Impact of Cybersecurity Regulations on ICT Companies in the European Union

The purpose of this paper is to provide more clarity about the current two cybersecurity requirements in the EU which may apply directly to telecommunication providers and other ICT companies covered under the NIS Directive, as well as to briefly review the upcoming changes to cybersecurity rules that apply to telecommunication providers under the recently adopted EECC Directive. Finally, this paper will analyse whether provisions of the General Data Protection Regulation apply if an entity is already subject to one of the two frameworks.

Impact of Cybersecurity Regulations on ICT Companies in the European Union

Cybersecurity requirements imposed on Information and Communication Technology (“ICT”) entities in the European Union mainly come from two regulatory frameworks. It is often the responsibility of ICT entities to assess which framework applies to their services so they can provide reliable and secure services to customers in line with compliance requirements.

The first is an electronic communication framework adopted by the European Commission in 2002 with the aim of harmonising the EU electronic communication sector. The framework had several objectives, including ensuring privacy and confidentiality of personal data in the electronic communications sector. This framework was later amended to ensure the security and integrity of services and networks. However, the necessary measures only applied to telecommunication providers, and did not affect non-telecommunication ICT entities.

The second framework was adopted by the European Commission in 2016 in the form of a Network and Information Systems Directive (NIS Directive). Its aim was to regulate security measures that apply to critical infrastructure sectors and that have enhanced ICT activities, as they play a crucial role in the wellbeing of people and society. The activities of companies currently affected by the NIS Directive had previously not been covered by the electronic communication framework, and affected entities had to evaluate to what extent provisions applied to their services. The framework distinguishes between operators of essential services (including digital infrastructure) and digital service providers. The NIS Directive imposes different obligations on them but specifically excludes telecommunication and trust service providers from its requirements.

The purpose of this paper is to provide an overview of these two frameworks, highlight the differences between them, examine what type of entities could be affected, and identify when and under what conditions one framework may exclude the other. Additionally, due to the different implementation of the NIS Directive in EU Member States, we will demonstrate “mixed” cases where one entity could potentially be considered a digital service provider in one EU member state, and an operator of essential services in another. In addition, we will discuss “mixed” cases where certain services could fall under the electronic communication framework and the NIS Directive, highlighting that affected entities must closely evaluate their services to determine which framework applies to each of their services.

This paper will also examine new requirements imposed under the recently adopted EECC Directive. The directive broadens the definition of telecommunication providers, potentially encompassing entities that are currently subject to the NIS Directive, and amends security obligations that apply to telecommunication providers. Finally, this paper will briefly assess whether provisions of the General Data Protection Regulation apply if an entity is already subject to one of the above-mentioned frameworks.



Related Articles

Digital Latam

Digital Latam

Welcome to the second edition of Digital Latam, our executive insight into what is moving technology markets in Latin America....

25 Nov 2020 Opinion
Wi-Fi as a Key Technology to Meet the Increase in Online Activity in Brazil Due to Restrictions Imposed by COVID-19

Wi-Fi as a Key Technology to Meet the Increase in Online Activity in Brazil Due to Restrictions Imposed by COVID-19

This report, commissioned by the Dynamic Spectrum Alliance, calls for the allocation of additional spectrum throughout the 6 GHz band…
4 Nov 2020 Reports
Cybersecurity Policy for Operational Technology: A Guide for Governments

Cybersecurity Policy for Operational Technology: A Guide for Governments

This report will highlight some use cases and advantages of OT, describe the cybersecurity risks involving OT, and provide recommendations…
7 Oct 2020 Reports
Facial Recognition Technology: A Primer

Facial Recognition Technology: A Primer

At Access Partnership, we recognize the importance of balancing the interests of consumers, citizens, and governments with enabling sustainable market...

29 Sep 2020 Reports