In addition to releasing the new EU Cybersecurity Strategy before the holidays (see our post here), the Commission published a revised Directive on measures for a high common level of cybersecurity across the Union (“NIS2”) and a Directive on the resilience of critical entities (“Critical Entities Resilience Directive”). In this blog post, we summarize key points relating to NIS2, including more onerous security and incident reporting requirements; extending requirements to companies in the food, pharma, medical device, and chemical sectors, among others; and increased powers for regulators, including the ability to impose multi-million Euro fines.

The Commission is seeking feedback on NIS2 and the Critical Entities Resilience Directive, and recently extended its original deadline of early February to March 11, 2021 (responses can be submitted here and here).

Proposal for NIS2

As many readers will be aware, the European institutions passed Directive 2016/1148 (“NIS Directive”) back in 2016 around the same time as the GDPR.  This was the first-ever “horizontal” cybersecurity law in Europe, i.e., that did not focus exclusively on a single sector.  The NIS Directive imposes baseline security and incident reporting obligations on:

  • “operators of essential services”, designated by Member States, within the energy, transport, banking, financial market infrastructures, health, drinking water supply and distribution, and digital infrastructure sectors; and
  • certain “digital service providers” that offer services within the EU, namely online marketplaces, online search engines and cloud computing services, excluding small/micro enterprises. (For more background, see previous posts.)

At the time, it was agreed that supervision by competent authorities should be lighter-touch for emerging digital services providers compared to operators of essential services.  Accordingly, the current law provides that competent authorities should only take action against digital services providers when provided with evidence of non-compliance and “should therefore have no general obligation to supervise digital services providers”.

Evaluation of the law leading to expanding its scope

Last year, the Commission evaluated the NIS Directive’s effectiveness and identified various concerns, including the expanding threat landscape and volume of cyber-attacks, generally low level of cyber resilience of EU businesses, and inconsistencies in the level of resilience across the EU.  NIS2 is an attempt to respond to and remedy these issues.

To start with, NIS2 eliminates the distinction between operators of essential services and digital service providers, as well as the current complex process to identify operators of essential services.  Instead, the proposed revised law covers “important entities” and “essential entities”, and these designations cover companies in a much broader range of sectors than in the current NIS Directive:

  • “Essential entities” includes operators of essential services in the sectors listed in the NIS Directive (see above); organizations in additional sectors, including food production and distribution, pharmaceutical research and development, and manufacturers of medical devices; and digital infrastructure services (e.g., cloud computing providers, DNS service providers, and content delivery network providers);
  • “Important entities” includes postal and waste management, food production and distribution, and digital providers (namely online marketplaces, search engines and social networks).

A major shift here is categorizing cloud computing providers as essential entities.

More detailed cybersecurity obligations

Essential and important entities will be subject to the same substantive obligations under NIS2.  Broadly, these are intended to ensure that they can detect and manage the risks to their networks and information systems, and include requirements to:

  • put governance structures in place to manage cybersecurity risk, including by conducting risk assessments and putting crisis management plans in place. A “management body” of an entity, likely the board, will be required to approve the risk management measures the entity will take and be held accountable for non-compliance;
  • consider security matters when acquiring and developing network and information systems;
  • consider and manage supply chain security risks, including the security of their hardware and software suppliers, and providers of data storage or managed security services;
  • use cryptography and encryption where appropriate and proportionate to the cybersecurity risk; and
  • notify the relevant competent authority and, where applicable, their clients of “any incident having a significant impact on the provision of their services” (Article 20(1)).

One interesting and potentially concerning aspect of NIS2 is that, in addition to having to report “incidents” as described above, it proposes that organizations must report “any significant cyber threat that those entities identify that could have potentially resulted in a significant incident”.

Oversight, vulnerabilities and enforcement

Like the NIS Directive, NIS2 obliges Member States to establish national cybersecurity frameworks, including a cybersecurity strategy, crisis management framework, competent authorities and computer security incident response team.

A new requirement is that competent authorities must maintain a list of known vulnerabilities in network and information systems, and pool them in a centralized database — similar to the United States’ National Vulnerability Database.  NIS2 proposes that ENISA will manage this database, which will be open to all “interested parties”, such as academics and other researchers.

At a European level, the NIS Cooperation Group (composed of national cybersecurity agencies, ENISA, and the Commission) may conduct “coordinated security risk assessments” of supply chains for ICT systems, services and products specified as “critical” by the Commission.

In terms of specific enforcement, “essential” entities will be subject to ex ante regulation.  This means that competent authorities will be able to carry out inspections, regular audits and information requests on these entities at any time — even if there is no evidence of non-compliance.  Competent authorities are given new powers to issue warnings, suspend authorisations and licenses, designate a monitoring officer to oversee compliance, and temporarily suspend a company’s chief executive or legal representative if they fail to remedy a sustained breach.

By contrast, “important” entities will be regulated ex post.  This means that competent authorities will only assess their compliance with NIS2 as part of an investigation following a breach of the Directive or cybersecurity incident.  Competent authorities have most of the same powers in relation to important entities as they do in relation to essential entities.

Competent authorities can impose administrative fines on essential and important entities. NIS2 states that, at a minimum, Member States must permit competent authorities to impose fines of up to the higher of EUR 10m or 2% of the worldwide annual turnover of the “undertaking” involved (note that this mirrors the language of the GDPR).  However, Member States have the ability to permit competent authorities to impose higher fining thresholds.  The proposed new minimum fine level is notably higher than existing thresholds implemented by many Member States under the NIS Directive.

Finally, essential and important entities will, as a rule, be deemed to be under the jurisdiction of the Member State where they provide their services.  However, certain types of entities, including cloud computing service providers, will be deemed to be under the jurisdiction of the Member State in which they have their “main establishment” in the Union.  NIS2 provides more detail than the current law on what constitutes a “main establishment”, and provides for authorities to provide mutual assistance in cross-border cases.

Critical Entities Resilience Directive

In addition to NIS2, the Commission published a proposed Critical Entities Resilience Directive that expands the scope of the current European Critical Infrastructure Directive (2008/114/EC).  Whereas the Critical Infrastructure Directive only applies in the energy and transport sectors, the Commission’s proposed new law would widen the scope dramatically, bringing (among others) certain financial services entities, the health and space sectors, and digital infrastructure providers into scope.

The proposed Directive would also oblige Member States to adopt a national strategy for ensuring the resilience of critical entities in these sectors, and to carry out regular risk assessments.

Next steps

The two proposed Directives are at the early stages of the legislative process, and are open for feedback until 11 March 2021.  In each case, the European Parliament and Council will need to agree their positions, before the three institutions negotiate the final text and bring them into force.  We will be monitoring developments in all these areas in the coming months.

Mark Young


Mark Young advises clients on data protection, cybersecurity and other tech regulatory matters. He has particular expertise in product counselling, GDPR regulatory investigations, and legislative advocacy. Mr. Young leads on EU cybersecurity regulatory matters, and helps to oversee our internet enforcement team.

He has been recognized in Chambers UK as “a trusted adviser – practical, results-oriented and an expert in the field.” Recent editions note that he is “deeply knowledgeable in the area of privacy and data protection,” “fast, thorough and responsive,” and has “great insight into the regulators.”

Mr. Young has over 15 years of experience advising global companies, particularly in the technology, health and pharmaceutical sectors, on all aspects of data protection and security. This includes providing practical guidance on analyzing and using personal data, transferring personal data across borders, and potential liability exposure. He specializes in advising in relation to new products and services, and providing strategic advice and advocacy on a range of EU law reform issues and references to the EU Court of Justice.

For cybersecurity matters, he counsels clients on practices to protect business-critical information and comply with national and sector-specific regulation, and on preparing for and responding to cyber-based attacks and internal threats to their networks and information. He has helped a range of organizations respond to cyber and data security incidents – including external data breaches and insider theft of trade secrets – through the stages of initial detection, containment, notification, recovery and remediation.

In the IP enforcement space, Mr. Young represents right owners in the sport, media, publishing, fashion and luxury goods industries, and helps coordinate a team of internet investigators that has nearly two decades of experience conducting global notice and takedown programs to combat internet piracy.