The EU has agreed changes to its cybersecurity rules. On 22 November 2022, the “NIS 2 Directive” received approval from the European Parliament. Yesterday, the text was also adopted by the Council of the EU, clearing the path for this to become law.
What is “NIS”?
The original Network and Information Security Directive of 2016 aimed to achieve “a high common level of cybersecurity across the Member States.” It focuses on critical infrastructure in sectors such as health, transport and energy (operators of essential services), as well as certain digital services. Its provisions include security and breach notification obligations on key organisations in these sectors.
It contains an inbuilt review mechanism to accommodate changes to “societal, political, technological or market conditions.” The latest review led to a report, which was followed by legislative proposals and has culminated in the draft text of the NIS 2 Directive (see the full text here).
Why NIS 2?
The impetus for amending the original directive included a surge in cyber-attacks and the growing threats associated with increased digitalisation. The European Parliament’s press release also referred to improving the resilience of critical infrastructure in the face of the climate crisis and “the increasing occurrence of sabotage in the European Union because of Russia’s war of aggression against Ukraine”. Topics such as “the cybersecurity of undersea communications cables” are therefore expressly called out in the draft text.
The review of the Directive has also shown a wide divergence in its implementation by Member States, for example in the security and incident reporting obligations and in relation to enforcement. NIS 2 therefore, for example, formally establishes the European cyber crisis liaison organisation network (EU-CyCLONe) to support the coordinated management of large-scale cybersecurity incidents.
Despite concerns around a lack of harmonisation, the 2020 proposal made it clear that a directive (rather than a directly effective regulation) was chosen to allow for “a certain degree of flexibility for competent authorities” in individual Member States.
Expanded sectors
One eye-catching feature of the NIS 2 text is the expansion to cover a wider range of sectors deemed of “high criticality” (11 in total), as well as further “critical” sectors:
| Operators of essential services (original NIS Directive) | Sectors of high criticality (draft NIS 2 text) |
| --- | --- |
| Energy (electricity, oil and gas) | Energy (expanded to include district heating and cooling, and hydrogen subsectors) |
| Transport (air, rail, water, road) | Transport (air, rail, water, road) |
| Banking | Banking |
| Financial market infrastructures | Financial market infrastructures |
| Health | Health |
| Drinking water | Drinking water |
| Digital infrastructure (Internet Exchange Point providers, DNS service providers, top-level domain name registries) | Digital infrastructure (expanded to include data centre service providers, content delivery network providers, trust service providers, providers of public electronic communications networks and publicly available electronic communications services) |
| X | Waste water |
| X | ICT service management (business-to-business) |
| X | Public administration |
| X | Space |

| Relevant digital service providers (original NIS Directive) | Other critical sectors (draft NIS 2 text) |
| --- | --- |
| Providers of the following digital services: online marketplace, online search engine, cloud computing service | Digital providers (online marketplaces, online search engines, social networking services platforms) |
| X | Waste management |
| X | Manufacture, production and distribution of chemicals |
| X | Production, processing and distribution of food |
| X | Manufacturing |
| X | Postal and courier services |
| X | Research organisations |

In both tables, an X in the left-hand column indicates a sector that was not covered by the original Directive.
The Directive distinguishes between “essential” and “important” entities, with different supervisory and enforcement regimes for each. It also draws on the general EU legislative concepts of micro-, small- and medium-sized enterprises to help clarify which entities are in scope.
What next?
Having now been formally adopted by MEPs and the Council of the EU, the Directive will be published in the Official Journal of the EU “in the coming days”. The NIS 2 Directive will enter into force 20 days after publication, and Member States will then have 21 months to transpose it into national law.
What about the UK?
The UK is also keeping its NIS regime under review. As discussed in our blog this summer, the UK Government published its second review of the UK’s equivalent regime – the Network and Information Systems Regulations 2018 – in July 2022. The review assessed how well the current regime had been working in the UK, and recommended proposed amendments. Meanwhile, sector-specific guidance in the UK is also being updated. For example, in November 2022, Ofcom launched a consultation on proposed changes to guidance for the digital infrastructure subsector under the NIS Regulations for which it is responsible.
Comment
Organisations which could be subject to the UK regime and the newly expanded EU regime will need to continue monitoring both landscapes. Despite the attempts at greater harmonisation in NIS 2, national requirements may still lead to divergence under the updated EU regime. As for the UK specifically, whilst there may be political pressure to forge its own path, industry concerns and the “Brussels effect” may nevertheless lead to some overlap in forthcoming updates.