Commission proposes to update NIS Directive only two years after implementation

11 January 2021

Following criticism of both the scope and application of the Directive on Security of Network and Information Systems, otherwise known as the “NIS2 Directive”, the European Commission published its proposal for a review in December 2020. As the name suggests, the NIS2 Directive is designed to update the current NIS Directive, although that Directive was only being implemented in Member States from 9 May 2018.

The current NIS Directive (also known as the cybersecurity directive) contains targeted rules (e.g. breach notification obligations) for operators of essential services (providers in the energy, transport, banking and finance, health, water supply, and digital infrastructure) and digital service providers (namely, providers of online marketplace, online search engine and cloud computing services). Member States were also required to prepare a Computer Security Incident Response Team (“CSIRT”) and a competent national NIS authority.

Services in Scope

The proposed NIS2 Directive aims to abolish the distinction between (i) operators of essential services and (ii) digital service providers and explore a new approach to classification based on the importance of the service. This would provide a lighter touch regime for services that are categorised as “important” rather than “essential”. However, the proposal does allow Member States to “gold-plate” the requirements.

Essential and important services are categorised using the following sectors, but simply being in one of these sectors is not sufficient and the service also has to be of a type listed in the Annex to the proposal (which sets out the type of entity on a more granular level):

Energy
Transport
Banking
Financial Market infrastructures
Drinking water
Digital infrastructure
Public administration

Postal and courier services
Waste management
Manufacture, production and distribution of chemicals
Food production, processing and distribution
Digital Providers

It should be noted that cloud service providers have moved to the higher level of essential services (under the category of “digital infrastructure”), whereas the remaining categories of digital service providers (falling under “important”) have been expanded to include providers of social networking services platforms.

The new proposal therefore seeks to expand the scope of the current NIS Directive by adding new sectors based on their criticality for the economy and society. It also introduces a size cap that will mean that only medium and large companies in selected sectors will be included in the scope whilst retaining some flexibility for Member States to identify smaller entities with a high security risk profile. However, this carve-out for smaller companies does not apply in all contexts, for example where the provider of a designated essential or important service is a provider of public electronic communications networks or publicly available electronic communications services.

The jurisdictional scope of the NIS2 Directive is still determined by where the main establishment of the provider is in the EU for Top Level Domain name registries, cloud computing service providers, data centre service providers and content delivery network providers, providers of electronic communications networks or publicly available electronic communications services as well as certain digital providers. Otherwise, the competence of the regulatory authority is the determining element.

Further, under the NIS2, the main establishment is deemed to be where the decisions related to the cybersecurity risk management measures are taken rather than the place where the provider has its head office in the EU. If such decisions are not taken in any establishment in the EU, the main establishment is deemed to be in the Member State where the entities have the establishment with the highest number of employees in the EU. If there are no EU entities and the provider offers services in the EU, then a NIS representative is required.

Other Significant Changes

The proposal strengthens security requirements for the companies subject to the rules, by imposing a risk management approach (technical and organisational measures), whilst providing a minimum list of basic security elements that have to be applied. This is a more prescriptive approach than that applied under the current NIS Directive. The proposal also introduces more precise requirements for incident reporting, including in relation to the content of the reports and timelines for reporting (within 24 hours in some cases). It is also interesting to note that the NIS2 Directive seeks to replace the specific security requirements for providers of electronic communication networks and services in the EU Electronic Communications Code and for trust service providers under Regulation (EU) No 910/2014.

The security of supply chains and supplier relationships has been a particularly hot topic in recent years and the NIS2 Directive consequently requires individual companies to address cybersecurity risks in supply chains and supplier relationships.

On a more general basis, the proposal for the NIS2 Directive also:

a. introduces more stringent supervisory measures for national authorities (maintaining the requirement to have CSIRTs);

b. includes stricter enforcement requirements;

c. enhances cooperation and information sharing between Member States, including through the creation of a new body (CyCLONe) for the coordinated management of large-scale cybersecurity incidents and crises and to ensure the regular exchange of information among Member States and EU bodies; and

d. aims at harmonising sanctions regimes across Member States (including fines of up to 10,000,000 EUR or up to 2% of the total worldwide annual turnover of the undertaking).

Next Steps

The proposal for the NIS2 Directive will be subject to negotiations between the Council and the European Parliament and, once it is adopted, Member States will have to transpose the NIS2 Directive within 18 months.

For further information contact Matthew Buckwell

Written by
Matthew Buckwell
Matthew is an associate in our Commercial Group, advising clients on the global challenges facing the digital and communications sector as well as providing counsel on new technologies and their relationships with the use of data.