On 6 December 2020, the EU Commission published its proposal for a Directive on Security of Network and Information Systems, otherwise known as the “NIS2 Directive”. As the name suggests, the NIS2 Directive is designed to update the current NIS Directive (even though that Directive has only been implemented in Member States since 9 May 2018), which has been criticised on both its scope and its application.
The current NIS Directive (also known as the cybersecurity directive) contains targeted rules (e.g. breach notification obligations) for operators of essential services (providers in the energy, transport, banking and finance, health, water supply and digital infrastructure sectors) and digital service providers (namely, providers of online marketplace, online search engine and cloud computing services). Member States were also required to establish a Computer Security Incident Response Team (“CSIRT”) and designate a competent national NIS authority.
Services in Scope of the NIS2 Directive Proposal
The proposed NIS2 Directive would abolish the distinction between (i) operators of essential services and (ii) digital service providers and adopt a new approach to classification based on the importance of the service, providing a lighter-touch regime for services that are categorised as “important” rather than “essential”. However, the proposal does allow Member States to “gold-plate” the requirements.
Essential and important services are categorised using the following sectors, but simply being in one of these sectors is not sufficient and the service also has to be of a type listed in the Annex to the proposal (which sets out the type of entity on a more granular level):
- Financial market infrastructures
- Drinking water
- Waste water
- Digital infrastructure
- Public administration
- Postal and courier services
- Waste management
- Manufacture, production and distribution of chemicals
- Food production, processing and distribution
- Digital providers
It should be noted that cloud service providers have moved to the higher level of essential services (under the category of “digital infrastructure”) whereas the remaining categories of digital service providers (falling under “important”) have been expanded to include providers of social networking services platforms.
The new proposal therefore seeks to expand the scope of the current NIS Directive by adding new sectors based on their criticality for the economy and society, but it also introduces a size cap, so that only medium and large companies in selected sectors will be in scope, whilst retaining some flexibility for Member States to identify smaller entities with a high security risk profile. However, this carve-out for smaller companies does not apply in all contexts, for example where the provider of a designated essential or important service is a provider of public electronic communications networks or publicly available electronic communications services.
The jurisdictional scope of the NIS2 Directive is still determined by where the main establishment of the provider is in the EU for TLD name registries, cloud computing service providers, data centre service providers and content delivery network providers, providers of electronic communications networks or publicly available electronic communications services, as well as certain digital providers. Otherwise, the competence of the regulatory authority is the determining element. Further, under NIS2 the main establishment is deemed to be where the decisions related to the cybersecurity risk management measures are taken, rather than the place where the provider has its head office in the EU. If such decisions are not taken in any establishment in the EU, the main establishment is deemed to be in the Member State where the entity has the establishment with the highest number of employees in the EU; if there are no EU entities and the provider offers services in the EU, then a NIS representative is required.
Other Significant Changes in the NIS2 Directive Proposal
The proposal strengthens security requirements for the companies subject to the rules by imposing a risk management approach (technical and organisational measures), whilst providing a minimum list of basic security elements that have to be applied. This is more prescriptive than the approach applied under the current NIS Directive. The proposal also introduces more precise requirements for incident reporting, including in relation to the content of the reports and the timelines for reporting (within 24 hours in some cases). It is also interesting to note that the NIS2 Directive seeks to replace the specific security requirements for providers of electronic communications networks and services in the EU Electronic Communications Code and for trust service providers under Regulation (EU) No 910/2014.
The security of supply chains and supplier relationships has been a particularly hot topic in recent years and the NIS2 Directive consequently requires individual companies to address cybersecurity risks in supply chains and supplier relationships.
On a more general basis, the proposal for the NIS2 Directive also:
- introduces more stringent supervisory measures for national authorities (maintaining the requirement to have CSIRTs);
- includes stricter enforcement requirements;
- enhances cooperation and information sharing between Member States, including through the creation of a new body (CyCLONe) for the coordinated management of large-scale cybersecurity incidents and crises and to ensure the regular exchange of information among Member States and EU bodies; and
- aims at harmonising sanctions regimes across Member States (including fines of up to 10,000,000 EUR or up to 2% of the total worldwide annual turnover of the undertaking).
The proposal for the NIS2 Directive will be subject to negotiations between the EU Council and the EU Parliament and, once it is adopted, Member States will have to transpose the NIS2 Directive within 18 months. The NIS2 Directive has also been published alongside a proposed Directive on the resilience of critical entities which has a similar scope to the essential services under the NIS2 Directive but with the additional requirement that Member States designate the provider as a “critical entity”.
For those who wonder about the UK, the UK NIS Regulations were updated at the end of 2020 to prepare for Brexit and to introduce changes resulting from the 2020 Post-Implementation Review of the NIS Regulations, published in May 2020, and previous reviews on the implementation of the NIS Directive. There will be another Post-Implementation Review in 2022.