It has been an eventful week in the European Parliament in relation to data privacy and security matters.  Having already voted in favor of the General Data Protection Regulation (“GDPR”) and endorsed a controversial report into allegations of mass surveillance, the European Parliament voted yesterday on the proposed Network and Information Security (“NIS”) Directive.  In line with previous committee reports, the Parliament vote ensures that the proposed NIS Directive focuses on protecting critical infrastructure in the energy, transport, financial services and health sectors.

The EU legislative bodies will now enter into negotiations to agree a final text.  Commissioner Kroes called earlier this week for this work to be completed this year, but this timeframe seems ambitious.

Recap on the Proposed NIS Directive

The Commission proposed the NIS Directive in February 2013.  In addition to provisions aimed at Member State governments (e.g., to improve cyber security capabilities and cooperation to prevent and respond to cyber-attacks), the Directive targets private companies in the energy, transport, financial services and health sectors.  The Commission draft also applied to “enablers of key internet services”, such as providers of cloud computing services, app stores, e-commerce platforms, internet payment gateways, search engines and social networks.

The two main requirements on private sector companies under the Directive are (i) to implement security measures to “guarantee a level of security appropriate to the risk presented . . . having regard to the state of the art”, and (ii) to notify competent national authorities of any security incident that has a significant impact on the continuity of core services they provide.  The basic idea is to extend EU-level security and incident reporting requirements, which currently only apply to communication network and service providers, to a broad universe of private sector companies. 

Scope

Including “enablers of key internet services” within the scope of the Directive has been controversial.  One view, which rapporteur Andreas Schwab (IMCO) expressed in his report, is that the security and reporting requirements should be “limited to infrastructures that are critical in a stricter sense”.  The Parliament yesterday agreed that these requirements should only be imposed on companies in the energy, transport, financial services and health sectors, and that “internet enablers” should be excluded.  This is consistent with the view of several Member States that such companies should not be covered by the proposal (see the Council’s Progress Report of 22 November 2013).  The Parliament has also removed public administrations from scope.

The Parliament agreed with the Commission’s original proposal that software developers and hardware manufacturers should be excluded from the scope of the Directive.

Overlap with the General Data Protection Regulation – and who to notify…

One of the concerns that have been raised in relation to the Directive is its overlap with the proposed General Data Protection Regulation, specifically whether the two instruments create double reporting requirements (for security incidents under the Directive and for personal data breaches under the GDPR).  More work will need to be done to clarify how this is to work in practice.

Several other issues (such as applicable national law) still need to be resolved in relation to the NIS Directive, but one of the more significant challenges will be deciding which regulators should supervise private sector companies and receive reports of incidents.  As we know from the GDPR debate, determining which national regulators have scope to act and how they should cooperate is a thorny issue, which is arguably even more complicated in relation to the NIS Directive as energy, transport, financial services and health companies are already supervised by sector-specific national regulators.  The Parliament has made some progress in this area by proposing to amend the Directive to require each Member State to appoint one single point of contact, but it remains to be seen whether this plan will survive negotiations with the Council.

Mark Young

Mark Young is an experienced tech regulatory lawyer and a vice-chair of Covington’s Data Privacy and Cybersecurity Practice Group. He advises major global companies on their most challenging data privacy compliance matters and investigations. Mark also leads on EMEA cybersecurity matters at the firm. In these contexts, he has worked closely with some of the world’s leading technology and life sciences companies and other multinationals.
