It has been an eventful week in the European Parliament in relation to data privacy and security matters.  Having already voted in favor of the General Data Protection Regulation (“GDPR”) and endorsed a controversial report into allegations of mass surveillance, the European Parliament voted yesterday on the proposed Network and Information Security (“NIS”) Directive.  In line with previous committee reports, the Parliament vote ensures that the proposed NIS Directive focuses on protecting critical infrastructure in the energy, transport, financial services and health sectors.

The EU legislative bodies will now enter into negotiations to agree a final text.  Commissioner Kroes called earlier this week for this work to be completed this year, but this timeframe seems ambitious.

Recap on the Proposed NIS Directive

The Commission proposed the NIS Directive in February 2013.  In addition to provisions aimed at Member State governments (e.g., to improve cyber security capabilities and cooperation to prevent and respond to cyber-attacks), the Directive targets private companies in the energy, transport, financial services and health sectors.  The Commission draft also applied to “enablers of key internet services”, such as providers of cloud computing services, app stores, e-commerce platforms, internet payment gateways, search engines and social networks.   

The two main requirements on private sector companies under the Directive are (i) to implement security measures to “guarantee a level of security appropriate to the risk presented . . . having regard to the state of the art”, and (ii) to notify competent national authorities of any security incident that has a significant impact on the continuity of core services they provide.  The basic idea is to extend EU-level security and incident reporting requirements, which currently only apply to communication network and service providers, to a broad universe of private sector companies. 

Scope 

Including “enablers of key internet services” within the scope of the Directive has been controversial.  One view, which rapporteur Andreas Schwab (IMCO) expressed in his report, is that the security and reporting requirements should be “limited to infrastructures that are critical in a stricter sense”.  The Parliament yesterday agreed that these requirements should only be imposed on companies in the energy, transport, financial services and health sectors, and that “internet enablers” should be excluded.  This is consistent with the view of several Member States that such companies should not be covered by the proposal (see the Council’s Progress Report of 22 November 2013).  The Parliament has also removed public administrations from scope.

The Parliament agreed with the Commission’s original proposal that software developers and hardware manufacturers should be excluded from the scope of the Directive.

Overlap with the General Data Protection Regulation – and who to notify… 

One of the concerns that has been raised in relation to the Directive is the overlap with the proposed General Data Protection Regulation, specifically regarding whether it creates double reporting requirements (in relation to security incidents and personal data breaches).  More work will need to be done to clarify how this is to work in practice. 

Several other issues (such as applicable national law) still need to be resolved in relation to the NIS Directive, but one of the more significant challenges will be deciding which regulators should supervise private sector companies and receive reports of incidents.  As we know from the GDPR debate, determining which national regulators have scope to act and how they should cooperate is a thorny issue, which is arguably even more complicated in relation to the NIS Directive as energy, transport, financial services and health companies are already supervised by sector-specific national regulators.  The Parliament has made some progress in this area by proposing to amend the Directive to require each Member State to appoint one single point of contact, but it remains to be seen whether this plan will survive negotiations with the Council.

Mark Young


Mark Young advises clients on data protection, cybersecurity and other tech regulatory matters. He has particular expertise in product counselling, GDPR regulatory investigations, and legislative advocacy. Mr. Young leads on EU cybersecurity regulatory matters, and helps to oversee our internet enforcement team.

He has been recognized in Chambers UK as “a trusted adviser – practical, results-oriented and an expert in the field.” Recent editions note that he is “deeply knowledgeable in the area of privacy and data protection,” “fast, thorough and responsive,” and has “great insight into the regulators.”

Mr. Young has over 15 years of experience advising global companies, particularly in the technology, health and pharmaceutical sectors, on all aspects of data protection and security. This includes providing practical guidance on analyzing and using personal data, transferring personal data across borders, and potential liability exposure. He specializes in advising in relation to new products and services, and providing strategic advice and advocacy on a range of EU law reform issues and references to the EU Court of Justice.

For cybersecurity matters, he counsels clients on practices to protect business-critical information and comply with national and sector-specific regulation, and on preparing for and responding to cyber-based attacks and internal threats to their networks and information. He has helped a range of organizations respond to cyber and data security incidents – including external data breaches and insider theft of trade secrets – through the stages of initial detection, containment, notification, recovery and remediation.

In the IP enforcement space, Mr. Young represents right owners in the sport, media, publishing, fashion and luxury goods industries, and helps coordinate a team of internet investigators that has nearly two decades of experience conducting global notice and takedown programs to combat internet piracy.