The directive on security of networks and information systems (NISD): One more critical step towards a ‘connected digital single market’ for the EU
Abstract
The Directive on the Security of Networks and Information Systems (NISD) is the first EU-wide cybersecurity instrument. It aims to establish a common minimum high level of NIS security across the EU among operators of essential services (OES) within specific sectors — such as electricity, transport, water, energy, health, financial services and telecommunications — as well as digital service providers (DSPs), in order to secure the digital infrastructure that is vital to society and the economy through coordinated intelligence-sharing, capacity-building and cooperation across the EU, and consistent incident detection, reporting and response obligations, and operational risk management approaches. NISD entered into force in August 2016, only months after the General Data Protection Regulation (GDPR). Member states have until 9th May, 2018 to transpose it into their domestic law, and until 9th November, 2018 to identify the OES and DSPs who will be subject to it. Because it is a Directive, there will be variation across the EU. Significantly, an entity may find it is an OES in one member state, but not in another. This variation may raise compliance challenges. NISD is part of the broader EU legislative framework for data protection and cybersecurity that includes the GDPR (which protects personal data), the proposed ePrivacy Regulation (ePr) (which protects the privacy of electronic communications) and the proposed Cybersecurity Act (which will protect the security of information and communications technologies (ICT)). NISD aims to protect the foundational layer — the infrastructure — on which the Digital Single Market depends. Like the GDPR, and the proposed ePr, it is risk-based and outcomes-focused, and has a potentially extraterritorial effect. It comes into effect around the same time as the GDPR, yet has not received the same attention as the GDPR. 
Some entities working towards GDPR compliance, such as telecommunications companies and DSPs, may also be subject to NISD obligations. GDPR and NISD may converge in certain areas, but they are qualitatively different and therefore diverge in others. Entities seeking to comply with both NISD and GDPR should take care to ensure the approaches to both are aligned and streamlined where possible, and would do well to proactively engage with regulators to ensure they are on the right track.
The full article is available to subscribers to the journal.
Author's Biography
Abigail Dubiniecki is a Canadian freelance lawyer and privacy professional specialising in data protection and international trade. She is licensed in Ontario and Quebec. Drawing on varied expertise gained in-house and in private practice in Canada and the UK, Abigail advises organisations of all sizes on compliance matters, notably in privacy and data security. An associate of Henley Business School, she delivers executive education on the General Data Protection Regulation (GDPR) implementation to senior executives of top UK and global brands. She also advises a portfolio of ambitious, mid-sized companies on GDPR and ePrivacy compliance as a senior lawyer with My Inhouse Lawyer. Her combined expertise in privacy and trade matters enables her to assist clients in Canada and the EU seeking to benefit from the Comprehensive Economic Trade Agreement (CETA) while navigating complex regulatory terrain.