In addition to releasing the new EU Cybersecurity Strategy before the holidays (see our post here), the Commission published a revised Directive on measures for a high common level of cybersecurity across the Union (“NIS2”) and a Directive on the resilience of critical entities (“Critical Entities Resilience Directive”). In this blog post, we summarize key points relating to NIS2, including more onerous security and incident reporting requirements; extending requirements to companies in the food, pharma, medical device, and chemical sectors, among others; and increased powers for regulators, including the ability to impose multi-million Euro fines.

The Commission is seeking feedback on NIS2 and the Critical Entities Resilience Directive, and recently extended its original deadline of early February to March 11, 2021 (responses can be submitted here and here).

Proposal for NIS2

As many readers will be aware, the European institutions passed Directive 2016/1148 (“NIS Directive”) back in 2016 around the same time as the GDPR.  This was the first-ever “horizontal” cybersecurity law in Europe, i.e., that did not focus exclusively on a single sector.  The NIS Directive imposes baseline security and incident reporting obligations on:

  • “operators of essential services”, designated by Member States, within the energy, transport, banking, financial market infrastructures, health, drinking water supply and distribution, and digital infrastructure sectors; and
  • certain “digital service providers” that offer services within the EU, namely online marketplaces, online search engines and cloud computing services, excluding small/micro enterprises. (For more background, see previous posts.)

At the time, it was agreed that supervision by competent authorities should be lighter-touch for emerging digital services providers compared to operators of essential services.  Accordingly, the current law provides that competent authorities should only take action against digital services providers when provided with evidence of non-compliance and “should therefore have no general obligation to supervise digital services providers”.

Evaluation of the law leading to expanding its scope

Last year, the Commission evaluated the NIS Directive’s effectiveness and identified various concerns, including the expanding threat landscape and volume of cyber-attacks, generally low level of cyber resilience of EU businesses, and inconsistencies in the level of resilience across the EU.  NIS2 is an attempt to respond to and remedy these issues.

To start with, NIS2 eliminates the distinction between operators of essential services and digital service providers, as well as the current complex process to identify operators of essential services.  Instead, the proposed revised law covers “important entities” and “essential entities”, and these designations cover companies in a much broader range of sectors than in the current NIS Directive:

  • “Essential entities” includes operators of essential services in the sectors listed in the NIS Directive (see above); organizations in additional sectors, including food production and distribution, pharmaceutical research and development, and manufacturers of medical devices; and digital infrastructure services (e.g., cloud computing providers, DNS service providers, and content delivery network providers);
  • “Important entities” includes postal and waste management, food production and distribution, and digital providers (namely online marketplaces, search engines and social networks).

A major shift here is categorizing cloud computing providers as essential entities.

More detailed cybersecurity obligations

Essential and important entities will be subject to the same substantive obligations under NIS2.  Broadly, these are intended to ensure that they can detect and manage the risks to their networks and information systems, and include requirements to:

  • put governance structures in place to manage cybersecurity risk, including by conducting risk assessments and putting crisis management plans in place. A “management body” of an entity, likely the board, will be required to approve the risk management measures the entity will take and be held accountable for non-compliance;
  • consider security matters when acquiring and developing network and information systems;
  • consider and manage supply chain security risks, including the security of their hardware and software suppliers, and providers of data storage or managed security services;
  • use cryptography and encryption where appropriate and proportionate to the cybersecurity risk; and
  • notify the relevant competent authority and, where applicable, their clients of “any incident having a significant impact on the provision of their services” (Article 20(1)).

One interesting and potentially concerning aspect of NIS2 is that, in addition to having to report “incidents” as described above, it proposes that organizations must report “any significant cyber threat that those entities identify that could have potentially resulted in a significant incident”.

Oversight, vulnerabilities and enforcement

Like the NIS Directive, NIS2 obliges Member States to establish national cybersecurity frameworks, including a cybersecurity strategy, crisis management framework, competent authorities and computer security incident response team.

A new requirement is that competent authorities must maintain a list of known vulnerabilities in network and information systems, and pool them in a centralized database — similar to the United States’ National Vulnerability Database.  NIS2 proposes that ENISA will manage this database, which will be open to all “interested parties”, such as academics and other researchers.

At a European level, the NIS Cooperation Group (composed of national cybersecurity agencies, ENISA, and the Commission) may conduct “coordinated security risk assessments” of supply chains for ICT systems, services and products specified as “critical” by the Commission.

In terms of specific enforcement, “essential” entities will be subject to ex ante regulation.  This means that competent authorities will be able to carry out inspections, regular audits and information requests on these entities at any time — even if there is no evidence of non-compliance.  Competent authorities are given new powers to issue warnings, suspend authorisations and licenses, designate a monitoring officer to oversee compliance, and temporarily suspend a company’s chief executive or legal representative if they fail to remedy a sustained breach.

By contrast, “important” entities will be regulated ex post.  This means that competent authorities will only assess their compliance with NIS2 as part of an investigation following a breach of the Directive or cybersecurity incident.  Competent authorities have most of the same powers in relation to important entities as they do in relation to essential entities.

Competent authorities can impose administrative fines on essential and important entities. NIS2 states that, at a minimum, Member States must permit competent authorities to impose fines of up to the higher of EUR 10m or 2% of the worldwide annual turnover of the “undertaking” involved (note that this mirrors the language of the GDPR).  However, Member States have the ability to permit competent authorities to impose higher fining thresholds.  The proposed new minimum fine level is notably higher than existing thresholds implemented by many Member States under the NIS Directive.

Finally, essential and important entities will, as a rule, be deemed to be under the jurisdiction of the Member State where they provide their services.  However, certain types of entities, including cloud computing service providers, will be deemed to be under the jurisdiction of the Member State in which they have their “main establishment” in the Union.  NIS2 provides more detail than the current law on what constitutes a “main establishment”, and provides for authorities to provide mutual assistance in cross-border cases.

Critical Entities Resilience Directive

In addition to NIS2, the Commission published a proposed Critical Entities Resilience Directive that expands the scope of the current European Critical Infrastructure Directive (2008/114/EC).  Whereas the Critical Infrastructure Directive only applies in the energy and transport sectors, the Commission’s proposed new law would widen the scope dramatically, bringing (among others) certain financial services entities, the health and space sectors, and digital infrastructure providers into scope.

The proposed Directive would also oblige Member States to adopt a national strategy for ensuring the resilience of critical entities in these sectors, and to carry out regular risk assessments.

Next steps

The two proposed Directives are at the early stages of the legislative process, and are open for feedback until 11 March 2021.  In each case, the European Parliament and Council will need to agree their positions, before the three institutions negotiate the final text and bring them into force.  We will be monitoring developments in all these areas in the coming months.

Mark Young is an experienced tech regulatory lawyer and a vice-chair of Covington’s Data Privacy and Cybersecurity Practice Group. He advises major global companies on their most challenging data privacy compliance matters and investigations. Mark also leads on EMEA cybersecurity matters at the firm. In these contexts, he has worked closely with some of the world’s leading technology and life sciences companies and other multinationals.

Mark has been recognized for several years in Chambers UK as “a trusted adviser – practical, results-oriented and an expert in the field;” “fast, thorough and responsive;” “extremely pragmatic in advice on risk;” “provides thoughtful, strategic guidance and is a pleasure to work with;” and has “great insight into the regulators.” According to the most recent edition (2024), “He’s extremely technologically sophisticated and advises on true issues of first impression, particularly in the field of AI.”

Drawing on over 15 years of experience, Mark specializes in:

  • Advising on potential exposure under GDPR and international data privacy laws in relation to innovative products and services that involve cutting-edge technology, e.g., AI, biometric data, and connected devices.
  • Providing practical guidance on novel uses of personal data, responding to individuals exercising rights, and data transfers, including advising on Binding Corporate Rules (BCRs) and compliance challenges following Brexit and Schrems II.
  • Helping clients respond to investigations by data protection regulators in the UK, EU and globally, and advising on potential follow-on litigation risks.
  • Counseling ad networks (demand and supply side), retailers, and other adtech companies on data privacy compliance relating to programmatic advertising, and providing strategic advice on complaints and claims in a range of jurisdictions.
  • Advising life sciences companies on industry-specific data privacy issues, including:
    • clinical trials and pharmacovigilance;
    • digital health products and services; and
    • engagement with healthcare professionals and marketing programs.
  • International conflict of law issues relating to white collar investigations and data privacy compliance (collecting data from employees and others, international transfers, etc.).
  • Advising various clients on the EU NIS2 Directive and UK NIS regulations and other cybersecurity-related regulations, particularly (i) cloud computing service providers, online marketplaces, social media networks, and other digital infrastructure and service providers, and (ii) medical device and pharma companies, and other manufacturers.
  • Helping a broad range of organizations prepare for and respond to cybersecurity incidents, including personal data breaches, IP and trade secret theft, ransomware, insider threats, supply chain incidents, and state-sponsored attacks. Mark’s incident response expertise includes:
    • supervising technical investigations and providing updates to company boards and leaders;
    • advising on PR and related legal risks following an incident;
    • engaging with law enforcement and government agencies; and
    • advising on notification obligations and other legal risks, and representing clients before regulators around the world.
  • Advising clients on risks and potential liabilities in relation to corporate transactions, especially involving companies that process significant volumes of personal data (e.g., in the adtech, digital identity/anti-fraud, and social network sectors).
  • Providing strategic advice and advocacy on a range of UK and EU technology law reform issues including data privacy, cybersecurity, ecommerce, eID and trust services, and software-related proposals.
  • Representing clients in connection with references to the Court of Justice of the EU.