The Interplay Between the NIS Directive and the GDPR in a Cybersecurity Threat Landscape

University of Luxembourg Law Working Paper No. 2019-017

20 pages. Posted: 27 Jan 2020. Last revised: 14 Feb 2020

Mark D. Cole

University of Luxembourg, FDEF, Department of Law; University of Luxembourg, SnT

Sandra Schmitz

Universite du Luxembourg - Interdisciplinary Center for Security, Reliability and Trust; Universite du Luxembourg - Faculty of Law, Economics and Finance

Date Written: December 31, 2019

Abstract

Modern society places great trust in digital technologies. Since network information services have turned into an everyday commodity, the protection of these services is becoming ever more important. Despite the political will and the knowledge to prevent hostile acts on our IT infrastructure, an increasing number of incidents can be observed. Network and information systems (NIS) have become targets for malicious state and non-state actors; incidents can lead to major disruptions in our infrastructure and economy, causing significant damage to society and individuals’ welfare. 2016 saw the adoption of two important legal instruments in the field of cybersecurity, namely the General Data Protection Regulation (GDPR) and the Network and Information Systems (NIS) Directive. While the GDPR attracted tremendous attention, considerably less attention has been paid to the NIS Directive, although, like the GDPR, the NIS Directive is an important instrument to support the EU Digital Single Market and to protect the interests of European residents and the functioning of essential services in the EU. Irrespective of their common aims, the instruments have distinct interests: the GDPR covers the privacy of personal data, while the NIS Directive encompasses the confidentiality of the services covered and the underlying data. The latter in most cases is in fact personal data, meaning that the NIS Directive can be regarded as a law complementary to the GDPR, introducing corresponding security obligations as well as new breach reporting obligations for certain industry sectors and digital service providers. In that regard, the GDPR and the NIS Directive represent a cross-sectoral approach. This paper provides an overview of the GDPR and the NIS Directive, before identifying and analysing the interplay between the two instruments. A focus will be on the corresponding obligations and their enforcement. The final section will outline problems of processing of personal data under the NIS Directive.

Suggested Citation

Cole, Mark D. and Schmitz, Sandra, The Interplay Between the NIS Directive and the GDPR in a Cybersecurity Threat Landscape (December 31, 2019). University of Luxembourg Law Working Paper No. 2019-017, Available at SSRN: https://ssrn.com/abstract=3512093 or http://dx.doi.org/10.2139/ssrn.3512093

Mark D. Cole (Contact Author)

University of Luxembourg, FDEF, Department of Law

4, Rue Alphonse Weicker
Campus Kirchberg, Weicker building
Luxembourg, L-2721
Luxembourg

University of Luxembourg, SnT

JFK Building
29, Avenue J.F Kennedy
Luxembourg, L-1885
Luxembourg

Sandra Schmitz

Universite du Luxembourg - Interdisciplinary Center for Security, Reliability and Trust

4, rue Alphonse Weicker
Luxembourg, L-2721
Luxembourg

HOME PAGE: http://www.securityandtrust.lu

Universite du Luxembourg - Faculty of Law, Economics and Finance

162a, avenue de la Faïencerie
Luxembourg-Limpertsberg, L-1511
Luxembourg
