Following criticism of both the scope and application of the Directive on Security of Network and Information Systems, otherwise known as the “NIS Directive”, the European Commission published its proposal for a revised directive, commonly referred to as the “NIS2 Directive”, in December 2020. As the name suggests, the NIS2 Directive is designed to replace the current NIS Directive, even though that Directive has only been implemented in Member States since 9 May 2018.
The current NIS Directive (also known as the cybersecurity directive) contains targeted rules (e.g. security and breach notification obligations) for operators of essential services (providers in the energy, transport, banking and finance, health, water supply and digital infrastructure sectors) and digital service providers (namely, providers of online marketplaces, online search engines and cloud computing services). Member States were also required to establish a Computer Security Incident Response Team (“CSIRT”) and a competent national NIS authority.
Services in Scope
The proposed NIS2 Directive abolishes the distinction between (i) operators of essential services and (ii) digital service providers and adopts a new approach to classification based on the importance of the service. This provides a lighter-touch regime for services categorised as “important” rather than “essential”. However, the proposal does allow Member States to “gold-plate” the requirements.
Essential and important services are categorised using the following sectors, but simply being in one of these sectors is not sufficient: the service also has to be of a type listed in the Annex to the proposal (which sets out the type of entity on a more granular level):

| Essential | Important |
|---|---|
| Energy | Postal and courier services |
| Banking | Manufacture, production and distribution of chemicals |
| Financial market infrastructures | Food production, processing and distribution |
| Drinking water | Digital providers |
It should be noted that cloud service providers have moved to the higher level of essential services (under the category of “digital infrastructure”), whereas the remaining categories of digital service providers (falling under “important”) have been expanded to include providers of social networking services platforms.
The proposal thus expands the scope of the current NIS Directive by adding new sectors based on their criticality for the economy and society. It also introduces a size threshold, so that only medium and large companies in the selected sectors fall within scope, whilst retaining some flexibility for Member States to identify smaller entities with a high security risk profile. This carve-out for smaller companies does not apply in all contexts, however; for example, it does not apply where the provider of a designated essential or important service is a provider of public electronic communications networks or publicly available electronic communications services.
The jurisdictional scope of the NIS2 Directive continues to be determined by the location of the provider's main establishment in the EU for top-level domain name registries, cloud computing service providers, data centre service providers, content delivery network providers, providers of electronic communications networks or publicly available electronic communications services, and certain digital providers. All other entities fall under the jurisdiction of the Member State in which they provide their services, and therefore under the competence of that Member State's authority.
Further, under the NIS2 Directive the main establishment is deemed to be the place where decisions related to cybersecurity risk management measures are taken, rather than the place where the provider has its head office in the EU. If such decisions are not taken in any establishment in the EU, the main establishment is deemed to be in the Member State where the entity has the establishment with the highest number of employees in the EU. If the provider has no establishment in the EU but offers services there, it must designate a representative in the EU.
Other Significant Changes
The proposal strengthens security requirements for the companies subject to the rules by imposing a risk management approach (technical and organisational measures), whilst providing a minimum list of basic security elements that have to be applied. This is more prescriptive than the approach under the current NIS Directive. The proposal also introduces more precise requirements for incident reporting, including in relation to the content of the reports and the timelines for reporting (an initial notification within 24 hours in some cases). It is also interesting to note that the NIS2 Directive seeks to replace the specific security requirements for providers of electronic communications networks and services in the EU Electronic Communications Code and for trust service providers under Regulation (EU) No 910/2014 (the eIDAS Regulation).
The security of supply chains and supplier relationships has been a particularly hot topic in recent years, and the NIS2 Directive consequently requires individual companies to address cybersecurity risks in their supply chains and supplier relationships as part of their risk management measures.
On a more general basis, the proposal for the NIS2 Directive also:
a. introduces more stringent supervisory measures for national authorities (maintaining the requirement to have CSIRTs);
b. includes stricter enforcement requirements;
c. enhances cooperation and information sharing between Member States, including through the creation of a new body, the European Cyber Crises Liaison Organisation Network (CyCLONe), for the coordinated management of large-scale cybersecurity incidents and crises and to ensure the regular exchange of information among Member States and EU bodies; and
d. aims at harmonising sanctions regimes across Member States (including fines of up to EUR 10,000,000 or up to 2% of the total worldwide annual turnover of the undertaking, whichever is higher).
The proposal for the NIS2 Directive will now be subject to negotiations between the Council and the European Parliament. Once it is adopted, Member States will have 18 months to transpose the NIS2 Directive into national law.
For further information contact Matthew Buckwell