Impact of Cybersecurity Regulations on ICT Companies in the European Union

The purpose of this paper is to provide more clarity about the current two cybersecurity requirements in the EU which may apply directly to telecommunication providers and other ICT companies covered under the NIS Directive, as well as to briefly review the upcoming changes to cybersecurity rules that apply to telecommunication providers under the recently adopted EECC Directive. Finally, this paper will analyse whether provisions of the General Data Protection Regulation apply if an entity is already subject to one of the two frameworks.

Impact of Cybersecurity Regulations on ICT Companies in the European Union

Cybersecurity requirements imposed on Information and Communication Technology (“ICT”) entities in the European Union mainly come from two regulatory frameworks. It is often the responsibility of ICT entities to assess which framework applies to their services so they can provide reliable and secure services to customers in line with compliance requirements.

The first is an electronic communication framework adopted by the European Commission in 2002 with the aim of harmonising the EU electronic communication sector. The framework had several objectives, including ensuring privacy and confidentiality of personal data in the electronic communications sector. This framework was later amended to ensure the security and integrity of services and networks. However, the necessary measures only applied to telecommunication providers, and did not affect non-telecommunication ICT entities.

The second framework was adopted by the European Commission in 2016 in the form of a Network and Information Systems Directive (NIS Directive). Its aim was to regulate security measures that apply to critical infrastructure sectors and that have enhanced ICT activities, as they play a crucial role in the wellbeing of people and society. The activities of companies currently affected by the NIS Directive had previously not been covered by the electronic communication framework, and affected entities had to evaluate to what extent provisions applied to their services. The framework distinguishes between operators of essential services (including digital infrastructure) and digital service providers. The NIS Directive imposes different obligations on them but specifically excludes telecommunication and trust service providers from its requirements.

The purpose of this paper is to provide an overview of these two frameworks, highlight the differences between them, examine what type of entities could be affected, and identify when and under what conditions one framework may exclude the other. Additionally, due to the different implementation of the NIS Directive in EU Member States, we will demonstrate “mixed” cases where one entity could potentially be considered a digital service provider in one EU member state, and an operator of essential services in another. In addition, we will discuss “mixed” cases where certain services could fall under the electronic communication framework and the NIS Directive, highlighting that affected entities must closely evaluate their services to determine which framework applies to each of their services.

This paper will also examine new requirements imposed under the recently adopted EECC Directive. The directive broadens the definition of telecommunication providers, potentially encompassing entities that are currently subject to the NIS Directive, and amends security obligations that apply to telecommunication providers. Finally, this paper will briefly assess whether provisions of the General Data Protection Regulation apply if an entity is already subject to one of the above-mentioned frameworks.

Download the report

Related Articles

The State of Healthcare Supply Chains in APEC: A Year-in-Review

The State of Healthcare Supply Chains in APEC: A Year-in-Review

Healthcare companies across APEC have made big moves to strengthen their resilience in 2023. As a follow-up to our study...

4 Oct 2024 Reports
Advantage Southeast Asia: Emerging AI Leader

Advantage Southeast Asia: Emerging AI Leader

Artificial intelligence (AI) is offering a once-in-a-generation opportunity for economic growth and societal transformation, with the conversation dominated by the...

2 Oct 2024 General
Advancing Malaysia’s Digital Potential through AI with Google

Advancing Malaysia’s Digital Potential through AI with Google

Malaysia’s ambition to become a high-income, digital-first nation is clear in the MADANI Economy framework. Recent discussions on investor-friendly policies...

1 Oct 2024 General
Google and Korea: 20 years of partnership and AI innovation

Google and Korea: 20 years of partnership and AI innovation

Korean entertainment groups like Blackpink and BTS have continually taken the world by storm, while Android revolutionized mobile access for...

26 Sep 2024 General