Update on the Cybersecurity Directive – over to Luxembourg?
Next week we expect to find out if the Council of the EU will finally agree (“adopt a general approach”) on its version of the proposed General Data Protection Regulation (GDPR). Progress with a “little brother” of the GDPR – namely the proposed Network and Information Security (NIS) Directive, tagged the Cybersecurity Directive – continues in parallel. Before providing news next week on the GDPR, we thought that it would be useful to provide a quick update on NIS, especially as some of the issues with the GDPR – such as jurisdiction and supervision of companies – also are proving to be difficult in relation to NIS.
As we have explained previously, the Commission proposed the NIS Directive back in February 2013. One of the main aims, in relation to the private sector, is to require companies in the energy, transport, financial services and health sectors, and possibly a range of online companies, to implement mandatory security measures and report significant security incidents to national authorities. Broadly speaking, this would mirror existing obligations that apply to telecommunications providers.
The scope of the NIS Directive has been controversial from the outset. Several Member States have expressed doubts about subjecting online companies – referred to at times as providers of information society services, digital services, internet enablers or other strained phrases – to the same obligations as operators of truly critical infrastructures. The Parliament agreed to exclude internet enablers from scope in March last year (see our summary here), but Member States have continued to discuss this issue in Council meetings since then and have still to come to an agreement.
The Commission is becoming increasingly frustrated with lack of progress on this issue in the Council. The Commission recently suggested that instead of leaving it up to Member States to decide which companies that provide critical services are in scope of the Directive (which is one option under consideration), this could be addressed via delegated acts. This essentially would allow the Commission to define the type of companies within scope at a later date without having to go through the usual legislative procedure. This is not the first time that the Commission has made this suggestion. It’s fair to say that it has not been universally well received.
Another challenge is how to determine which national regulator has jurisdiction over a company that operates across the Union. Strangely, for a directive, the rules on both applicable law and allocating the jurisdiction of national regulators have been vague from the outset. The Commission recently proposed possible solutions in a “working document”, based on (a) where companies are “established” (which may mean “headquartered”), (b) where their network and information systems are physically located, or (c) where they provide core services to customers. The Commission favours the “country of origin principle” and a combination of (a) and (b). The document seems in places to borrow from existing ideas in the Data Protection Directive 95/46/EC (DPD), e.g., requiring companies to appoint a representative if they are not established in the Union. This may not bode well given that the rules under the DPD are complicated and the jurisprudence on jurisdiction is still being formed 20 years after the DPD was adopted (see Google, the CJEU and the Long Arm of European Data Protection Law).
More welcome are reports from the UK that, regardless of the rules on jurisdiction, there is broad agreement that Member States may use existing sector-specific competent authorities to work directly with companies that are in scope, and then nominate a single point of contact for cross-border communications (see update from Rachael Bishop, policy officer at the Department for Business, Innovation and Skills). It is our understanding that this has always been the intention, even if it has not been made very clear in the original proposal.
The Italian Presidency of the Council hoped to reach a conclusion by the end of 2014, but was unsuccessful. The Latvian Presidency similarly has pushed hard these past 6 months, but NIS was not on the agenda for today’s Council meeting and it looks like time is running out. Although further talks may take place later this month (possibly on 22 or 29 June), Brussels media report that it is unlikely an agreement will be reached on NIS before the Presidency of Luxembourg starts on 1 July.
There are some interesting potential ways being suggested to break the gridlock, so we’ll continue to monitor and report developments in the coming weeks and months. And, who knows, perhaps NIS will still beat the GDPR when it comes to which legislation is adopted first!