Impact of Cybersecurity Regulations on ICT Companies in the European Union

The purpose of this paper is to provide more clarity about the current two cybersecurity requirements in the EU which may apply directly to telecommunication providers and other ICT companies covered under the NIS Directive, as well as to briefly review the upcoming changes to cybersecurity rules that apply to telecommunication providers under the recently adopted EECC Directive. Finally, this paper will analyse whether provisions of the General Data Protection Regulation apply if an entity is already subject to one of the two frameworks.

Impact of Cybersecurity Regulations on ICT Companies in the European Union

Cybersecurity requirements imposed on Information and Communication Technology (“ICT”) entities in the European Union mainly come from two regulatory frameworks. It is often the responsibility of ICT entities to assess which framework applies to their services so they can provide reliable and secure services to customers in line with compliance requirements.

The first is an electronic communication framework adopted by the European Commission in 2002 with the aim of harmonising the EU electronic communication sector. The framework had several objectives, including ensuring privacy and confidentiality of personal data in the electronic communications sector. This framework was later amended to ensure the security and integrity of services and networks. However, the necessary measures only applied to telecommunication providers, and did not affect non-telecommunication ICT entities.

The second framework was adopted by the European Commission in 2016 in the form of a Network and Information Systems Directive (NIS Directive). Its aim was to regulate security measures that apply to critical infrastructure sectors and that have enhanced ICT activities, as they play a crucial role in the wellbeing of people and society. The activities of companies currently affected by the NIS Directive had previously not been covered by the electronic communication framework, and affected entities had to evaluate to what extent provisions applied to their services. The framework distinguishes between operators of essential services (including digital infrastructure) and digital service providers. The NIS Directive imposes different obligations on them but specifically excludes telecommunication and trust service providers from its requirements.

The purpose of this paper is to provide an overview of these two frameworks, highlight the differences between them, examine what type of entities could be affected, and identify when and under what conditions one framework may exclude the other. Additionally, due to the different implementation of the NIS Directive in EU Member States, we will demonstrate “mixed” cases where one entity could potentially be considered a digital service provider in one EU member state, and an operator of essential services in another. In addition, we will discuss “mixed” cases where certain services could fall under the electronic communication framework and the NIS Directive, highlighting that affected entities must closely evaluate their services to determine which framework applies to each of their services.

This paper will also examine new requirements imposed under the recently adopted EECC Directive. The directive broadens the definition of telecommunication providers, potentially encompassing entities that are currently subject to the NIS Directive, and amends security obligations that apply to telecommunication providers. Finally, this paper will briefly assess whether provisions of the General Data Protection Regulation apply if an entity is already subject to one of the above-mentioned frameworks.

Download the report

Related Articles

AI for All in Thailand: Building an AI-ready economy with Google

AI for All in Thailand: Building an AI-ready economy with Google

อ่านบทความนี้เป็นภาษาไทย A doctor in Bangkok analyzes medical images with AI, leading to a faster, more accurate diagnosis for her patient....

19 Dec 2024 AI Policy Lab
Transforming Trade: Cross-border E-commerce Trends in Taiwan

Transforming Trade: Cross-border E-commerce Trends in Taiwan

While physical retail remains popular, the cross-border e-commerce market has experienced remarkable growth, with global retail e-commerce sales more than...

17 Dec 2024 Reports
Tech Policy Trends 2025

Tech Policy Trends 2025

Unlocking the future: The impact of AI on industry, society, and policy AI is transforming the way we live, work,...

3 Dec 2024 Reports
Economic Impact Report: Driving digital growth in Vietnam with Google

Economic Impact Report: Driving digital growth in Vietnam with Google

Vietnam’s economic development journey has been impressive. From one of the world’s lowest-income countries, Vietnam has risen to become a...

14 Nov 2024 General