The business community is concerned about GDPR 2.0 and the NIS-2 Directive because both bring additional requirements and challenges that may require significant adjustments. Both aim to strengthen data protection and cybersecurity, but they also create new responsibilities, costs and risks for companies. In detail:
1. GDPR 2.0
The GDPR (General Data Protection Regulation) has applied since May 2018 and brought significant changes to data protection law. A possible revision, informally referred to as GDPR 2.0, is under discussion and would presumably contain further tightening and clarifications.
Concerns of the business community:
- Extended compliance requirements: Companies that already have to implement extensive data protection measures under the current GDPR fear that GDPR 2.0 will bring new, stricter rules and thus additional compliance costs.
- Higher fines: Fines are already very high under the current version (up to EUR 20 million or 4% of global annual turnover, whichever is higher). Companies fear that these could be raised further or imposed more frequently.
- Unclear requirements: The cost of implementing data protection rules is often hard to estimate, especially for small and medium-sized companies. An unclear legal situation or new rules could create uncertainty and weaken competitiveness.
- International implications: Companies that operate internationally must comply with different data protection laws in different countries. Tightening the GDPR could lead to conflicts or additional work, especially where other jurisdictions adopt diverging rules.
2. The NIS-2 Directive (Network and Information Security Directive)
NIS-2 (Directive (EU) 2022/2555) is a revision of the original NIS Directive of 2016 (Directive (EU) 2016/1148), which focused on cybersecurity in critical sectors such as energy, transport, finance and health. NIS-2 extends the scope to more sectors, distinguishes between "essential" and "important" entities, and requires more stringent cybersecurity measures from the companies concerned; member states had to transpose it into national law by 17 October 2024.
Concerns of the business community:
- Increased security requirements: NIS-2 prescribes stricter security requirements, including risk management measures such as incident handling, business continuity, supply chain security, cryptography and multi-factor authentication where appropriate. Companies must invest more resources in protecting their infrastructure, which is costly and labor-intensive.
- Extended scope: While the original NIS Directive covered only operators of essential services and certain digital service providers, NIS-2 applies in principle to all medium-sized and large entities in the sectors it lists, and to some entities regardless of size. Many companies that previously faced no formal security requirements therefore now have to take new measures.
- Reporting obligations and penalties: Companies must report significant incidents faster and in more detail: an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours and a final report within one month. Failure to comply can lead to high fines (up to EUR 10 million or 2% of global annual turnover for essential entities, up to EUR 7 million or 1.4% for important entities), a regime similar to that of the GDPR. SMEs in particular could struggle to meet these requirements efficiently.
- Increased audit pressure: Supervision of compliance with cybersecurity standards is being intensified, which means more audits and inspections. Companies fear a high administrative burden and sanctions in the event of non-compliance.
Macroeconomic effects:
- Increased costs and loss of competitiveness: Implementing both sets of rules can be expensive and resource-intensive for many companies. Medium-sized companies in particular risk falling behind in international competition, as they do not have the resources of large corporations.
- Shortage of specialists: There is a considerable shortage of skilled staff, especially in cybersecurity. Companies struggle to find the experts needed to meet the new NIS-2 requirements.
- Administrative burden: Companies complain about the growing administrative burden of implementing GDPR 2.0 and NIS-2. The rules require detailed reporting, regular audits and ongoing adaptation of internal processes.
Conclusion:
GDPR 2.0 and the NIS-2 Directive implement important measures for data protection and cybersecurity, which is socially and economically significant. However, companies have legitimate concerns about the implementation costs, increasing bureaucracy and potential sanctions associated with the new rules. It therefore remains to be seen how these regulations will actually be designed and what support will be provided, particularly for smaller companies, to meet the new requirements.