Draft Network and Information Security Directive: entering final negotiation phase?

When we published our last Cyber Alert in late October 2014, the first trilogue negotiation between the three EU institutions had just taken pace, a second took place in November and the third and final meeting was scheduled for 9 December. The outgoing Italian Council Presidency published a statement that it was “confident the EP and the Council…will reach a deal before the end of the year”. However, progress updates then went quiet. It was not until 11 March that the (now Latvian) Council Presidency announced that the Council’s negotiating mandate had been agreed at the Permanent Representatives Committee. This means that negotiations with the Commission and Parliament can resume, and this third trilogue is scheduled for late April.

It appears that one of the main sticking points within the Council has been the scope of the “market operators” who will be caught by the new obligations to report cyber attacks. The Commission’s original proposal sought to catch not only classic critical infrastructure providers, but also online platforms. In contrast, last year the European Parliament voted to exclude online platforms from scope. It is reported that within the Council, Member States are split 50/50 over whether the new rules should apply to ecommerce and social media or not. This 126 page leaked Council draft comparing the relative positions of the Commission, the Parliament and the Council’s proposed negotiating stance seems to indicate that the Council favours a middle position, extending the new rules to certain providers of “essential services in the fields of Internet infrastructure and digital service platforms” which meet a set of strict criteria (which also apply to more conventional critical infrastructures such as energy, transport, banking, health and drinking water).

There has been intense lobbying activity by ecommerce and software providers to stay out of scope of the NISD – see for example this open letter sent by the CCIA (Computer and Communications Industry Association) late last year. It remains to be seen where the perimeters of the “market operator” definition will be drawn. We will provide a full analysis of the “what, who and when” of the new cyber security and reporting rules once the text is agreed. Member States will then have between 18 and 24 months to transpose it into national law – so, even if it agreed in April it is unlikely to take effect until late 2016 at the very earliest, or more likely 2017.

Draft GDPR: latest predictions – agreement at Council level by Summer?

Meanwhile, the draft General Data Protection Regulation is inching forward. In our October update we reported that the Council had recently formulated its position on the data security and breach notification provisions. However, the Council has still only reached a “partial general approach” on a few of the text’s eleven chapters (although the frequency with which new documents are being posted on the Council’s Consilium website indicates that there is no shortage of activity and discussion among the Member States. On 13 March the Council announced it had reached a partial general approach on two further (and important) aspects of the draft Regulation. These are the provisions on the One Stop Shop approach to enforcement as set out in Chapters 6 and 7 and the principles for processing personal data in Chapter 2.

Until the Council has formulated its negotiating stance on all aspects of the draft Regulation it cannot enter into trilogue negotiations with the Commission and Parliament. The latest official statements on the timetable for adoption of the draft Regulation include a statement in January by Digital Single Market Vice President Ansip that the Council could agree its common position by June 2015.
Our best guess of the likely timescale is that the Council will agree the text this summer with at least 6 months of trilogue negotiations to follow after that. Once there is an agreed text it will then need to be translated which, for a regulation of this complexity, could take a further three months. Adding those steps together, we do not expect to see the Regulation published until the end of June 2016. There is likely to be a two year transposition with the Regulation coming into force in 2018.


We report on the latest progress of the draft IT Security Act here.


Belgium has recently established its Center for Cyber Security and its Center of Excellence for Training, Research and Education.  Read more on our Datonomy blog here.


The Cybersecurity Agency (CSA) of Singapore is due to go live on 1 April 2015. Read more from Olswang’s blogging team in Asia here.

United States

We report on the latest US moves to promote a culture of cyber attack information sharing between the private and public sectors here.

Leave a Reply

Your email address will not be published. Required fields are marked *