Legal experts have warned organizations in certain highly regulated industries that they could be fined twice under new EU security laws with huge maximum penalties.
The GDPR has received most press since it was introduced at the end of May, but for operators of essential services (OES) and digital service providers (DSPs), there’s also a second piece of legislation to consider: the EU directive on the Security of Networks and Information Systems (NIS Directive), introduced a few weeks previously.
This means a serious breach could result in two fines for organizations in the energy, health, transport, water and “digital infrastructure” sectors, i.e. providers of certain cloud and search services and online marketplaces.
Crucially, both laws could result in maximum fines of £17m, or 4% of global annual turnover, whichever is higher.
“The NIS Directive and UK NIS Regulations say that NIS regulators should 'consult and cooperate' with data protection regulators, and the UK government had previously agreed that organizations should not be tried for the same offence twice,” explained Kuan Hon, a director in Fieldfisher's Privacy, Security and Information group.
“However, it has also said, 'there may be reason for them to be penalized under different regimes for the same event because the penalties might relate to different aspects of the wrongdoing and different impacts'.”
The ICO also recently confirmed that NIS Directive enforcement powers are separate from its own.
“In cases where a NIS incident impacts on personal data, we are able to take action under both NIS and data protection law if it is appropriate and proportionate to do so,” it said.
Hon advised EU organizations to register as OES or DSPs if required, adding that the deadline for UK DSPs is November 1. Pan-regional firms will have to comply with each member state’s individual NIS Directive legislation, while non-EU DSPs should first assess each service as to where its EU “main establishment,” or head office, is located, she added.