EU - Country Commercial Guide

Information on Network and Information Systems (NIS) Security Directive

Last published date: 2022-08-11

Revision of the Network and Information Systems (NIS) Directive

The Directive on security of network and information systems (NIS), applicable since 2016, sets baseline requirements to ensure better protection of critical infrastructures in the European Union.  The NIS Directive sets basic principles for Member States for common minimum capacity building and strategic cooperation.  It also directs operators of essential services and digital service providers to ensure that they apply basic common security requirements.  Obligations for operators in both groups include taking technical and organizational measures for risk management, preventing and minimizing the impact of security incidents, and notifying, without undue delay, incidents having a significant impact on the continuity of the essential services they provide.  Member States have implemented this directive in different ways, particularly with respect to operators of essential services, which led to a proposed legislative modification of the NIS Directive (the NIS 2 Directive) in December 2020.  If adopted into law, the NIS 2 Directive would obligate more entities and sectors to strengthen security requirements, address the security of supply chains, streamline reporting obligations, and introduce more stringent supervisory measures and stricter enforcement requirements.  The proposed expansion of the scope of the NIS 2 Directive, by effectively obliging more entities and sectors to take measures, would strengthen cybersecurity in the European Union in the long term.  The European Parliament is expected to vote on a draft of the NIS 2 Directive, which had been agreed to by the Council of the European Union, in the second half of 2022.

Cybersecurity Act

The March 2019 Cybersecurity Act set up a mechanism to develop a voluntary certification scheme for information and communications technology security products, processes, and services.  The European Commission has not yet proposed the specific areas that would benefit from certification schemes, and the European Union Agency for Cybersecurity has created ad-hoc stakeholder groups, which include industry participants in accordance with the Act, to help it create certification schemes.

The Data Governance Act

The Data Governance Act focuses on providing a legal framework, processes, and structures to promote data sharing.  While the General Data Protection Regulation regulates international transfers of personal data, the Data Governance Act regulates international transfers of non-personal data by a user who was granted access to such data by the public sector.  The Data Governance Act covers the transfer of non-personal data and the rules around the reuse of public sector data, and it introduces a regime for data intermediaries.  It also facilitates the collection and processing of data made available through a voluntary registration system for “data altruism organizations” and creates a European Data Innovation Board to enable the sharing of best practices by Member States as well as to advise the Commission on cross-sector interoperability standards.  The Data Governance Act will be applicable across the 27 Member States starting from September 2023.

The EU Data Act

The EU Data Act makes data sharing and the use/reuse of data easier for all by setting standards at an EU-wide level.  It covers the use of business-to-business and government-to-business data across all sectors.

It includes measures to allow users of connected devices to gain access to data generated by those devices and to share such data with third parties to provide aftermarket or other data-driven innovative services.  It also includes measures to rebalance negotiating power for SMEs by preventing abuse of contractual imbalances in data sharing contracts.  The Act includes mechanisms for public sector bodies to access and use data held by the private sector where that is necessary in exceptional circumstances, particularly in case of a public emergency or to implement a legal mandate if the data are not otherwise available.  The Act also includes rules allowing customers to effectively switch between different cloud data-processing service providers and putting in place safeguards against unlawful data transfer.

The proposal is now being evaluated by the co-legislators, a process expected to continue until late 2023.

Digital Markets Act

The Digital Markets Act regulates the market power of large online platforms to achieve fairer and more open digital markets within the European Union.  The Act regulates certain “gatekeeper firms” – large online platforms that impact how other companies interact with users online through digital services such as search, social networking, cloud computing, and advertising services.  It prohibits gatekeepers from engaging in self-preferencing and from restricting access to services connected to their platforms, such as online marketplaces like an app store, and it bars them from preventing users from removing pre-installed software or apps.  Under the Act, EU regulators can levy fines of up to ten percent of the global annual turnover of these firms and, in limited cases, break up certain parts of their corporate operations.  The companies designated as gatekeepers will have to comply with the respective obligations and prohibitions by February 2024.

Digital Services Act

The Digital Services Act will harmonize the mechanisms throughout the European Union by which online service providers, including internet access providers, domain name registrants, cloud and webhosting services, and online platforms, remove illegal content.  The Act bans targeted advertising aimed at children or based on sensitive data such as religion, gender, race, and political opinions, and it bans tactics that mislead people into giving personal data to companies online.  It regulates “very large online platforms” – those online platforms that reach at least ten percent of the population in the European Union.  The Commission would be able to charge them a supervisory fee of up to one percent of their annual turnover.  Sanctions would be gradual and unprecedented in their scope.  Fines for violations of the Act will amount to up to six percent of the global turnover of the conglomerate.  In the event of serious and repeated breaches, national courts can go as far as a ban on operating on European territory.  The text will be in force across the European Union from January 2024.