The new EU Network and Information Systems Directive has entered into force


13.10.2016 EU law

The NIS (network and information systems) Directive was adopted on 6 July 2016 and entered into force on 8 August 2016. This is the first European-wide legislation on cybersecurity.

Andrus Ansip, the EU Commission Vice-President for the Digital Single Market, declared, “If we want people and businesses to make the most of digital services, they need to trust them. A Digital Single Market can only be created in a secure online environment.” The Directive aims to generate a global approach towards cybersecurity in Europe based on common, minimum capacity-building and planning requirements, exchange of information, cooperation, and common security and notification requirements for operators of essential services and digital service providers. To these ends, the NIS Directive also sets up two working groups: (i) the Cooperation Group, to facilitate cooperation and exchange of information between Member States, and (ii) a network of computer security incident response teams (a “CSIRTs network”).

The NIS Directive applies to both digital service providers and operators of essential services. The latter will have to be identified by Member States and can be private or public entities operating in the following industries: energy, transportation, banking and financial markets, health care, drinking water supply and distribution, and digital infrastructure. Digital service providers include online marketplaces (e.g. e-commerce platforms), cloud computing services, and online search engines. Because digital service providers bear a lesser risk than operators of essential services, the security obligations imposed on them are lighter. It is also worth mentioning that hardware manufacturers and software developers do not qualify as operators of essential services. In addition, micro- and small enterprises do not have to abide by the requirements imposed on digital service providers, even though they would otherwise qualify as such.

A Member State will have jurisdiction over the operators of essential services that it has identified as such, as well as over digital service providers having their main establishment in that Member State, i.e. generally if the provider has its head office in that country. A digital service provider based outside the EU can also fall under the scope of the NIS Directive if it offers services within the EU (the mere accessibility in the EU of the service offered or of an intermediary’s website is not sufficient). In such a scenario, the non-EU entity will have to designate a representative in the Member State where it offers its services.

Member States now have until 9 May 2018 to implement the provisions of the NIS Directive in their national laws. Companies should start preparing now and ask themselves whether they fall under the scope of the NIS Directive. If they do, they should start reviewing their security processes and closely follow the implementing laws and practical guidance that will be adopted in their respective countries.
