Anticipating the entry into force of the NIS II Directive and the future AI Act in light of the GDPR

📅 Calendar of these various European standards
While the GDPR has been in force for more than 5 years, the new Directive 2022/2555 (“NIS II”) will be applicable as of October 18, 2024. The artificial intelligence regulation (the “AI Act”), for its part, should become applicable 24 months after its entry into force.
Anticipating these various European standards
🔰 NIS II and the GDPR
Some provisions of the NIS II Directive are intertwined with those of the GDPR, so the actors concerned must anticipate the overlapping obligations and challenges that these texts cover.
Since the entry into force of the GDPR in 2018, entities have been obliged to take appropriate technical and organizational measures to guarantee the security of personal data. The NIS II Directive provides for a related obligation concerning the cybersecurity of network and information systems, which includes taking risk-based technical, operational and organizational measures.
It should be noted that the cybersecurity requirements laid down by NIS II state that “the security of network and information systems should include the security of stored, transmitted and processed data”[1]. In practice, these measures will promote compliance with the personal data security obligations provided for in Article 32 of the GDPR by strengthening entities' technical measures.
In addition, the Directive requires a risk analysis and an information system security policy[2], which it may be relevant to combine with the data protection impact assessment provided for in Article 35 of the GDPR.
Thus, since any PIA contains a technical part on data security risks and makes it possible to determine the technical and organizational measures necessary to protect the data, these measures can readily be integrated with the entity's other cybersecurity measures.
✒️ AI Act and GDPR
The AI Act is an extension of the GDPR. It is interesting to note that these regulations also share a common legal basis, data protection. Thus, AI systems will have to take personal data protection law into account and guarantee its effectiveness through certain tools, such as impact assessments (PIA).
This regulation should make it possible to combat the biases and discrimination that may result from the processing of sensitive data[3] and should be intertwined with the GDPR on the issue of automated decision-making. Indeed, the GDPR provides that a “data subject shall have the right not to be subject to a decision based solely on automated processing...”[4], and where such a decision is nonetheless taken, the data subject may have the right to obtain human intervention. The AI Act goes in the same direction by providing for an explicitly enshrined supervisory role of “human oversight”.
This will aim to prevent or minimize the risks associated with the use of high-risk AI. It is indeed interesting to note that the AI Act regulation is also based on a risk-based approach, like the GDPR.
[1] Recital 77, NIS II Directive
[2] Art. 21(2)(a), NIS II Directive
[3] Art. 9, GDPR
[4] Art. 22, GDPR