NIS2 Directive – new European cybersecurity requirements

The Directive on measures for a high common level of cybersecurity across the Union (NIS2), was proposed by the European Commission on 16 December 2020 and is expected to come into force by the end of 2022. It aims to replace and update the NIS Directive (NIS1), which entered into force in 2016 and is one of the most important pieces of EU-wide cybersecurity legislation. The EU legislator felt that a revision of NIS1 was needed to keep pace with rapid digitalisation and the accompanying growth in cybersecurity threats, as well as to harmonise application across the EU. Member States will have 21 months to implement it once it comes into force.

NIS1 Directive

One of the aims of NIS1 was to increase Member State capability in the field of cybersecurity. The Member States had to designate competent authorities for monitoring compliance with the Directive as well as central contact points as liaison offices for supranational cooperation, and set up computer security incident response teams (CSIRTs). In order to strengthen cooperation at Union level, a cooperation group consisting of representatives of the Member States, the Commission and the EU Agency for Cyber Security (ENISA) was established. A network of representatives of the national CSIRTs was also set up to promote the exchange of information between Member States.

The core of NIS1, however, is the bundle of obligations on operators of so-called "essential services" as well as on providers of "digital services" which became subject to special security precautions and reporting obligations. An essential service must, according to NIS1, be indispensable for the maintenance of critical social and economic activities, be dependent on a network and information system and a possible security incident would have to lead to a significant disruption in the provision. The sectors of essential services covered by NIS1 are listed in its Annex II, and include healthcare, transport, energy and water supply. The question of who specifically qualifies as an operator of an essential service in the sectors designated by NIS1 is specified by the Member States themselves on the basis of predefined criteria.

Providers of digital services, which, according to Annex III of the Directive, include online marketplaces, cloud computing services and online search engines, are subject to similar obligations (in particular implementation of appropriate measures and security incident reporting, as well as - for non-EU providers - the appointment of a representative in the EU).

The European Commission considers NIS1 to have been a success in principle as it has led to a general improvement in cybersecurity. However, things move quickly in the cyber world and it is now seen as out of date and no longer sufficient to ensure cyber defence capability. Member State implementation has also been in the spotlight, in particular, often poorly enforced sanctions, insufficient exchanges at Union level in certain areas and, a lack of harmonisation on categorisation of cybersecurity incidents. The Commission has also recognised shortcomings of the old Directive including the high regulatory burden for the competent authorities of the Member States and the overly narrow scope of application, which does not cover all digitalised sectors in which essential services are offered to the community.

NIS2 Directive

Within the framework of the "Programme to Ensure Efficiency and Performance of Legislation", which aims to reduce administrative burdens and make EU law more efficient and cost-effective, the initiative was therefore taken to revise the NIS Directive. The following statements refer to the text of the European Parliament legislative resolution of 10 November 2022.

Extended scope

In line with the criticism expressed by the European Commission on the state of implementation of NIS1, the scope of application was extended in NIS2 to include further sectors: in addition to the sectors already covered by the old Directive, essential entities in the sewage, ICT-service management, public administration and space sectors are now also included. The differentiation between operators of essential services and providers of digital services was abandoned; instead, a distinction is now made between so-called "essential" and "important" entities based on the degree of criticality of the sector.

In addition to the newly added sectors, essential entities can also be found in familiar sectors such as energy, transport, healthcare or water supply, with the energy, healthcare and digital infrastructure sectors being expanded. Sectors in which important entities are present include postal and courier services, waste management, the manufacture of certain goods (including medical devices and motor vehicles) and the providers of digital services already identified in NIS1. Also, under certain circumstances, educational institutions may now be classified as important entities, insofar as they perform critical research activities.

Uniform threshold

In order to avoid significant differences between the Member States, the exact thresholds for essential (and now also important) services are no longer determined by the Member States, but directly by the Directive, in that the scope of application now includes all medium-sized and large enterprises in the critical sectors. This generally includes all entities that either employ more than 50 people or have an annual turnover or balance sheet of more than €10 million. Some facilities are covered by the scope even if they do not meet the threshold. Regardless of whether the threshold is met, public administration entities that conduct defence, national security, public security, or law enforcement activities are explicitly excluded. Also excluded from the scope of application are, in principle, all entities that already have to comply with equivalent risk management and notification obligations under sector-specific EU legal acts (e.g. the DORA Regulation).

Monitoring and enforcement

In future, the national authorities are to take on more responsibility for monitoring and enforcing national legislation implementing NIS2. The NIS2 Directive contains a catalogue of measures and powers that the Member States must follow (Art. 31 et seq. NIS2 Directive). The framework for penalties throughout Europe provides for fines of at least up to €10 million or 2% of the worldwide annual turnover for essential entities and up to €7 million or 1.4% of the worldwide annual turnover for important entities.

Cooperation between Member States

NIS2 also considerably expands cooperation between the authorities of the Member States throughout the Union: among other things, competent authorities are required to exchange cybersecurity information,  the cooperation group and CSIRT networks have an expanded remit, and provision is made to establish a European network for massive cybersecurity incidents (EU-CyCLONe) made up of the competent national authorities as well as in some cases the European Commission. In other cases, however, the European Commission acts as an observer alongside any invited representatives of relevant stakeholders.

Risk management measures

The measures prescribed by NIS2 for operators of essential and important services are now described more comprehensively and uniformly: Member States shall ensure that essential and important entities take appropriate measures to manage the risks to their network and information systems security. Art. 21 of NIS2 contains a catalogue of measures listing, among other things, minimum standards for risk analysis and security concepts, prevention of security incidents, cybersecurity training and crisis management, which must be implemented by the companies. The management bodies of the entities play an important role in risk management. This is because the measures taken to comply with Article 21 requirements must be approved and monitored by the management bodies of essential and important institutions. In addition, the members of the management bodies must also participate in cybersecurity training.

Reporting obligations

Member States shall ensure that essential and important entities notify the CSIRT or (where relevant) the (other) competent authority of incidents that have a significant impact on the provision of their services. The term "incident" is defined by NIS2 as any event that compromises the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data, or of the services offered by or accessible via network and information systems. When an incident is to be classified as significant is determined by Article 23.

The reporting obligations on companies are now more clearly formulated; the Directive contains precise specifications on the procedure, content and timeframe for reporting a security incident. Essential and important entities are required to submit an "early warning" to the CSIRT (or, where relevant, to the competent authority) without undue delay, but in any case within 24 hours of becoming aware of the incident, stating whether the security incident is likely to have been caused by illegal and malicious action and may have cross-border effects. Further, affected entities must submit an interim report containing relevant status updates at any time upon request by the CSIRT or the responsible authority. Affected entities must also submit a final report containing required elements.

Finally, an EU-wide coordinated risk assessment of supply chains has also been newly introduced.

Outlook

The NIS2 Directive goes significantly further than the previous framework of NIS1 in an attempt to tackle the issues with NIS1 identified by the Commission.  As a result, the impact is expected to be significantly greater than that of NIS1. Potentially affected organisations should take advantage of the now uniform regulation of the threshold value to clarify whether they fall within the scope of the Directive and, if so, prepare for the new regulatory requirements.