Political agreement on new cybersecurity rules brings the EU's data strategy a step closer to its 2023 deadline, while compromise is reached on the second Network and Information Systems Directive (NIS2).
Following a successful vote in the European Parliament, the European Council has approved a new law that promotes data availability, building a trustworthy environment to facilitate its use for research, and the creation of innovative new services and products.
The Data Governance Act (DGA) aims to set up robust mechanisms to facilitate the reuse of specific categories of protected public-sector data, increase trust in data intermediation services and encourage the responsible use of data across the EU.
The DGA creates a framework to foster a new business model for data intermediation service, which the EU believes will provide a secure environment in which companies or individuals can share data.
For companies, these services can take the form of digital platforms, which will support voluntary data-sharing between companies.
This will facilitate the fulfilment of data-sharing obligations set not only by the DGA but also by other legislation, be it at the European or national level.
Through using these services, companies will be able to share data without fear of it being misused or of losing their competitive advantage.
Personal data right
For personal data, these services and their providers are intended to help individuals exercise their rights under the General Data Protection Regulation (GDPR).
It will mean that EU citizens have full control over their data, allowing consumers to share personal data with companies that they trust.
This can be done by means of new types of personal information management tools, such as personal data spaces or data wallets, apps which allow the sharing of personal information subject to the holder’s consent.
To ensure user trust in these new services, data intermediation service providers will be required to join a new EU register.
Service providers will not be allowed to use shared data for any other purpose than specified, so will not be able to benefit from selling the data on to other service providers.
However, they are allowed to charge for the service that they do carry out.
Brussels also plans on establishing a voluntary certification in the form of a logo that will make it easier to identify compliant providers of data intermediation services.
A new European Data Innovation Board will be created to advise and assist the commission in enhancing the interoperability of data intermediation services and issuing guidelines on how to facilitate the development of data spaces, among other tasks.
The DGA will also create safeguards against the unlawful international transfer of, or governmental access, to non-personal data, reflecting EU law on personal data.
In particular, the European Commission, through secondary legislation, may adopt adequacy decisions similar to that of the GDPR that declare whether specific non-EU countries provide appropriate safeguards for the use of non-personal data transferred from the EU.
Such safeguards should be considered to exist when the country in question has equivalent measures in place that ensure a level of protection similar to that provided by EU or member state law.
The commission may also adopt model contractual clauses to support public-sector bodies and other institutions in the case of transfers of non-personal data covered by the DGA to third countries.
When approached for comment by VIXIO, the European Commission declined the opportunity. However, at the time that the European Parliament and national representatives reached an agreement, Margrethe Vestager, who serves as the EU’s digital transition chief, said that it was the “first building block for establishing a solid and fair data-driven economy”.
“It is about setting up the right conditions for trustful data sharing in line with our European values and fundamental rights,” she said. “We are creating a safe environment in which data can be shared across sectors and member states for the benefit of society and the economy.”
NIS2
Following news last week of reaching a political agreement on the Digital Operational Resilience Act (DORA), the EU’s institutions have also announced a compromise on a related directive, NIS2.
This will replace the current NIS directive, which was signed into law in 2016.
NIS2 will set the baseline for cybersecurity risk management measures and reporting obligations across all sectors in scope, such as digital services.
The revised directive aims to remove divergences in cybersecurity requirements and in the implementation of cybersecurity measures in different member states.
To achieve this, the legislation sets out minimum rules for a regulatory framework and lays down mechanisms for effective cooperation among relevant authorities in each member state, while updating the list of sectors and activities subject to cybersecurity obligations, and providing remedies and sanctions to ensure enforcement.
The directive will also formally establish the European Cyber Crisis Liaison Organisation Network, EU-CyCLONe, which will support the coordinated management of large-scale cybersecurity incidents.
While under the old NIS directive member states were responsible for determining which entities would meet the criteria to qualify as operators of essential services, the new NIS2 directive introduces a size-cap rule.
This means that all medium-sized and large entities operating within the sectors or providing services covered by the directive will fall within its scope.
Although the agreement between the European Parliament and the Council maintains this general rule, the provisionally agreed text includes additional provisions to ensure proportionality, a higher level of risk management and clear-cut criticality criteria for determining the entities covered.
The text now needs to be approved by the Council and Parliament before the ramp-up phase to enforcement begins.
The EU’s 27 member states will have 21 months to transpose the directive into national law once it has entered into force.
Vestager welcomed the latest development. “This is another important breakthrough of our European digital strategy, this time to ensure that citizens and businesses are protected and trust essential services.”
Meanwhile, her colleague Thierry Breton said: "Cyber threats have become bolder and more complex. It was imperative to adapt our security framework to the new realities and to make sure our citizens and infrastructures are protected.”
In today's cybersecurity landscape, cooperation and rapid information sharing are of paramount importance, the internal market chief said. “With the agreement of NIS2, we modernise rules to secure more critical services for society and economy. This is therefore a major step forward. We will complement this approach with the upcoming Cyber Resilience Act that will ensure that digital products are also more secure whenever they are used.”