Does the NIS2 Directive reinforce GDPR?
The General Data Protection Regulation is a fundamental regulation in terms of personal data protection. It has defined the key principles to be respected to ensure active protection of personal data, increased sanctions, strengthened people’s rights, and more generally changed the way organizations must use and process personal data. However, it does not seem to be the only one to have such an impact, and to promote awareness of the need to manage people’s data in a way that respects their privacy.
Another regulation likely to have just as significant an impact as the GDPR is the Network and Information Security Directive, known as NIS2. This European directive on securing information systems was published on December 27, 2022, in the Official Journal of the European Union [1]. NIS2 is an enriched version of the original NIS Directive and aims to strengthen cybersecurity on a European scale and harmonize rules in this field.
A strengthening of data protection
Although the GDPR focuses on the protection of personal data and the NIS2 Directive focuses on the security of networks and information systems, both regulations aim to protect personal data and the privacy of individuals. Their principles complement each other and are designed to strengthen the protection of personal data.
Data cybersecurity is at the heart of personal data protection and is a pillar of GDPR compliance, as it represents the technical aspect of personal data protection.
The essential role that security plays in the protection of personal data is set out clearly in the GDPR, particularly in Article 32 [2], which requires technical and organizational measures to be put in place. This means that any organization processing personal data is required to secure the data it holds by implementing adequate measures.
NIS2 lays down the rules to be followed by CIOs to meet these requirements and guarantee the security of networks and information systems. Organizations handling personal data, or responsible for network and information system security, must comply with these rules, and implement appropriate measures in line with the risks of potential security breaches.
What is new in NIS2?
The scope of this new directive is broader, covering a wide range of players in a variety of sectors, such as healthcare, digital infrastructure, transport, and energy.
A proportionality mechanism has also been adopted, meaning that not all rules apply to all players. A distinction is made between entities qualified as “essential” or “important”, employing more than 250 people and having annual sales of over €50 million and/or an annual turnover of over €43 million, and other entities which are not subject to all these obligations.
NIS2 also imposes more specific and stringent cybersecurity and risk management requirements, while strengthening the sanctions and fines that can be imposed in the event of non-compliance. Comparably to the GDPR, companies failing to comply with these rules can be fined up to €10 million or 2% of their annual worldwide revenues.
A proactive approach to data protection is also required, similar to the one introduced by the GDPR. Appropriate technical, operational, and organizational measures must be put in place to manage security risks according to an “all-hazards” approach. Examples of such measures include policies on risk analysis and information system security, incident management processes, and measures guaranteeing business continuity. Similarly, regarding the protection of personal data, technical and organizational measures must be tailored to the risks inherent in data processing.
In addition, the NIS2 Directive requires that the executive management of the organizations concerned approve the cybersecurity risk management measures taken and supervise their implementation. EU Member States must therefore ensure that organizations’ executives and staff receive cybersecurity training, so that they acquire the knowledge needed to identify risks and assess risk management practices (as well as their impact on the services provided).
Detailed guidelines also apply to the notification of security incidents: entities must notify the competent authority of any incident having a significant impact on the provision of their services, and the deadlines to be respected are specified. Notification must also be given to service recipients likely to be affected by a significant cyberthreat, indicating the measures or remedies that those recipients can take in response to the incident.
Preparing for NIS2 deployment now?
Although EU Member States have been given 21 months to transpose these rules, it is important that organizations start now to define the strategy they need to adopt to ensure that the new obligations are effectively taken on board. This may require a major effort, depending on the company and the policies it has already defined. By prioritizing NIS2 compliance now, organizations can ensure that they meet the deadline and avoid difficulties as it approaches.
Sources
[1] NIS 2 Regulation, Lex Europa