In addition to releasing the new EU Cybersecurity Strategy before the holidays (see our post here), the Commission published a revised Directive on measures for a high common level of cybersecurity across the Union (“NIS2”) and a Directive on the resilience of critical entities (“Critical Entities Resilience Directive”). In this blog post, we summarize key points relating to NIS2, including more onerous security and incident reporting requirements; the extension of those requirements to companies in the food, pharma, medical device, and chemical sectors, among others; and increased powers for regulators, including the ability to impose multi-million Euro fines.
The Commission is seeking feedback on NIS2 and the Critical Entities Resilience Directive, and recently extended its original deadline of early February to March 11, 2021 (responses can be submitted here and here).
Proposal for NIS2
As many readers will be aware, the European institutions passed Directive 2016/1148 (“NIS Directive”) back in 2016 around the same time as the GDPR. This was the first-ever “horizontal” cybersecurity law in Europe, i.e., that did not focus exclusively on a single sector. The NIS Directive imposes baseline security and incident reporting obligations on:
- “operators of essential services”, designated by Member States, within the energy, transport, banking, financial market infrastructures, health, drinking water supply and distribution, and digital infrastructure sectors; and
- certain “digital service providers” that offer services within the EU, namely online marketplaces, online search engines and cloud computing services, excluding small/micro enterprises. (For more background, see previous posts.)
At the time, it was agreed that supervision by competent authorities should be lighter-touch for emerging digital services providers compared to operators of essential services. Accordingly, the current law provides that competent authorities should only take action against digital services providers when provided with evidence of non-compliance and “should therefore have no general obligation to supervise digital services providers”.
Evaluation of the law leading to expanding its scope
Last year, the Commission evaluated the NIS Directive’s effectiveness and identified various concerns, including the expanding threat landscape and volume of cyber-attacks, generally low level of cyber resilience of EU businesses, and inconsistencies in the level of resilience across the EU. NIS2 is an attempt to respond to and remedy these issues.
To start with, NIS2 eliminates the distinction between operators of essential services and digital service providers, as well as the current complex process to identify operators of essential services. Instead, the proposed revised law covers “important entities” and “essential entities”, and these designations cover companies in a much broader range of sectors than in the current NIS Directive:
- “Essential entities” includes operators of essential services in the sectors listed in the NIS Directive (see above); organizations in additional sectors, including pharmaceutical research and development and manufacturers of medical devices; and digital infrastructure services (e.g., cloud computing providers, DNS service providers, and content delivery network providers);
- “Important entities” includes postal and waste management services, food production and distribution, and digital providers (namely online marketplaces, search engines and social networks).
A major shift here is categorizing cloud computing providers as essential entities.
More detailed cybersecurity obligations
Essential and important entities will be subject to the same substantive obligations under NIS2. Broadly, these are intended to ensure that they can detect and manage the risks to their networks and information systems, and include requirements to:
- put governance structures in place to manage cybersecurity risk, including by conducting risk assessments and putting crisis management plans in place. A “management body” of an entity, likely the board, will be required to approve the risk management measures the entity will take and be held accountable for non-compliance;
- consider security matters when acquiring and developing network and information systems;
- consider and manage supply chain security risks, including the security of their hardware and software suppliers, and providers of data storage or managed security services;
- use cryptography and encryption where appropriate and proportionate to the cybersecurity risk; and
- notify the relevant competent authority and, where applicable, their clients of “any incident having a significant impact on the provision of their services” (Article 20(1)).
One interesting and potentially concerning aspect of NIS2 is that, in addition to reporting “incidents” as described above, organizations would also have to report “any significant cyber threat that those entities identify that could have potentially resulted in a significant incident”, i.e., near misses as well as actual incidents.
Oversight, vulnerabilities and enforcement
Like the NIS Directive, NIS2 obliges Member States to establish national cybersecurity frameworks, including a cybersecurity strategy, crisis management framework, competent authorities and computer security incident response team.
A new requirement is that competent authorities must maintain a list of known vulnerabilities in network and information systems, and pool them in a centralized database — similar to the United States’ National Vulnerability Database. NIS2 proposes that ENISA will manage this database, which will be open to all “interested parties”, such as academics and other researchers.
At a European level, the NIS Cooperation Group (composed of national cybersecurity agencies, ENISA, and the Commission) may conduct “coordinated security risk assessments” of supply chains for ICT systems, services and products specified as “critical” by the Commission.
In terms of specific enforcement, “essential” entities will be subject to ex ante regulation. This means that competent authorities will be able to carry out inspections, regular audits and information requests on these entities at any time — even if there is no evidence of non-compliance. Competent authorities are given new powers to issue warnings, suspend authorisations and licenses, designate a monitoring officer to oversee compliance, and temporarily suspend a company’s chief executive or legal representative if they fail to remedy a sustained breach.
By contrast, “important” entities will be regulated ex post. This means that competent authorities will only assess their compliance with NIS2 as part of an investigation following a breach of the Directive or cybersecurity incident. Competent authorities have most of the same powers in relation to important entities as they do in relation to essential entities.
Competent authorities can impose administrative fines on essential and important entities. NIS2 states that, at a minimum, Member States must permit competent authorities to impose fines of up to the higher of EUR 10m or 2% of the worldwide annual turnover of the “undertaking” involved (note that this mirrors the language of the GDPR). However, Member States have the ability to permit competent authorities to impose higher fining thresholds. The proposed new minimum fine level is notably higher than existing thresholds implemented by many Member States under the NIS Directive.
Finally, essential and important entities will, as a rule, be deemed to be under the jurisdiction of the Member State where they provide their services. However, certain types of entities, including cloud computing service providers, will be deemed to be under the jurisdiction of the Member State in which they have their “main establishment” in the Union. NIS2 provides more detail than the current law on what constitutes a “main establishment”, and provides for authorities to provide mutual assistance in cross-border cases.
Critical Entities Resilience Directive
In addition to NIS2, the Commission published a proposed Critical Entities Resilience Directive that expands the scope of the current European Critical Infrastructure Directive (2008/114/EC). Whereas the Critical Infrastructure Directive only applies in the energy and transport sectors, the Commission’s proposed new law would widen the scope dramatically, bringing (among others) certain financial services entities, the health and space sectors, and digital infrastructure providers into scope.
The proposed Directive would also oblige Member States to adopt a national strategy for ensuring the resilience of critical entities in these sectors, and to carry out regular risk assessments.
Next steps
The two proposed Directives are at the early stages of the legislative process, and are open for feedback until 11 March 2021. In each case, the European Parliament and Council will need to agree their positions, before the three institutions negotiate the final text and bring them into force. We will be monitoring developments in all these areas in the coming months.