The NIS regime, which aims to boost the overall level of cyber security in the EU by improving the security of network and information systems across critical sectors, has been under review at both EU and UK level. On 16 December 2020, the European Commission adopted a proposal for a revised Directive (‘NIS2’).
The digital transformation taking place across society (which has been intensified by Covid-19) has brought with it new security challenges which the proposals hope to address. The new EU cyber strategy, published on the same day, also confirms that a revised NIS Directive is necessary to increase the level of cyber resilience across all relevant sectors “that perform an important function for the economy or society” and to reduce inconsistencies across the internal market by aligning scope, security and incident reporting requirements, national supervision and enforcement.
The proposed changes include:
- Widening the scope of the current regime, bringing in new sectors such as the postal services, food and manufacturing of certain critical products such as pharmaceuticals.
- Introducing a clear size cap (meaning all medium and large companies in the relevant sectors would be in scope) while retaining the ability to bring small, high-risk entities in scope.
- Eliminating the current distinction between operators of essential services and digital service providers. Instead, entities would be classified based on their importance, with a different regime for those that are essential and those that are important.
- Strengthening the security requirements, providing a minimum list of basic security elements that have to be applied, and introducing more precise incident response reporting requirements.
- Addressing supply chain risk and management accountability.
- Enhancing the enforcement provisions and aiming to harmonise sanctions across Member States.
The Commission has produced an easy to read factsheet which clearly sets out some of the key changes between the NIS Directive and NIS2 proposals.
Next steps:
While a revised NIS regime is a key part of the EU’s new cyber strategy, it will be some time before any new rules take effect. The proposal will now be subject to negotiations between the legislators (notably the Council of the EU and EU Parliament), which can take time. Once agreed and adopted, Member States will then have a further 18 months to transpose it into local law.