Impact of Cybersecurity Regulations on ICT Companies in the European Union

The purpose of this paper is to provide more clarity about the current two cybersecurity requirements in the EU which may apply directly to telecommunication providers and other ICT companies covered under the NIS Directive, as well as to briefly review the upcoming changes to cybersecurity rules that apply to telecommunication providers under the recently adopted EECC Directive. Finally, this paper will analyse whether provisions of the General Data Protection Regulation apply if an entity is already subject to one of the two frameworks.

Impact of Cybersecurity Regulations on ICT Companies in the European Union

Cybersecurity requirements imposed on Information and Communication Technology (“ICT”) entities in the European Union mainly come from two regulatory frameworks. It is often the responsibility of ICT entities to assess which framework applies to their services so they can provide reliable and secure services to customers in line with compliance requirements.

The first is an electronic communication framework adopted by the European Commission in 2002 with the aim of harmonising the EU electronic communication sector. The framework had several objectives, including ensuring privacy and confidentiality of personal data in the electronic communications sector. This framework was later amended to ensure the security and integrity of services and networks. However, the necessary measures only applied to telecommunication providers, and did not affect non-telecommunication ICT entities.

The second framework was adopted by the European Commission in 2016 in the form of a Network and Information Systems Directive (NIS Directive). Its aim was to regulate security measures that apply to critical infrastructure sectors and that have enhanced ICT activities, as they play a crucial role in the wellbeing of people and society. The activities of companies currently affected by the NIS Directive had previously not been covered by the electronic communication framework, and affected entities had to evaluate to what extent provisions applied to their services. The framework distinguishes between operators of essential services (including digital infrastructure) and digital service providers. The NIS Directive imposes different obligations on them but specifically excludes telecommunication and trust service providers from its requirements.

The purpose of this paper is to provide an overview of these two frameworks, highlight the differences between them, examine what type of entities could be affected, and identify when and under what conditions one framework may exclude the other. Additionally, due to the different implementation of the NIS Directive in EU Member States, we will demonstrate “mixed” cases where one entity could potentially be considered a digital service provider in one EU member state, and an operator of essential services in another. In addition, we will discuss “mixed” cases where certain services could fall under the electronic communication framework and the NIS Directive, highlighting that affected entities must closely evaluate their services to determine which framework applies to each of their services.

This paper will also examine new requirements imposed under the recently adopted EECC Directive. The directive broadens the definition of telecommunication providers, potentially encompassing entities that are currently subject to the NIS Directive, and amends security obligations that apply to telecommunication providers. Finally, this paper will briefly assess whether provisions of the General Data Protection Regulation apply if an entity is already subject to one of the above-mentioned frameworks.

Download the report

Related Articles

Impact Assessments: Supporting AI Accountability

Impact Assessments: Supporting AI Accountability

Artificial intelligence’s applications span everything from healthcare and education to manufacturing and energy. Automation is influencing strategies across industry, but...

28 Jan 2023 Reports
Exploring the benefits of a future metaverse: What can we learn from current virtual reality applications?

Exploring the benefits of a future metaverse: What can we learn from current virtual reality applications?

The metaverse has the potential to redefine almost every sphere of our daily lives, from healthcare and education to work,...

23 Jan 2023 Metaverse Policy Lab
Tech Policy Trends 2023

Tech Policy Trends 2023

What does 2023 have in store for technology, policy, and regulation? 2023 represents a defining year for the tech sector....

17 Jan 2023 Reports
The Growing Digital Economy in the Philippines

The Growing Digital Economy in the Philippines

The Growing Digital Economy in the Philippines: Opportunities, Challenges, and Google’s Contributions Backed by strong government support, the Philippines’ digital...

7 Jan 2023 Reports