On December 7, 2015, the European institutions reached an informal agreement on the EU Network and Information Security (NIS) Directive — dubbed the Cybersecurity Directive (see press release from the Council).  Among other things, the NIS Directive imposes security and incident reporting obligations on operators of essential services in critical sectors and on some digital service providers.

As we reported in the summer, the scope of the NIS Directive has been controversial since the Commission published its original proposal back in February 2013.  Several stakeholders, including some Member States, have expressed reservations about subjecting online companies to the same obligations as operators of essential services in the energy, transport and other critical sectors.  Following many months of negotiations, a compromise has now been reached by introducing a lighter-touch regime for certain digital service providers that fall within the scope of the Directive.

Operators of essential services in critical sectors

The NIS Directive imposes two key obligations on operators of essential services in the energy, transport, banking, financial market infrastructure, health and water supply sectors:

  • to implement security measures to manage the risks posed to the security of networks and information systems that they control and use in their operations; and
  • to report to the competent authorities security incidents that have a significant impact on the continuity of the essential services that they provide.

Supervision by competent authorities will be stricter for these operators than for providers of digital services.

Digital service providers 

Some digital service providers — specifically cloud services, e-commerce platforms, and search engines — will be subject to similar security and incident reporting requirements, but we understand that supervision will be lighter (i.e., authorities will be empowered to act only on an ex post basis, after the fact, rather than to supervise these providers proactively).  The European Parliament’s press release specifically identifies Amazon, eBay and Google as examples of companies that will likely be covered.  The European Parliament initially wanted to remove online companies from scope entirely, but the Commission and Council resisted this; creating a lighter oversight regime for the digital service providers in scope seems to have facilitated a compromise.

The precise nature of the obligations and oversight arrangements will become clear once a consolidated text becomes publicly available.

Next steps and other key points for the private sector

  • The immediate next step in the legislative process is for the European Parliament’s Internal Market Committee and the Council’s Committee of Permanent Representatives to formally approve the provisionally agreed text.  It is anticipated that Parliament will give its approval on December 17, and the Presidency of the Council will present the agreed text for approval by Member States at the Permanent Representatives Committee (Coreper) on December 18.
  • Once the NIS Directive is published in the Official Journal of the European Union and enters into force early next year, Member States will have 21 months to transpose it into national law.  Member States will then have a further 6 months to apply criteria laid down in the Directive to identify specific companies covered by national rules.  These processes are likely to be complicated and companies that may fall within scope should participate in consultations and monitor developments across the EU over the coming months.
  • The NIS Directive is a minimum harmonisation measure, meaning that it establishes minimum security and reporting requirements that Member States must introduce, while granting them leeway to adopt or maintain stricter rules.  ENISA, the principal EU agency on NIS, will be tasked with providing recommendations and guidelines on technical issues, for example in relation to security measures and incident reporting, next year and beyond.  ENISA’s role and input are likely to be important in trying to avoid significant variances in practice emerging across the EU.
  • Although separate from the proposed General Data Protection Regulation (GDPR) and the security and personal data breach notification requirements that it sets out, legislators have indicated that they will try to ensure that requirements to report security incidents under NIS and to notify personal data breaches under the GDPR will be aligned.  Negotiations on the GDPR are expected to conclude in the coming weeks, so we will hopefully soon learn more about the interaction between these potentially overlapping security and reporting obligations.


*Victoria Gilbert is a trainee and attended BPP Law School.


Mark Young is an experienced tech regulatory lawyer and a vice-chair of Covington’s Data Privacy and Cybersecurity Practice Group. He advises major global companies on their most challenging data privacy compliance matters and investigations. Mark also leads on EMEA cybersecurity matters at the firm. In these contexts, he has worked closely with some of the world’s leading technology and life sciences companies and other multinationals.

Mark has been recognized for several years in Chambers UK as “a trusted adviser – practical, results-oriented and an expert in the field;” “fast, thorough and responsive;” “extremely pragmatic in advice on risk;” “provides thoughtful, strategic guidance and is a pleasure to work with;” and has “great insight into the regulators.” According to the most recent edition (2024), “He’s extremely technologically sophisticated and advises on true issues of first impression, particularly in the field of AI.”

Drawing on over 15 years of experience, Mark specializes in:

  • Advising on potential exposure under GDPR and international data privacy laws in relation to innovative products and services that involve cutting-edge technology, e.g., AI, biometric data, and connected devices.
  • Providing practical guidance on novel uses of personal data, responding to individuals exercising rights, and data transfers, including advising on Binding Corporate Rules (BCRs) and compliance challenges following Brexit and Schrems II.
  • Helping clients respond to investigations by data protection regulators in the UK, EU and globally, and advising on potential follow-on litigation risks.
  • Counseling ad networks (demand and supply side), retailers, and other adtech companies on data privacy compliance relating to programmatic advertising, and providing strategic advice on complaints and claims in a range of jurisdictions.
  • Advising life sciences companies on industry-specific data privacy issues, including:
    • clinical trials and pharmacovigilance;
    • digital health products and services; and
    • engagement with healthcare professionals and marketing programs.
  • International conflict of law issues relating to white collar investigations and data privacy compliance (collecting data from employees and others, international transfers, etc.).
  • Advising various clients on the EU NIS2 Directive and UK NIS regulations and other cybersecurity-related regulations, particularly (i) cloud computing service providers, online marketplaces, social media networks, and other digital infrastructure and service providers, and (ii) medical device and pharma companies, and other manufacturers.
  • Helping a broad range of organizations prepare for and respond to cybersecurity incidents, including personal data breaches, IP and trade secret theft, ransomware, insider threats, supply chain incidents, and state-sponsored attacks. Mark’s incident response expertise includes:
    • supervising technical investigations and providing updates to company boards and leaders;
    • advising on PR and related legal risks following an incident;
    • engaging with law enforcement and government agencies; and
    • advising on notification obligations and other legal risks, and representing clients before regulators around the world.
  • Advising clients on risks and potential liabilities in relation to corporate transactions, especially involving companies that process significant volumes of personal data (e.g., in the adtech, digital identity/anti-fraud, and social network sectors).
  • Providing strategic advice and advocacy on a range of UK and EU technology law reform issues including data privacy, cybersecurity, ecommerce, eID and trust services, and software-related proposals.
  • Representing clients in connection with references to the Court of Justice of the EU.