GDPR And NIS: Is Your Business Subject To Additional Breach Reporting Obligations?

Author: Ms Áine Cadogan, Mason Hayes & Curran

Just as businesses have begun to come to terms with the GDPR, another regulatory regime has come into force, its arrival having gone largely unnoticed by many of them. That regime is the Network and Information Systems Directive (“NIS Directive”), and the Irish legislation implementing it (“NIS Regulations”) was signed into law in September 2018.

The GDPR was designed to reshape the way that businesses approach data privacy and to strengthen the privacy rights of individuals. In contrast, the NIS Directive was adopted by the EU legislature as a response to the growing number of cyberattacks on critical infrastructure and online services, and as an attempt to boost the overall level of cybersecurity in the EU.

Importantly, Irish authorities will be responsible for supervising the security of services that multinational companies provide across the EU, because many of these companies have their European headquarters located in Ireland.

What does the NIS regime do?

The NIS regime seeks to achieve a high common level of security of network and information systems throughout the EU. It imposes wide-ranging obligations on Member States and on those businesses that fall within its scope, including risk management and incident reporting obligations.

In practice, this means that many businesses will be subject to mandatory breach reporting obligations under the NIS regime as well as under the GDPR. The two regimes have different triggers: the GDPR is concerned with breaches of personal data, whereas the NIS regime is concerned with incidents affecting the security of network and information systems and the continuity of the services they support, whether or not personal data is involved.

What businesses will be affected?

The NIS Regulations provide that these obligations will only apply to the following two types of businesses:

Operators of essential services (OES): These are businesses that are established in Ireland and provide essential services in Ireland within specific sectors and sub-sectors. The sectors are set out in the NIS Regulations and include energy, transport, banking, financial market infrastructure, health, water and digital infrastructure. The competent authority in each Member State will maintain a list of the operators of essential services it has identified, so businesses operating within these sectors will have a level of certainty as to whether they are subject to this regime.

Relevant digital service providers (RDSP): Providers of online marketplaces, online search engines and cloud computing services that have their head office in Ireland, or that have...
