Draft proposal for the cybersecurity directive ‘NIS2’
“More companies subject to EU cybersecurity legislation, CSPs subject to a stricter regime & new provisions on incident reporting and administrative sanctions”
I. NIS Directive: first piece of EU-wide cybersecurity legislation
The safety and security of network and information systems are important elements for the European Commission in realising an internal digital market. For that purpose, in 2016 the ‘Network and Information Security Directive’ (NIS Directive) entered into force. The NIS Directive aims at harmonising security requirements and encouraging cooperation. The NIS Directive applies to ‘network and information systems’ (incl. the Internet and a company’s ICT infrastructure), and addresses the following two groups: ‘Operators of essential services’ (OES) and ‘Digital service providers’ (DSP).
OESs are public or private entities that provide services essential for the maintenance of critical societal and/or economic activities, that depend on network and information systems for the provision of those services, and for which an incident would have significant disruptive effects on that provision. The NIS Directive lists the sectors providing essential services: energy, transport, banking, financial market infrastructure, the health sector, drinking water supply and distribution, and digital infrastructure. It is up to the Member States to designate the entities that qualify as operators of essential services.
DSPs are divided into providers of online marketplaces, online search engines and cloud computing services. This group is not further specified and the Member States do not have to designate digital service providers. Every ‘large’ company operating as a DSP (with >50 employees and/or 10+ million turnover) falls within the scope of the NIS Directive.
In summary, the NIS Directive stipulates that OESs and DSPs must take appropriate and proportionate technical and organisational measures to adequately protect their ICT, and must notify incidents with significant effects to the competent authority or the Computer Security Incident Response Team (CSIRT). Please note in this context that the NIS Directive does not only address wilful attacks (such as hacking) but also ICT incidents caused by human error and incidents that endanger the availability of data or services. The NIS Directive seeks minimum harmonisation, which means that Member States must transpose the Directive into national law so as to meet its minimum requirements, but may still pursue a higher level of protection. In the Netherlands the ‘Network and Information Security Systems Act’ (Wbni) has transposed the NIS Directive into Dutch law.
The NIS Directive raised questions about the identification of OESs and DSPs (i.e. its ‘scope’), as a result of which implementation proved difficult. That, in combination with the increased dependence on information technology, especially since Covid-19, made an evaluation of the NIS Directive necessary.
II. Draft proposal NIS2
The European Commission ran an open public consultation to evaluate the NIS Directive. One of the main conclusions was the lack of a harmonised approach, resulting in significant inconsistencies in the way Member States draw up lists of OESs and DSPs. As a result, companies of the same type might be identified as an OES or DSP in one Member State but not in another, and thus be excluded from the scope of the NIS Directive depending on the Member State in which they operate and have their main office. For instance, a major hospital in one Member State is not considered an OES and is therefore not required to take security measures and report IT incidents, whilst a similar large hospital located in another Member State falls under the NIS Directive and is subject to the security and notification obligations. Also, the supervision and enforcement regime of the NIS Directive proved to be ineffective.
To further enhance the level of cybersecurity in the EU, the European Commission presented the ‘NIS2’, which would eventually repeal and replace the NIS Directive. The NIS2 makes systemic and structural changes to the current NIS Directive, such as:
- significantly extending the scope of the NIS Directive, among others by adding new sectors such as telecoms, social media platforms and public administration;
- removing the distinction between OESs and DSPs and replacing it with ‘Essential Entities’ and ‘Important Entities’ (the two categories being subject to different supervisory regimes);
- there is no ‘size cap’: all medium-sized and large companies active in the sectors covered by the NIS2 would automatically need to comply with the security rules;
- stricter cybersecurity measures, including a list of 7 basic security elements which companies must address or implement (e.g. incident handling, supply chain security, and use of cryptography and encryption);
- recognition of the importance of the ‘Internet of Things’ (IoT), by addressing cybersecurity of the ICT supply chain and requiring individual companies to address cybersecurity risks in their supply chains and supplier relationships;
- more precise provisions on incident reporting (including a two-stage approach: an initial report within 24 hours after becoming aware of an incident, followed by a final report one month later);
- a minimum list of administrative sanctions in case an entity is in breach of the NIS2, including binding instructions, an order to implement recommendations resulting from audits, or administrative fines of up to € 10 million or 2% of the entity’s total worldwide turnover;
- increased information sharing and cooperation between Member State authorities;
- a European vulnerability registry providing access to information on the vulnerabilities of ICT products and services.
The NIS2 is in its early stages, and the European Parliament and the Council of the European Union, among others, still have to take a position on it. Hopefully the NIS2 will be adopted at the end of 2021 or somewhere in the course of 2022, after which Member States need to transpose it into their national laws (likely within 18 months after the date of entry into force of the NIS2).
The draft proposal for the NIS2 extends the scope of the current NIS Directive by adding new sectors and eliminating the size cap. This would essentially mean that a larger group of companies could become subject to the cybersecurity requirements laid down in the NIS and in various national laws. For instance, social media platforms and manufacturers of medical devices and of computer, electronic and optical products are in the current draft considered Important Entities and thus fall under the scope of the NIS2. In addition, the NIS2 provides for stricter cybersecurity measures, more precise provisions on incident reporting and a list of administrative sanctions.
Interestingly, ‘cloud computing service providers’ (CSPs) are apparently no longer included in the DSP category (which is currently the situation under the NIS Directive). According to the NIS2, CSPs are to be considered OES entities. That could mean that companies offering cloud services will become subject to a fully-fledged supervisory regime (ex-ante and ex-post), with stricter rules on compliance and on security and notification measures. Under the current NIS Directive, CSPs are considered DSPs and face a light supervisory regime (ex-post only).
It is clear that in the near future more and more companies will be subject to European and national cybersecurity legislation containing security measures and notification obligations.
NIS2 might well have the same ‘impact’ the GDPR had back in May 2018...
For any further inquiries on this topic please do not hesitate to contact me at firstname.lastname@example.org or 020-2060734.