDPR – such as jurisdiction and supervision of companies – also are proving to be difficult in relation to NIS.


As we have explained previously, the Commission proposed the NIS Directive back in February 2013.  One of the main aims, in relation to the private sector, is to require companies in the energy, transport, financial services and health sectors, and possibly a range of online companies, to implement mandatory security measures and report significant security incidents to national authorities.  Broadly speaking, this would mirror existing obligations that apply to telecommunications providers.


The scope of the NIS Directive has been controversial from the outset.  Several Member States have expressed doubts about subjecting online companies – referred to at times as providers of information society services, digital services, internet enablers or other strained phrases – to the same obligations as operators of truly critical infrastructures.  The Parliament agreed to exclude internet enablers from scope in March last year (see our summary here), but Member States have continued to discuss this issue in Council meetings since then and have still to come to an agreement.

The Commission is becoming increasingly frustrated with the lack of progress on this issue in the Council.  The Commission recently suggested that instead of leaving it up to Member States to decide which companies that provide critical services are in scope of the Directive (which is one option under consideration), this could be addressed via delegated acts.  This essentially would allow the Commission to define the type of companies within scope at a later date without having to go through the usual legislative procedure.  This is not the first time that the Commission has made this suggestion.  It’s fair to say that it has not been universally well received.


Another challenge is how to determine which national regulator has jurisdiction over a company that operates across the Union.  Strangely, for a directive, the rules on both applicable law and allocating the jurisdiction of national regulators have been vague from the outset.  The Commission recently proposed possible solutions in a “working document”, based on (a) where companies are “established” (which may mean “headquartered”), (b) where their network and information systems are physically located, or (c) where they provide core services to customers.  The Commission favours the “country of origin principle” and a combination of (a) and (b).  The document seems in places to borrow from existing ideas in the Data Protection Directive 95/46/EC (DPD), e.g., requiring companies to appoint a representative if they are not established in the Union.  This may not bode well given that the rules under the DPD are complicated and the jurisprudence on jurisdiction is still being formed 20 years after the DPD was adopted (see Google, the CJEU and the Long Arm of European Data Protection Law).

More welcome are reports from the UK that, regardless of the rules on jurisdiction, there is broad agreement that Member States may use existing sector-specific competent authorities to work directly with companies that are in scope, and then nominate a single point of contact for cross-border communications (see update from Rachael Bishop, policy officer at the Department for Business, Innovation and Skills).  It is our understanding that this has always been the intention, even if it has not been made very clear in the original proposal.

Next steps

The Italian Presidency of the Council hoped to reach a conclusion by the end of 2014, but was unsuccessful.  The Latvian Presidency similarly has pushed hard these past 6 months, but NIS was not on the agenda for today’s Council meeting and it looks like time is running out.  Although further talks may take place later this month (possibly on 22 or 29 June), Brussels media report that it is unlikely an agreement will be reached on NIS before the Presidency of Luxembourg starts on 1 July.

There are some interesting potential ways being suggested to break the gridlock, so we’ll continue to monitor and report developments in the coming weeks and months.  And, who knows, perhaps NIS will still beat the GDPR when it comes to which legislation is adopted first!

Mark Young

Mark Young advises clients on data protection, cybersecurity and other tech regulatory matters. He has particular expertise in product counselling, GDPR regulatory investigations, and legislative advocacy. Mr. Young leads on EU cybersecurity regulatory matters, and helps to oversee our internet enforcement team.



He has been recognized in Chambers UK as “a trusted adviser – practical, results-oriented and an expert in the field.” Recent editions note that he is “deeply knowledgeable in the area of privacy and data protection,” “fast, thorough and responsive,” and has “great insight into the regulators.”

Mr. Young has over 15 years of experience advising global companies, particularly in the technology, health and pharmaceutical sectors, on all aspects of data protection and security. This includes providing practical guidance on analyzing and using personal data, transferring personal data across borders, and potential liability exposure. He specializes in advising in relation to new products and services, and providing strategic advice and advocacy on a range of EU law reform issues and references to the EU Court of Justice.

For cybersecurity matters, he counsels clients on practices to protect business-critical information and comply with national and sector-specific regulation, and on preparing for and responding to cyber-based attacks and internal threats to their networks and information. He has helped a range of organizations respond to cyber and data security incidents – including external data breaches and insider theft of trade secrets – through the stages of initial detection, containment, notification, recovery and remediation.

In the IP enforcement space, Mr. Young represents right owners in the sport, media, publishing, fashion and luxury goods industries, and helps coordinate a team of internet investigators that has nearly two decades of experience conducting global notice and takedown programs to combat internet piracy.