The Interplay Between the NIS Directive and the GDPR in a Cybersecurity Threat Landscape

Abstract

Modern society places great trust in digital technologies. Since network information services have turned into an everyday commodity, the protection of these services is becoming ever more important. Despite the political will and the knowledge to prevent hostile acts on our IT infrastructure, an increasing number of incidents can be observed. Network and information systems (NIS) have become targets for malicious state and non-state actors; incidents can lead to major disruptions in our infrastructure and economy, causing significant damage to society and individuals’ welfare. 2016 saw the adoption of two important legal instruments in the field of cybersecurity, namely the adoption of the General Data Protection Regulation (GDPR) as well as the Network and Information Systems (NIS) Directive. While the GDPR attracted tremendous attention, considerably less attention has been paid to the NIS Directive, although, like the GDPR, the NIS Directive is an important instrument to support the EU Digital Single Market and protect the interests of European residents and the functioning of essential services in the EU. Irrespective of their common aims, the instruments have distinct interests: the GDPR covers privacy of personal data, while the NIS Directive encompasses the confidentiality of services covered and the underlying data. The latter in most cases is in fact personal data, meaning that the NIS Directive can be regarded as a complementary law to the GDPR, introducing corresponding security obligations as well as new breach reporting obligations to certain industry sectors and digital service providers. In that regard, the GDPR and NIS Directive represent a cross-sectoral approach. This paper provides an overview of the GDPR and the NIS Directive, before identifying and analysing the interplay between the two instruments. A focus will be on the corresponding obligations and their enforcement. The final section will outline problems of processing of personal data under the NIS Directive.