Over the next few months, organisations across the EU and the rest of the world will be coming to terms with two new cyber security laws: the EU General Data Protection Regulation (GDPR) and the Directive on security of network and information systems (NIS Directive). Their requirements overlap in many places, which has inevitably led to questions about whether an organisation can be fined twice for the same incident.
The UK government insists this won’t be the case – at least in most instances. However, it has conceded that there may be reason for organisations to be penalised under both regimes for the same event, because the penalties might relate to different aspects of the wrongdoing and have different effects.
The penalties for breaches of the GDPR and NIS Directive are severe. The GDPR gives supervisory authorities the power to levy fines of up to €20 million (about £17.5 million) or 4% of annual global turnover – whichever is higher. The NIS Directive allows member states to set their own thresholds. In the UK, the maximum penalty is £17 million.
However, the maximum penalties will likely only be handed out for flagrant or repeat offences, and the UK government has said that fines will be a last resort. “Fines would […] not apply to operators which have assessed the risks adequately, taken appropriate security measures and engaged with regulators but still suffered an attack,” it said of the NIS Directive.
Similarly, the UK’s supervisory authority for the GDPR, the Information Commissioner’s Office, said: “Focusing on big fines makes for great headlines, but thinking that GDPR is about crippling financial punishment misses the point […] [W]hile fines may be the sledgehammer in our toolbox, we have access to lots of other tools that are well-suited to the task at hand and just as effective.”
Want to know more?
You can find out more about the upcoming regulatory changes by reading our free NIS Directive and GDPR compliance guides. They explain each law’s requirements, the terms you need to know and what measures you need to put in place.
The NIS Directive guide also goes into detail about exactly which organisations are within the law’s scope.