EU seeks to bolster cybersecurity regulation with the introduction of NIS 2.0

Hogan Lovells
On 16 December 2020, the EU released its proposed revisions to the existing Directive 2016/1148 on the security of network and information systems (NIS2).

The proposals, announced as a key component of the EU’s new Cybersecurity Strategy, are intended to build on and repeal the existing NIS framework. They involve a number of significant changes to the existing regime, including widening the scope of the law’s application to additional industry sectors, strengthening the existing rules on security requirements and incident reporting, and increasing the maximum fines that can be applied.

NIS2 comes just over two years after the original NIS Directive 2016/1148 ("NIS1") was intended to take effect across EU Member States. It has been introduced in order to address various criticisms and issues identified with NIS1 and to reflect the increasingly widespread digitisation of the European economy, which has accelerated further during the COVID-19 pandemic.

Key changes to existing regime

While the underlying purpose of NIS2 remains the same, there are various notable changes that are being proposed which may substantially impact organisations in the future, including:

  • New sectors introduced

A number of additional industry sectors will fall within the scope of NIS2, as part of a new definition of ‘important entities’. These include digital providers (social networks, marketplaces and search engines), pharmaceutical companies, manufacturers of medical and electronic equipment and courier services.

  • Distinction between operators of essential services and digital service providers removed

The previous distinction between ‘operators of essential services’ and ‘digital service providers’ will be dispensed with and combined into a single category of ‘essential entities’, which will be subject to the most stringent standards of supervision. Relevant sectors that will fall within this category include financial services, energy, transport and digital infrastructure (e.g. cloud service providers and data centres).

  • 24-hour breach notification requirements

The obligation under NIS1 to notify security incidents without undue delay has been notably strengthened. Organisations that are considered either essential or important entities will now be required to provide an initial notification, to both the relevant authority and affected users, within 24 hours of becoming aware of a security incident which has a significant impact on the provision of their services.

  • Enhanced risk management and security measures

Information security obligations have been bolstered through the introduction of specific requirements. Both essential and important entities will be expected to have in place various measures, such as risk analysis and information security policies, plans for incident response, business continuity and crisis management, as well as robust processes for managing cyber risks within the supply chain.

  • Governance by senior management

Senior management will take on additional responsibilities for approving the adequacy of the risk management and security measures referred to above. This will include both supervising the implementation of appropriate security standards and being accountable for non-compliance.

  • Enhanced supervision and enforcement

Member States will be required to provide their relevant competent authority with specific powers, including the right to issue fines of up to €10m or 2% of annual worldwide turnover (whichever is higher) for the most serious infringements. Essential entities will be subject to proactive supervision (‘ex ante’), which may include random inspections and security scans of an organisation’s systems for vulnerabilities. By comparison, important entities will only be subject to reactive enforcement (‘ex post’) if an infringement comes to the attention of the competent authority. However, the same level of fines will apply and audits can be undertaken.

The introduction of NIS2 will occur in parallel with a new proposed directive concerning the resilience of critical entities in sectors such as energy and transport. This also forms part of the same package of measures announced under the EU’s new cybersecurity strategy. The directive will require Member States to identify critical entities that operate within their jurisdiction and imposes additional obligations on such entities which go beyond the scope of NIS2, such as undertaking appropriate technical and organisational measures to ensure the resilience of their operations.

Next steps

The NIS2 proposal will now be subject to negotiations between the Council of the EU and European Parliament. Following the publication of the final version, Member States will be given 18 months to transpose the Directive into national law.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Hogan Lovells | Attorney Advertising