THE LENS
Digital developments in focus

EU expands scope of its cyber rules as NIS 2 agreed

The EU has agreed changes to its cybersecurity rules. On 22 November 2022, the “NIS 2 Directive” received approval from the European Parliament. Yesterday, the text was also adopted by the Council of the EU, clearing the path for this to become law.

What is “NIS”?

The original Network and Information Security Directive of 2016 aimed to achieve “a high common level of cybersecurity across the Member States.” It focuses on critical infrastructure in sectors such as health, transport and energy (operators of essential services), as well as certain digital services. Its provisions include security and breach notification obligations on key organisations in these sectors.

It contains an inbuilt review mechanism to accommodate changes to “societal, political, technological or market conditions.” The latest review led to a report, which was followed by legislative proposals and has culminated in the draft text of the NIS 2 Directive (see the full text here).

Why NIS 2?

The impetus for amending the original directive included a surge in cyber-attacks and the growing threats associated with increased digitalisation. The European Parliament’s press release also referred to improving the resilience of critical infrastructure in the face of the climate crisis and “the increasing occurrence of sabotage in the European Union because of Russia’s war of aggression against Ukraine”. Topics such as “the cybersecurity of undersea communications cables” are therefore expressly called out in the draft text.

The review of the Directive has also shown a wide divergence in its implementation by Member States, for example in the security and incident reporting obligations and in relation to enforcement. To this end, NIS 2 (for example) formally establishes the European cyber crisis liaison organisation network (EU-CyCLONe), to support the coordinated management of large-scale cybersecurity incidents.

Despite concerns around a lack of harmonisation, the 2020 proposal made it clear that a directive (rather than a directly-effective regulation) was chosen, to allow for “a certain degree of flexibility for competent authorities” in individual Member States.

Expanded sectors

One eye-catching feature of the NIS 2 text is the expansion to cover a wider range of sectors deemed of “high criticality” (11 in total), as well as further “critical” sectors:

| Original NIS Directive | Draft NIS 2 text |
| --- | --- |
| Operators of essential services | Sectors of high criticality |
| Energy (electricity, oil and gas) | Energy (expanded to include district heating and cooling, and hydrogen subsectors) |
| Transport (air, rail, water, road) | Transport (air, rail, water, road) |
| Banking | Banking |
| Financial market infrastructures | Financial market infrastructures |
| Health | Health |
| Drinking water | Drinking water |
| Digital infrastructure (Internet Exchange Point providers, DNS service providers, top-level domain name registries) | Digital infrastructure (expanded to include data centre service providers, content delivery network providers, trust service providers, providers of public electronic communications networks and publicly available electronic communications services) |
| Not covered | Waste water |
| Not covered | ICT service management (business-to-business) |
| Not covered | Public administration |
| Not covered | Space |
| Relevant digital service providers | Other critical sectors |
| Providers of the following digital services: online marketplace, online search engine, cloud computing service | Digital providers (online marketplaces, online search engines, social networking services platforms) |
| Not covered | Waste management |
| Not covered | Manufacture, production and distribution of chemicals |
| Not covered | Production, processing and distribution of food |
| Not covered | Manufacturing |
| Not covered | Postal and courier services |
| Not covered | Research organisations |

Other changes 

In addition to expanding the list of sectors, NIS 2 makes a number of other changes to the previous NIS regime, including: 

  • removing the distinction between operators of essential services and digital service providers and instead classifying entities based on importance into either essential or important entities (which are subject to different supervisory regimes). It also harnesses the general EU legislative concepts of micro-, small- and medium-sized enterprises to help clarify which entities are in-scope;
  • setting out a minimum list of basic security requirements that need to be applied, requiring that companies address cybersecurity risks in their supply chains and supplier relationships and streamlining the reporting process;
  • providing for senior management responsibility of in-scope entities for infringement by those entities;
  • providing consistent remedies and enforcement measures, which include fines up to a maximum of EUR 10 million or of a maximum of at least 2% of the total worldwide annual turnover for essential entities and EUR 7 million or of a maximum of at least 1.4% of the total worldwide annual turnover for important entities;
  • setting minimum rules regarding the functioning of a coordinated regulatory framework and laying down mechanisms for effective cooperation among the authorities in the Member States.

What next?

Having now been formally adopted by MEPs and the Council of the EU, the directive will be published in the Official Journal of the EU “in the coming days”. The NIS 2 Directive will enter into force 20 days after publication, and Member States will then have 21 months to transpose the Directive into national law.

What about the UK?

The UK is also keeping its NIS regime under review. As discussed in our blog this summer, the UK Government published its second review of the UK’s equivalent regime – the Network and Information Systems Regulations 2018 – in July 2022. The review assessed how well the current regime had been working in the UK, and recommended proposed amendments. Meanwhile, sector-specific guidance in the UK is also being updated. For example, in November 2022, Ofcom launched a consultation on proposed changes to guidance for the digital infrastructure subsector under the NIS Regulations for which it is responsible.

Comment

Organisations which could be subject to the UK, and newly expanded EU, regimes will continue to have to monitor both landscapes. Despite attempts at greater harmonisation in NIS 2, this could include divergence under the updated EU regime due to national requirements. As for the UK specifically, whilst there may be political pressure to forge its own path, industry concerns and the “Brussels effect” may nevertheless lead to some overlap in forthcoming updates.

“This Directive aims to overcome the shortcomings of the differentiation between operators of essential services and digital service providers, which has been proven to be obsolete, since it does not reflect the importance of the sectors or services for the societal and economic activities in the internal market.” (Recital 6 of NIS 2)
