Next week we expect to find out if the Council of the EU will finally agree (“adopt a general approach”) on its version of the proposed General Data Protection Regulation (GDPR).  Progress with a “little brother” of the GDPR – namely the proposed Network and Information Security (NIS) Directive, tagged the Cybersecurity Directive – continues in parallel.  Before providing news next week on the GDPR, we thought that it would be useful to provide a quick update on NIS, especially as some of the issues with the GDPR – such as jurisdiction and supervision of companies – also are proving to be difficult in relation to NIS.

Recap

As we have explained previously, the Commission proposed the NIS Directive back in February 2013.  One of the main aims, in relation to the private sector, is to require companies in the energy, transport, financial services and health sectors, and possibly a range of online companies, to implement mandatory security measures and report significant security incidents to national authorities.  Broadly speaking, this would mirror existing obligations that apply to telecommunications providers.

Scope

The scope of the NIS Directive has been controversial from the outset.  Several Member States have expressed doubts about subjecting online companies – referred to at times as providers of information society services, digital services, internet enablers or other strained phrases – to the same obligations as operators of truly critical infrastructures.  The Parliament agreed to exclude internet enablers from scope in March last year (see our summary here), but Member States have continued to discuss this issue in Council meetings since then and have yet to reach an agreement.

The Commission is becoming increasingly frustrated with the lack of progress on this issue in the Council.  The Commission recently suggested that, instead of leaving it up to Member States to decide which companies providing critical services are in scope of the Directive (which is one option under consideration), this could be addressed via delegated acts.  This essentially would allow the Commission to define the types of companies within scope at a later date without having to go through the usual legislative procedure.  This is not the first time that the Commission has made this suggestion.  It’s fair to say that it has not been universally well received.

Jurisdiction

Another challenge is how to determine which national regulator has jurisdiction over a company that operates across the Union.  Strangely, for a directive, the rules on both applicable law and allocating the jurisdiction of national regulators have been vague from the outset.  The Commission recently proposed possible solutions in a “working document”, based on (a) where companies are “established” (which may mean “headquartered”), (b) where their network and information systems are physically located, or (c) where they provide core services to customers.  The Commission favours the “country of origin principle” and a combination of (a) and (b).  The document seems in places to borrow from existing ideas in the Data Protection Directive 95/46/EC (DPD), e.g., requiring companies to appoint a representative if they are not established in the Union.  This may not bode well given that the rules under the DPD are complicated and the jurisprudence on jurisdiction is still being formed 20 years after the DPD was adopted (see Google, the CJEU and the Long Arm of European Data Protection Law).

More welcome are reports from the UK that, regardless of the rules on jurisdiction, there is broad agreement that Member States may use existing sector-specific competent authorities to work directly with companies that are in scope, and then nominate a single point of contact for cross-border communications (see update from Rachael Bishop, policy officer at the Department for Business, Innovation and Skills).  It is our understanding that this has always been the intention, even if the original proposal did not make it very clear.

Next steps

The Italian Presidency of the Council hoped to reach a conclusion by the end of 2014, but was unsuccessful.  The Latvian Presidency similarly has pushed hard these past six months, but NIS was not on the agenda for today’s Council meeting and it looks like time is running out.  Although further talks may take place later this month (possibly on 22 or 29 June), Brussels media report that it is unlikely an agreement will be reached on NIS before the Presidency of Luxembourg starts on 1 July.

There are some interesting potential ways being suggested to break the gridlock, so we’ll continue to monitor and report developments in the coming weeks and months.  And, who knows, perhaps NIS will still beat the GDPR when it comes to which legislation is adopted first!


Mark Young is an experienced tech regulatory lawyer and a vice-chair of Covington’s Data Privacy and Cybersecurity Practice Group. He advises major global companies on their most challenging data privacy compliance matters and investigations. Mark also leads on EMEA cybersecurity matters at the firm. In these contexts, he has worked closely with some of the world’s leading technology and life sciences companies and other multinationals.

Mark has been recognized for several years in Chambers UK as “a trusted adviser – practical, results-oriented and an expert in the field;” “fast, thorough and responsive;” “extremely pragmatic in advice on risk;” “provides thoughtful, strategic guidance and is a pleasure to work with;” has “great insight into the regulators;” and “is technologically sophisticated and advises on true issues of first impression, particularly in the field of AI.”

Drawing on over 20 years of experience, Mark specializes in:

Providing practical guidance and advising on potential exposure under GDPR and international data privacy laws in relation to innovative products and services.
Handling complex regulatory investigations and enforcement actions involving data privacy regulators in the UK, EU and globally, and advising on follow-on litigation risk.
Helping clients respond to cybersecurity incidents, including ransomware, supply chain incidents, state-sponsored attacks, insider threats, personal data breaches, and IP and trade secret theft.
Advising various clients on the EU NIS2 Directive, Cyber Resilience Act (CRA), and other emerging EU, UK, and global cybersecurity laws and regulations.
Advising life sciences companies on industry-specific data privacy issues, including clinical trials, pharmacovigilance, and digital health products and services.
Advising on data privacy compliance in relation to employees and international transfers of data in connection with white collar investigations.
Providing strategic advice and advocacy on a range of UK and EU technology law reform issues relating to data privacy, cybersecurity, eIDs, and software.
Representing clients in connection with references to the Court of Justice of the EU.