Abstract

The Directive on the Security of Network and Information Systems (NISD) is the first EU-wide cybersecurity instrument. It aims to establish a common, high minimum level of NIS security across the EU among operators of essential services (OES) within specific sectors (such as electricity, transport, water, energy, health, financial services and telecommunications) as well as digital service providers (DSPs). The goal is to secure the digital infrastructure that is vital to society and the economy through coordinated intelligence-sharing, capacity-building and cooperation across the EU, consistent incident detection, reporting and response obligations, and operational risk management approaches.

NISD entered into force in August 2016, only months after the General Data Protection Regulation (GDPR). Member states have until 9th May, 2018 to transpose it into their domestic law, and until 9th November, 2018 to identify the OES and DSPs who will be subject to it. Because it is a Directive rather than a Regulation, its implementation will vary across the EU. Significantly, an entity may find it is an OES in one member state but not in another. This variation may raise compliance challenges.

NISD is part of the broader EU legislative framework for data protection and cybersecurity that includes the GDPR (which protects personal data), the proposed ePrivacy Regulation (ePr) (which protects the privacy of electronic communications) and the proposed Cybersecurity Act (which will protect the security of information and communications technologies (ICT)). NISD aims to protect the foundational layer, the infrastructure, on which the Digital Single Market depends. Like the GDPR and the proposed ePr, it is risk-based and outcomes-focused, and has a potentially extraterritorial effect. It comes into effect around the same time as the GDPR, yet has not received the same attention.
Some entities working towards GDPR compliance, such as telecommunications companies and DSPs, may also be subject to NISD obligations. GDPR and NISD may converge in certain areas, but they are qualitatively different and therefore diverge in others. Entities seeking to comply with both NISD and GDPR should take care to ensure the approaches to both are aligned and streamlined where possible, and would do well to proactively engage with regulators to ensure they are on the right track.
