Europe Redoubles Cybersecurity and Data Privacy Efforts
 

The business community has welcomed last month’s political agreement on a revised cybersecurity framework for the European Union, called Network and Information Systems 2 (NIS2).

“NIS2 will require more critical entities from more sectors and sizes to implement a more complex set of obligations,” wrote DigitalEurope. Despite the additional burdens this represents for businesses, “raising our levels of cyber resilience is urgent,” the trade association added.[1]

Following publication of the directive, the EU’s 27 countries will have 21 months to bring their national cybersecurity frameworks in line with NIS2, during which companies will be preparing to meet the new requirements. 

Meanwhile, in another major policy development, the Court of Justice of the European Union (CJEU) gave the green light for consumer protection associations to sue companies that neglect or abuse individuals‘ data privacy.[2] The ruling is expected to spark a wave of privacy litigation,[3] on top of growing regulatory enforcement of the EU privacy law known as the General Data Protection Regulation (GDPR).

Amid ongoing change, Mimecast’s State of Email Security 2022 survey showed that security professionals in Denmark, Germany, and the Netherlands have mixed feelings about cyber regulation. For example, only about 20% to 25% believe that their businesses‘ risk would decrease significantly if the government placed cybersecurity minimums on companies. But the vast majority expect it would increase their compliance costs.

NIS2 Strengthens Cybersecurity Requirements

The European Commission summarized the changes coming with NIS2, including:

• Stronger cybersecurity requirements imposed on companies
• Measures to secure supply chains and supplier relationships
• Accountability of top management for non-compliance with cybersecurity obligations
• More stringent supervisory measures for national authorities
• Stricter enforcement requirements
• Streamlined reporting obligations

NIS2 would also expand the types of companies that must comply, including more of the healthcare sector, for example, digital services companies, manufacturers of critical products, and others.[4]

While applauding the new directive, DigitalEurope also called for European regulators to take a pragmatic approach, given a cyber workforce shortage of almost 200,000 in Europe. “Implementation will have to be practical to achieve real results rather than act as a burden on our stretched cyber resources,” the trade association wrote.

GDPR Continues to Evolve

Under GDPR, now entering its fourth year, companies must protect the personal information of EU citizens that it collects, retains, uses, and shares. Limits are placed on these activities, and citizens can ask companies to correct or erase their information.

Companies and regulators continue to learn just how far-reaching and costly GDPR can be. Even as private lawsuits are expected to increase under the new CJEU ruling described above, enforcement also appears to be expanding, with fines increasing fivefold to $1.2 billion between roughly January 2021 and January 2022.[5] But politicians are also listening to concerns about the rules and working to help companies comply.

At the same time, calls for even broader reform of GDPR, though faint, remain constant. For example, critics say the reliance on national authorities to enforce the EU-wide GDPR is problematic, with regulators slow to react in some countries.[6] European Commission Vice President Věra Jourová would like to see a single European enforcement agency along the lines of the European Commission’s centralized handling of monopoly and anti-money laundering regulations. “Either we will all collectively show that GDPR enforcement is effective or it will have to change and ... any potential changes will go toward more centralization,” she said.

That level of reform is unlikely any time soon, but European Data Protection Supervisor Wojciech Wiewiórowski has already called a June conference to talk about alternative enforcement models. “There is much scope for discussion and much potential improvement in the way current governance models are implemented in practice,” he said when announcing the conference in December.

In any case, European politicians are already looking to expand data protections beyond personal data. They’re developing a new law (the Data Act) to ensure people can access and control the non-personal information generated by Internet of Things (IoT) devices like smart home systems and connected cars.[7] If you own the device, they argue, you own the information it generates.

More likely than a near-term rewrite of GDPR is the continued interpretation and refinement of the existing law. The European Data Protection Board (EDPB), for example, recently suggested a more uniform approach to enforcement penalties across the EU, subject to public comment.[8]

The EDPB is also trying to clarify the efforts companies must make when responding to a request for personal information, with draft guidelines for citizens’ right of access. The draft said that companies can refuse to release information if it would infringe on the data privacy of others or if a request is excessive, but cautioned that no other limits can be placed on responding to data requests — not even preemptively through contracts.[9]

Legal experts noted that the clarification goes against the proportionality principle otherwise so prominent in GDPR — that is, that companies should be able to weigh whether the efforts required for them to search for and find personal information related to a data request is in proportion to the company’s relationship with that individual.

The UK regulator, the Information Commissioner’s Office (IOC), has previously upheld the proportionality principle. Companies were able to comment on the guidelines until mid-March, and the final draft has yet to be released. 

The Bottom Line

European companies are charged with shoring up their cybersecurity defenses and improving their data privacy strategies as Brussels updates and refines two major policies: NIS2 and GDPR. The consequences are also mounting, with more enforcement activity and private litigation on the horizon. Explore how Mimecast can help with building cyber resilience and enabling archiving and management of personal data to meet regulators’ changing expectations. 

[1] “NIS2 essential step towards more cyber resilient Europe, need for pragmatic implementation,“ DigitalEurope

[2] “Consumer protection associations may bring representative actions against infringements of personal data protection,” Court of Justice of the European Union

[3] “Europe’s top court unblocks more GDPR litigation against Big Tech,” TechCrunch

[4] “Commission welcomes political agreement on new rules on cybersecurity of network and information systems,” European Commission 

[5] “Fines for breaches of EU GDPR privacy law spike sevenfold,” Politico

[6] “Top EU official warns privacy rules may need to change,” Politico

[7] “Data Act: The EU makes its next move for industrial data,” International Association of Privacy Professionals

[8] “Guidelines 04/2022 on the Calculation of Administrative Fines under the GDPR,” European Data Protection Board

[9] “EU guidance on data subject access requests,” Pinsent Masons