June 15, 2023

EU framework series, episode 2: The NIS II and its step forward from the NIS

In this privacyespresso we talk with Jan Tomisek from the law firm ROWAN LEGAL about the EU Directive on Security of Network and Information Systems. This directive, called NIS, has recently been updated by a new version, also known as NIS2.

As the first point of the conversation, Jan and Alessandro delve into the differences between the NIS and the NIS II Directive. NIS II is broader in scope than its predecessor, and the obligations it imposes seem much stricter. The legislator's aim is probably to enhance the level of harmonization that was lacking under the NIS.

Secondly, it is worth noting that the Czech Republic is the first EU country to have already published a draft transposition of the NIS II Directive. As the exclusive member expert for the Czech Republic and Slovakia, Jan explains the transposition process and the unexpected challenges and questions it raised in their experience. In particular, the expert underlined the lack of clarity about what companies' obligations are under the law. The Czech authority's approach provided a lot of clarity, identifying the following areas of application:

– Identification of assets

– Risk management

– Data breach notification

Also, thanks to the authority's intervention, a key takeaway is that NIS II does not seem to apply to all information systems of an organisation; its scope should be limited to the information systems that are relevant to the services the organisation provides.

Finally, we discuss with Jan the specificities of the Czech regulation regarding the scope of the NIS2. In particular, he notes that:

– The national authority has also included in the directive measures additional to those of the NIS II, such as on 5G security.

– The national authority has also added data localization requirements. This seems to be going a bit against the EU law on non-personal data, but Jan notes that even that law has some exceptions for national application.

To learn more about this complex topic, take 10 minutes and listen to this privacyespresso!