On 16 December 2020, the EU released its proposed revisions to the existing Directive 2016/1148 on the security of network and information systems (NIS2).
The proposals, which were announced as a key component of the EU’s new Cybersecurity Strategy, are intended to build on and repeal the existing NIS framework. They involve a number of significant changes being made to the existing regime, including widening the scope of the law’s application to additional industry sectors, strengthening the existing rules on security requirements and incident reporting, while also increasing the maximum fines that can be applied.
NIS2 comes just over two years after the original NIS Directive 2016/1148 ("NIS1") was intended to take effect across EU Member States. It has been introduced in order to address various criticisms and issues identified with NIS1 and to reflect the increasingly widespread digitisation of the European economy, which has accelerated further during the COVID-19 pandemic.
Key changes to existing regime
While the underlying purpose of NIS2 remains the same, there are various notable changes that are being proposed which may substantially impact organisations in the future, including:
- Additional industry sectors brought within scope
A number of additional industry sectors will fall within the scope of NIS2, as part of a new definition of ‘important entities’. These include digital providers (social networks, marketplaces and search engines), pharmaceutical companies, manufacturers of medical and electronic equipment and courier services.
- Distinction between operators of essential services and digital service providers removed
The previous distinction between ‘operators of essential services’ and ‘digital service providers’ will be dispensed with; both will be combined into a single category of ‘essential entities’, which will be subject to the most stringent standards of supervision. Relevant sectors that will fall within this category include financial services, energy, transport and digital infrastructure (e.g. cloud service providers and data centres).
- 24-hour breach notification requirements
The obligation under NIS1 to notify security incidents without undue delay has been notably strengthened. Organisations that are considered either essential or important entities will now be required to provide an initial notification, to both the relevant authority and affected users, within 24 hours of becoming aware of a security incident that has a significant impact on the provision of their services.
- Enhanced risk management and security measures
Information security obligations have been bolstered through the introduction of specific requirements. Both essential and important entities will be expected to have in place various measures, such as risk analysis and information security policies, plans for incident response, business continuity and crisis management, as well as robust processes for managing cyber risks within the supply chain.
- Governance by senior management
Senior management will take on additional responsibilities for approving the adequacy of the risk management and security measures referred to above. This will include both supervising the implementation of appropriate security standards and being accountable for non-compliance.
- Enhanced supervision and enforcement
Member States will be required to provide their relevant competent authority with specific powers, including the right to issue fines of up to €10m or 2% of annual worldwide turnover (whichever is higher) for the most serious infringements. Essential entities will be subject to proactive supervision (‘ex ante’), which shall include the potential for random inspections and security scans of an organisation’s systems for vulnerabilities. By comparison, important entities will only be subject to reactive enforcement (‘ex post’) if an infringement comes to the attention of the competent authority. However, the same level of fines will apply and audits can be undertaken.
The introduction of NIS2 will occur in parallel with a new proposed directive concerning the resilience of critical entities in sectors such as energy and transport. This also forms part of the same package of measures announced as part of the EU’s new cybersecurity strategy. The directive will require Member States to identify critical entities that operate within their jurisdiction and imposes additional obligations on such entities which go beyond the scope of NIS2, such as undertaking appropriate technical and organisational measures to ensure the resilience of their operations.
The NIS2 proposal will now be subject to negotiations between the Council of the EU and European Parliament. Following the publication of the final version, Member States will be given 18 months to transpose the Directive into national law.