Cyber security | Regulatory Outlook June 2022

Published on 20th Jun 2022

This month we look at the EU's NIS2 Directive and the new fining guidelines under GDPR

European Parliament and EU Member States agree on the NIS2 Directive

The Directive on measures for a high common level of cybersecurity across the Union (the NIS2 Directive), which was adopted by the Commission in 2020, has been agreed upon by the European Parliament and EU Member States. 

The NIS2 Directive aims to address the deficiencies of, and future-proof, the existing NIS Directive (the first EU-wide law on cybersecurity) through measures such as: expanding the sectoral scope; introducing a clear size cap; eliminating the distinction between operators of essential services and digital service providers; strengthening security requirements for companies; and requiring companies to address cybersecurity risks in supply chains and supplier relationships.

The agreement reached is now subject to formal approval by the European Parliament and Council, and will enter into force 20 days after publication in the Official Journal. Following this, Member States will have 21 months to incorporate the Directive into national law. 

EDPB publishes new GDPR fining guidelines

On 12 May, the European Data Protection Board (EDPB) published its Guidelines on the calculation of administrative fines under the GDPR, introducing a standardised method for calculating fines which has been in the works since at least 2020. 

Data Protection Authorities should follow the five-step method contained within the guidelines: (1) establish whether there were one or multiple infringing acts; (2) identify the appropriate fining category – certain offences can warrant fines of up to €20 million or 4% of turnover; (3) account for any aggravating or mitigating circumstances, such as action taken to mitigate the damage suffered by data subjects; (4) identify the relevant legal maximums for the different infringements; and finally (5) analyse the effectiveness, proportionality, and dissuasiveness of the fine.

All companies that have customers in the EU may be subject to enforcement action by a European data protection watchdog, so it is important to be aware of the potential penalties. 


* This article is current as of the date of its publication and does not necessarily reflect the present state of the law or relevant regulation.
