Printed from https://ideas.repec.org/a/aza/jdpp00/y2018v2i1p22-33.html

The directive on security of networks and information systems (NISD): One more critical step towards a ‘connected digital single market’ for the EU

Author

  • Dubiniecki, Abigail

Abstract

The Directive on the Security of Networks and Information Systems (NISD) is the first EU-wide cybersecurity instrument. It aims to establish a common minimum high level of NIS security across the EU among operators of essential services (OES) within specific sectors — such as electricity, transport, water, energy, health, financial services and telecommunications — as well as digital service providers (DSPs), in order to secure the digital infrastructure that is vital to society and the economy through coordinated intelligence-sharing, capacity-building and cooperation across the EU, and consistent incident detection, reporting and response obligations, and operational risk management approaches. NISD entered into force in August 2016, only months after the General Data Protection Regulation (GDPR). Member states have until 9th May, 2018 to transpose it into their domestic law, and until 9th November, 2018 to identify the OES and DSPs who will be subject to it. Because it is a Directive, there will be variation across the EU. Significantly, an entity may find it is an OES in one member state, but not in another. This variation may raise compliance challenges. NISD is part of the broader EU legislative framework for data protection and cybersecurity that includes the GDPR (which protects personal data), the proposed ePrivacy Regulation (ePr) (which protects the privacy of electronic communications) and the proposed Cybersecurity Act (which will protect the security of information and communications technologies (ICT)). NISD aims to protect the foundational layer — the infrastructure — on which the Digital Single Market depends. Like the GDPR, and the proposed ePr, it is risk-based and outcomes-focused, and has a potentially extraterritorial effect. It comes into effect around the same time as the GDPR, yet has not received the same attention as the GDPR. 
Some entities working towards GDPR compliance, such as telecommunications companies and DSPs, may also be subject to NISD obligations. GDPR and NISD may converge in certain areas, but they are qualitatively different and therefore diverge in others. Entities seeking to comply with both NISD and GDPR should take care to ensure the approaches to both are aligned and streamlined where possible, and would do well to proactively engage with regulators to ensure they are on the right track.

Suggested Citation

  • Dubiniecki, Abigail, 2018. "The directive on security of networks and information systems (NISD): One more critical step towards a ‘connected digital single market’ for the EU," Journal of Data Protection & Privacy, Henry Stewart Publications, vol. 2(1), pages 22-33, July.
  • Handle: RePEc:aza:jdpp00:y:2018:v:2:i:1:p:22-33

    Download full text from publisher

    File URL: https://hstalks.com/article/1845/download/
    Download Restriction: Requires a paid subscription for full access.

    File URL: https://hstalks.com/article/1845/
    Download Restriction: Requires a paid subscription for full access.

    More about this item

    Keywords

    cybersecurity; GDPR; data protection; EU law;

    JEL classification:

    • K2 - Law and Economics - - Regulation and Business Law


    IDEAS is a RePEc service. RePEc uses bibliographic data supplied by the respective publishers.