On December 7, 2015, the European institutions reached an informal agreement on the EU Network and Information Security (NIS) Directive — dubbed the Cybersecurity Directive (see press release from the Council).  Among other things, the NIS Directive imposes security and incident reporting obligations on operators of essential services in critical sectors and on some digital service providers.

As we reported in the summer, the scope of the NIS Directive has been controversial since the Commission published its original proposal back in February 2013.  Several stakeholders, including some Member States, have expressed reservations about subjecting online companies to the same obligations as operators of essential services in the energy, transport and other critical sectors.  Following many months of negotiations, a compromise has now been reached by introducing a lighter-touch regime for certain digital service providers that fall within the scope of the Directive.

Operators of essential services in critical sectors

The NIS Directive imposes two key obligations on operators of essential services in the energy, transport, banking, financial market infrastructure, health and water supply sectors:

  • to implement security measures to manage the risks posed to the security of networks and information systems that they control and use in their operations; and
  • to report to the competent authorities security incidents that have a significant impact on the continuity of the essential services that they provide.

Supervision by competent authorities will be stricter for these operators than for providers of digital services.

Digital service providers 

Some digital service providers — specifically cloud services, e-commerce platforms, and search engines — will be subject to similar security and incident reporting requirements, but we understand that supervision will be lighter (i.e., authorities will only be empowered to act on an ex post basis).  The European Parliament’s press release specifically identifies Amazon, eBay and Google as examples of companies that will likely be covered.  The European Parliament initially wanted to remove online companies from scope entirely, but the Commission and Council resisted this — creating a lighter oversight regime for the digital service providers in scope seems to have facilitated a compromise.

The precise nature of the obligations and oversight arrangements will become clear once a consolidated text becomes publicly available.

Next steps and other key points for the private sector

  • The immediate next step in the legislative process is for the European Parliament’s Internal Market Committee and the Council’s Committee of Permanent Representatives to approve formally the provisionally agreed text.  It is anticipated that Parliament will give its approval on December 17, and the Presidency of the Council will present the agreed text for approval by Member States at the Permanent Representatives Committee (Coreper) on December 18.
  • Once the NIS Directive is published in the Official Journal of the European Union and enters into force early next year, Member States will have 21 months to transpose it into national law.  Member States will then have a further 6 months to apply criteria laid down in the Directive to identify specific companies covered by national rules.  These processes are likely to be complicated and companies that may fall within scope should participate in consultations and monitor developments across the EU over the coming months.
  • The NIS Directive is a minimum harmonisation measure, meaning that it establishes minimum security and reporting requirements that Member States must introduce, while granting them leeway to adopt or maintain stricter rules.  ENISA, the principal EU agency on NIS, will be tasked with providing recommendations and guidelines on technical issues, for example in relation to security measures and incident reporting, next year and beyond.  ENISA’s role and input is likely to be important to try to avoid significant variances in practices from emerging across the EU.
  • Although separate from the proposed General Data Protection Regulation (GDPR) and the security and personal data breach notification requirements that it sets out, legislators have indicated that they will try to ensure that requirements to report security incidents under NIS and to notify personal data breaches under the GDPR will be aligned.  Negotiations on the GDPR are expected to conclude in the coming weeks, so hopefully we will find out soon more details about the interaction between these potentially overlapping security and reporting obligations.


*Victoria Gilbert is a trainee and attended BPP Law School.

Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Mark Young Mark Young

Mark Young, an experienced tech regulatory lawyer, advises major global companies on their most challenging data privacy compliance matters and investigations.

Mark also leads on EMEA cybersecurity matters at the firm. He advises on evolving cyber-related regulations, and helps clients respond to…

Mark Young, an experienced tech regulatory lawyer, advises major global companies on their most challenging data privacy compliance matters and investigations.

Mark also leads on EMEA cybersecurity matters at the firm. He advises on evolving cyber-related regulations, and helps clients respond to incidents, including personal data breaches, IP and trade secret theft, ransomware, insider threats, and state-sponsored attacks.

Mark has been recognized in Chambers UK for several years as “a trusted adviser – practical, results-oriented and an expert in the field;” “fast, thorough and responsive;” “extremely pragmatic in advice on risk;” and having “great insight into the regulators.”

Drawing on over 15 years of experience advising global companies on a variety of tech regulatory matters, Mark specializes in:

  • Advising on potential exposure under GDPR and international data privacy laws in relation to innovative products and services that involve cutting-edge technology (e.g., AI, biometric data, Internet-enabled devices, etc.).
  • Providing practical guidance on novel uses of personal data, responding to individuals exercising rights, and data transfers, including advising on Binding Corporate Rules (BCRs) and compliance challenges following Brexit and Schrems II.
    Helping clients respond to investigations by data protection regulators in the UK, EU and globally, and advising on potential follow-on litigation risks.
  • GDPR and international data privacy compliance for life sciences companies in relation to:
    clinical trials and pharmacovigilance;

    • digital health products and services; and
    • marketing programs.
    • International conflict of law issues relating to white collar investigations and data privacy compliance.
  • Cybersecurity issues, including:
    • best practices to protect business-critical information and comply with national and sector-specific regulation;
      preparing for and responding to cyber-based attacks and internal threats to networks and information, including training for board members;
    • supervising technical investigations; advising on PR, engagement with law enforcement and government agencies, notification obligations and other legal risks; and representing clients before regulators around the world; and
    • advising on emerging regulations, including during the legislative process.
  • Advising clients on risks and potential liabilities in relation to corporate transactions, especially involving companies that process significant volumes of personal data (e.g., in the adtech, digital identity/anti-fraud, and social network sectors.)
  • Providing strategic advice and advocacy on a range of EU technology law reform issues including data privacy, cybersecurity, ecommerce, eID and trust services, and software-related proposals.
  • Representing clients in connection with references to the Court of Justice of the EU.