European Directives & Regulations followed by SPHINX
Supported by the European Union's Horizon 2020 Research and Innovation Programme, SPHINX takes into account the current (existing and emerging) standards on cybersecurity and the corresponding directives and regulations of the European Union. In this context, two key pieces of EU legislation establish the framework for SPHINX development, in addition to the prevailing security standards set across the globe.
The Directive on the security of network and information systems (NIS Directive) is the first cybersecurity directive introduced by the European Union (EU). It was adopted in July 2016 and entered into force in August 2016, with the EU Member States having 21 months to incorporate its requirements into their national legislation and an additional 6 months to identify the companies subject to NIS compliance. NIS defines a set of network and information security requirements applicable to Operators of Essential Services (OESs) and Digital Service Providers (DSPs). Businesses in the energy, transport, banking, health, drinking water supply and distribution sectors and in the digital infrastructure sector are recognised as OESs. The NIS Directive requires each EU Member State to draw up a list of the organisations in these areas that are considered key service providers.
The General Data Protection Regulation (GDPR) is a legal framework setting the rules on how the personal information of EU citizens may be collected and processed. GDPR sets the principles for information management and the rights of citizens. It also contains safeguards to ensure that healthcare data is protected from cyberattacks, misuse or embezzlement. Misuse of the healthcare data of any citizen of the European Union, or improper enforcement of the law, can have particularly serious long-term consequences. Anyone in the EU who controls data and/or undertakes data processing is bound by the GDPR. This includes the healthcare sector, and it also affects organisations located outside the EU. In addition, the GDPR places extensive responsibilities and obligations on data controllers and processors.
Key points of difference and overlap
With these in mind, the NIS Directive and the GDPR deal with different issues: GDPR focuses on the protection of the personal data held by any organisation that processes European citizens' data, while NIS focuses on the security of the systems of organisations operating within the European Union.
NIS is about the security of networks, information systems and the digital data within them. The use of the term "digital data" implies that physical data is not covered by NIS. By contrast, under GDPR, personal data can also be held in, for example, a paper filing system. On the other hand, NIS is wider than GDPR in that "digital data" includes not only personal data but any data about an organisation's networks and information systems that ensures their functionality and continuity.
Another aspect to be taken into account is that the two pieces of legislation overlap because of their respective security requirements. For example, GDPR also incorporates the classical information security concept of the CIA triad (Confidentiality, Integrity, Availability). This means that there is considerable alignment between the requirements of the GDPR and those of the NIS Directive. Given the GDPR's security provisions, and the likelihood that most organisations already covered by NIS also control or process personal data, the two sets of requirements will in practice apply together.
Finally, GDPR is a regulation that applies directly in all Member States; it does not differ from one EU Member State to another. A good example is the size of the fines and penalties imposed. While the GDPR sets the level of the fines that enforcement authorities can impose, there is no such clarity in the case of NIS, where it is the responsibility of each Member State's government to determine the fines. Likewise, while the GDPR applies to all organisations dealing with the personal data of EU residents, whether within the EU or abroad, NIS only applies to a specific set of organisations operating within the EU.
More information about cybersecurity standards and European regulations can be found in Deliverable 2.1, which is publicly available here.