In his Opinion published on 11 March 2021, the EDPS welcomes the Proposal for the NIS 2.0 Directive, which aims to replace the existing Directive on security of network and information systems (NIS). The goal of the Proposal is to harmonise and strengthen cybersecurity practices across the European Union (EU). The Proposal is part of the EU’s Cybersecurity Strategy to ensure a global and open internet with strong safeguards to mitigate the risks for individuals’ fundamental rights, including the right to data protection. The EDPS’ Opinion includes remarks and recommendations on both the Strategy and the proposed Directive.
Wojciech Wiewiórowski, EDPS, said: “It is essential that privacy and data protection are embedded in the proposed Directive and in all future initiatives stemming from the EU’s Cybersecurity Strategy. This will allow a holistic approach when managing cybersecurity risks and protecting individuals’ personal data. In addition, to ensure that the Cybersecurity Strategy, and, by extension, the proposed Directive are effective, it is necessary to fully integrate the EU institutions, offices, bodies and agencies in the overall EU-wide cybersecurity framework to achieve a uniformed level of protection”.
The EDPS appreciates that the proposed Directive envisages systemic and structural changes that will have a positive impact on the security of personal data, electronic communications and the security of the internet. The EDPS also strongly supports the additional initiatives that aim to improve cybersecurity practices in the EU and, more generally, technological sovereignty.
To further enhance the objectives of the proposed Directive, the EDPS reiterates that compliance of all practical measures, such as the use of cybersecurity systems to prevent, detect and respond to cyber threats, with EU data protection laws is imperative.
In his Opinion, the EDPS also stresses that the use of encryption, in particular end-to-end encryption, is crucial. Encryption is an irreplaceable technology to protect individuals’ personal data and right to privacy. Any weakening or circumvention of encryption (e.g. using mandatory backdoors, mandatory key escrow, and hidden communication channels) would completely devoid the mechanism of any effective protection capability and result in a loss of trust. The proposed Directive should therefore be clarified: nothing in the proposal should be construed as an endorsement of weakening end-to-end encryption through “backdoors” or similar solutions.
The EDPS also calls on the EU’s co-legislators to provide for a closer cooperation of cybersecurity actors with the European Data Protection Board, as well as a more comprehensive legal basis for the cooperation and exchange of relevant information with data protection authorities.
The rules for data protection in the EU institutions, as well as the duties of the European Data Protection Supervisor (EDPS), are set out in Regulation (EU) 2018/1725.
Processing of personal data: According to Article 3(3) of Regulation (EU) 2018/1725, processing of personal data refers to “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”. See the glossary on the EDPS website.
The legislative consultation powers of the EDPS are laid down in Article 42 of Regulation (EU) 2018/1725 which obliges the European Commission to consult the EDPS on all legislative proposals and international agreements that might have an impact on the processing of personal data. Such an obligation also applies to draft implementing and delegated acts. The statutory deadline for issuing an EDPS opinion is 8 weeks.
The EDPS opinions are published on our website, and later on in the Official Journal of the EU, and officially transmitted to the European Parliament, the Council and the Commission.
The EDPS also has the power to issue opinions on any issue of relevance to the protection of personal data, addressed to the EU legislator or to the general public, in response to a consultation by another institution or on his own initiative.