What about telecoms companies?
Under the agreed Directive, telecoms companies are considered neither operators of essential services nor digital service providers. They are therefore not subject to the new rules. Telecoms companies are already subject to rules on the security and integrity of their networks and services under the Framework Directive of 2002.
A recital in the NIS Directive confirms the position: "To cover all relevant incidents and risks, this Directive should apply to both operators of essential services and digital service providers. The obligations on operators of essential services and digital service providers should however not apply to undertakings providing public communication networks or publicly available electronic communication services … which are subject to the specific security and integrity requirements laid down in Article 13a of [the Framework] Directive nor should they apply to trust service providers … which are subject to the requirements laid down in Article 19 of [the EU's e-ID] Regulation."
The European Union Agency for Network and Information Security (ENISA) published updated guidance on what is expected of telecoms companies under the Framework Directive in relation to network and service security and integrity in October 2014. Ofcom set out its own guidance for UK telecoms providers in August last year.
The Directive confirms that both operators of essential services and digital service providers will not be absolved from their obligations on security and incident reporting where "the maintenance of their network and information systems" is outsourced to a third party.
Security obligations to vary across different digital service providers
For in-scope digital service providers, the precise security measures they will have to put in place will vary from business to business, as is explained in a recital to the Directive. The security measures operators of essential services must put in place will need to be more stringent. The European Commission will be able to specify in more detail what security measures DSPs should implement.
"DSPs should ensure a level of security commensurate to the degree of risk posed to the security of the services they provide, given the importance of their services to the operations of other businesses within the EU," according to the Directive. "In practice the degree of risk for operators of essential services, which are often essential for the maintenance of critical societal and economic activities, will be higher than for DSPs. Therefore the security requirements for DSPs should be lighter."
In addition, according to the Directive a "light-touch and reactive" system of supervision will apply to DSPs. EU countries should not place authorities tasked with compliance monitoring and enforcement under a "general obligation to supervise DSPs", it said.
"[Competent authorities] should therefore only take action when provided with evidence (for example by the DSP itself, by another competent authority, including a competent authority of another member state, or by a user of the service) that a DSP does not comply with the requirements of [the] Directive, in particular following an incident that has occurred", according to the Directive.
Double regulation avoided?
As highlighted above, the Directive specifically addresses the fact that some companies that would be subject to the new NIS rules might already face similar network and information security or incident reporting obligations under existing or forthcoming EU laws. Where businesses would be subject to duplicate obligations, the NIS rules would not apply to those companies.
"Whenever those Union legal acts contain provisions imposing requirements concerning the security of networks and information systems or notifications of incidents, these provisions should apply instead of the corresponding provisions of this Directive if they contain requirements which are at least equivalent in effect to the obligations contained in this Directive," the Directive said.
"In determining whether the requirements on the security of networks and information systems and/or the notification of incidents contained in sector specific Union legal acts are equivalent to those contained in … this Directive, regard should only be had to the provisions of relevant Union legal acts and their application in the member states," it said.
In terms of overlap with the General Data Protection Regulation, the NIS Directive makes it clear that processing of personal data under the Directive must be carried out in accordance with the general data protection legal regime.
But the Directive's statements regarding non-applicability where sector-specific Union laws prevail should not be taken as an indication that compliance with the General Data Protection Regulation will remove responsibility for compliance with the NIS Directive. While there may be overlap between the two where a security incident also involves a personal data breach, the two pieces of legislation are designed to address different subject matter.
The NIS Directive relates to both the commercial data of legal entities and individuals, that is, 'natural persons', while the GDPR relates only to data capable of identifying individuals. It remains to be seen whether EU countries choose to designate data protection authorities also as competent authorities for receiving notification of security incidents and ensuring compliance with the NIS Directive. The NIS Directive does however contemplate the existence of the two regulators operating side by side.
A recital says that "competent authorities and data protection authorities should cooperate and exchange information on all relevant matters to tackle the personal data breaches resulting from incidents".
It is as yet unclear whether the stiff security obligations and the requirement to report major operational or security incidents that banks and other payment service providers face under the newly revised Payment Services Directive would be considered equivalent to the NIS regime. The NIS Directive does single out payment systems, as opposed to payment services, and states that the "Directive does not affect the regime under Union law for the Eurosystem's oversight of payment and settlement systems".
Luke Scanlon is a technology law expert at Pinsent Masons, the law firm behind Out-Law.com
Copyright © 2016, Out-Law.com
Out-Law.com is part of international law firm Pinsent Masons.