The EU has agreed changes to its cybersecurity rules. On 22 November 2022, the “NIS 2 Directive” received approval from the European Parliament. Yesterday, the text was also adopted by the Council of the EU, clearing the path for this to become law.
What is “NIS”?
The original Network and Information Security Directive of 2016 aimed to achieve “a high common level of cybersecurity across the Member States.” It focuses on critical infrastructure in sectors such as health, transport and energy (operators of essential services), as well as certain digital services. Its provisions include security and breach notification obligations on key organisations in these sectors.
It contains an inbuilt review mechanism to accommodate changes to “societal, political, technological or market conditions.” The latest review led to a report, which was followed by legislative proposals and has culminated in the draft text of the NIS 2 Directive (see the full text here).
Why NIS 2?
The impetus for amending the original directive included a surge in cyber-attacks and the growing threats associated with increased digitalisation. The European Parliament’s press release also referred to improving the resilience of critical infrastructure in the face of the climate crisis and “the increasing occurrence of sabotage in the European Union because of Russia’s war of aggression against Ukraine”. Topics such as “the cybersecurity of undersea communications cables” are therefore expressly called out in the draft text.
The review of the Directive has also shown a wide divergence in its implementation by Member States, for example in the security and incident reporting obligations and in relation to enforcement. To this end, NIS 2 (for example) formally establishes the European cyber crisis liaison organisation network (EU-CyCLONe), to support the coordinated management of large-scale cybersecurity incidents.
Despite concerns around a lack of harmonisation, the 2020 proposal made it clear that a directive (rather than a directly-effective regulation) was chosen, to allow for “a certain degree of flexibility for competent authorities” in individual Member States.
Expanded sectors
One eye-catching feature of the NIS 2 text is the expansion to cover a wider range of sectors deemed of “high criticality” (11 in total), as well as further “critical” sectors:
| Original NIS Directive | Draft NIS 2 text |
|---|---|
| Operator of essential services | Sectors of high criticality |
| Energy (electricity, oil and gas) | Energy (expanded to include district heating and cooling, and hydrogen subsectors) |
| Transport (air, rail, water, road) | Transport (air, rail, water, road) |
| Banking | Banking |
| Financial market infrastructures | Financial market infrastructures |
| Health | Health |
| Drinking water | Drinking water |
| Digital Infrastructure (Internet Exchange Point providers, DNS service providers, top-level domain name registries) | Digital Infrastructure (expanded to include data centre service providers, content delivery network providers, trust service providers, providers of public electronic communications networks and publicly available electronic communications services) |
| X | Waste water |
| X | ICT service management (business-to-business) |
| X | Public administration |
| X | Space |
| Relevant digital service providers | Other critical sectors |
| Providers of the following digital services: online marketplace, online search engine, cloud computing service | Digital providers (online marketplaces, online search engines, social networking services platforms) |
| X | Waste management |
| X | Manufacture, production and distribution of chemicals |
| X | Production, processing and distribution of food |
| X | Manufacturing |
| X | Postal and courier services |
| X | Research organisations |
Other changes
In addition to expanding the list of sectors, NIS 2 makes a number of other changes to the previous NIS regime, including:
- removing the distinction between operators of essential services and digital service providers and instead classifying entities based on importance into either essential or important entities (which are subject to different supervisory regimes). It also harnesses the general EU legislative concepts of micro-, small- and medium-sized enterprises to help clarify which entities are in-scope;
- setting out a minimum list of basic security requirements that need to be applied, requiring that companies address cybersecurity risks in their supply chains and supplier relationships and streamlining the reporting process;
- providing for senior management responsibility of in-scope entities for infringement by those entities;
- providing consistent remedies and enforcement measures, which include fines up to a maximum of EUR 10 million or of a maximum of at least 2% of the total worldwide annual turnover for essential entities and EUR 7 million or of a maximum of at least 1.4% of the total worldwide annual turnover for important entities;
- setting minimum rules regarding the functioning of a coordinated regulatory framework and laying down mechanisms for effective cooperation among the authorities in the Member States.
What next?
Having now been formally adopted by MEPs and the Council of the EU, the directive will be published in the Official Journal of the EU “in the coming days”. The NIS 2 Directive will enter into force 20 days after publication and Member States will then have 21 months to transpose the Directive into national law.
What about the UK?
The UK is also keeping its NIS regime under review. As discussed in our blog this summer, the UK Government published its second review of the UK’s equivalent regime – the Network and Information Systems Regulations 2018 – in July 2022. The review assessed how well the current regime had been working in the UK, and recommended proposed amendments. Meanwhile, sector-specific guidance in the UK is also being updated. For example, in November 2022, Ofcom launched a consultation on proposed changes to guidance for the digital infrastructure subsector under the NIS Regulations for which it is responsible.
Comment
Organisations which could be subject to the UK, and newly expanded EU, regimes will continue to have to monitor both landscapes. Despite attempts at greater harmonisation in NIS 2, this could include divergence under the updated EU regime due to national requirements. As for the UK specifically, whilst there may be political pressure to forge its own path, industry concerns and the “Brussels effect” may nevertheless lead to some overlap in forthcoming updates.