NIS2 is intended to update the existing Directive 2016/1148 (the Network and Information Security Directive (NIS1)) which took effect in May 2018. It seeks to address a number of limitations that the European Commission identified with the current framework. These included concerns about being able to adequately protect against and collectively respond to major cybersecurity incidents that affect the single market and ensuring that the rules adequately reflect the increased digitisation across sectors which provide essential services.
The final detail of NIS2 is subject to the outcome of negotiations between the EU institutions and the following is primarily based on the latest text proposed by the Council of the EU.
What are the key changes in NIS2?
Widened scope of application
While NIS1 includes distinct rules for ‘operators of essential services’ (OESs) and ‘digital service providers’ (DSPs), NIS2 proposes to merge these entities under the heading of ‘essential and important entities’ and expand their scope to cover a wider group of sectors.
Organisations that are proposed to be subject to NIS2, which were not previously subject to NIS1, include (among others) certain healthcare providers, pharmaceuticals, ICT managed service providers, courier services, manufacturers, entities involved in the food chain, waste and water management, public administration entities, operators of ground-based infrastructure supporting space-based services, digital infrastructure (eg content delivery networks and data centre service providers), social networks and providers of electronic communications networks or services.
The text of NIS2 proposed by the Council of the EU in December 2021 suggests a number of significant changes as compared with the initial proposals, including further exclusions for certain entities operating in defence or national security, public security, law enforcement and the judiciary, as well as parliaments and central banks.
Strengthening of security governance measures
The requirement for relevant organisations to implement appropriate and proportionate technical and organisational security measures to manage the risks posed by network and information systems is retained, but further supplemented with additional governance requirements. This includes making senior management accountable for ensuring that the security standards deployed by their organisation are sufficient, through approving the risk management measures that are in place and having oversight over their implementation.
Additionally, NIS2 expands on what practical steps organisations are expected to take in order to meet their security governance obligations. This includes ensuring that appropriate risk analyses are performed, supply-chain security risks are adequately addressed and processes are in place to sufficiently prevent, detect, respond to and recover from security incidents. Where an organisation detects vulnerabilities or deficiencies in its current security measures, all necessary corrective measures need to be taken without undue delay.
Expansion of incident reporting obligations
The obligation to notify the relevant competent authorities about security incidents has been retained, with notifications being triggered where the incident results in a ‘significant impact’ on the provision of that organisation’s services. What constitutes a significant impact has been modified as compared with NIS1, with the emphasis for DSPs on the total users impacted being removed. Instead, an incident will be considered significant where it either causes (or has the potential to cause) severe operational disruption of the service, financial losses for the entity concerned or results in considerable material or non-material losses for other natural or legal persons.
Additionally, the timelines and process for making notifications to competent authorities have been modified. NIS2 envisages that the maximum 72-hour notification window will be reduced to 24 hours, but with only an initial notification needing to be provided within that window. Organisations will then generally be expected to follow up with a final report within one month.
Finally, and perhaps most notably, the reforms include proposals to expand incident reporting to include the recipients of the relevant organisation’s services and, in the most serious cases, the general public. The Commission’s text is somewhat ambiguous on when reports to recipients would be required, with the trigger currently being where it is considered ‘appropriate’ to notify. By comparison, the public would only be informed by the relevant authorities where it is considered ‘necessary’ to prevent an incident or deal with an ongoing incident or where disclosure of the incident is otherwise in the public interest.
Increased fines and broadening of sanctions
Whereas NIS1 delegates the determination of sanctions to each Member State, NIS2 mandates a more comprehensive set of powers that it expects to be conferred on competent authorities. This includes requiring that the maximum level of administrative fines set in each Member State is at least equal to a fixed amount or 2% of worldwide turnover for essential entities. However, the minimum fixed amount remains uncertain, with the Council of the EU proposing €4m rather than €10m.
Other investigatory and enforcement options are also introduced, including the right for competent supervisory authorities to undertake on-site inspections, perform security audits, request the delivery of information, order the cessation of certain conduct and order remediation of inadequate risk management measures.
What about parallel reforms in the UK?
The NIS2 proposals offer a useful comparator with the UK government’s own proposals for reforming the legacy Network and Information Systems Regulations 2018, SI 2018/506, which remain in place following Brexit. While the UK is not envisaging the same degree of wholesale reform that is contemplated by the EU, the proposals published for consultation in January 2022 suggest the following changes to the current law:
- expansion of the definition of DSPs to include managed service providers, which would be broadly defined and incorporate a wider set of infrastructure-based services and data centres
- introducing a proactive regulatory regime for DSPs that are considered critical to the UK, while retaining the existing reactive position for other organisations
- expansion of the incident reporting requirements to cover incidents that do not affect the continuity of the service directly, but nonetheless pose a significant risk to the security and resilience of the entity in question (eg ransomware attacks)
Assuming the UK and EU reforms are implemented as planned, the result will be a significant new divergence between UK and EU cybersecurity laws.
What are the next steps?
The current French presidency of the Council of the European Union has indicated that they are looking to reach a deal on the NIS2 text within the course of their current term, which is due to end in June 2022. From the date on which the final text is published, organisations will then likely have a period of two years to prepare prior to the NIS2 Directive taking effect.
Authored by Dan Whitehead.
This article was first published by LexisNexis on 24 February 2022.