On 16 December 2020, the European Commission launched the EU’s new Cybersecurity Strategy for the Digital Decade, seeking to bolster Europe’s cyber resilience and step up the EU’s leadership in cybersecurity regulation.
The announcement could not have come at a better time, just days after a cyberattack against the European Medicines Agency exposed sensitive information on two Covid-19 vaccines and at a moment when the SolarWinds breach unravels into possibly the most consequential cyber incident ever, affecting businesses across all sectors, public administrations and governments worldwide. “The time of innocence is over. We know that we are a target,” Commission Vice-President Margaritis Schinas told reporters when presenting the proposals last week.
In addition to announcing a number of investment and policy instruments, including the set-up of an ‘EU Cyber Shield’ (a European early detection system powered by artificial intelligence) and a ‘Joint Cyber Unit’ to respond collectively to cyber incidents and threats, the new strategy anticipates significant regulatory change. The highlights of the proposed regulatory package, which will affect many public and private entities doing business in the EU, are summarised below.
Proposal for a NIS 2 Directive
In 2016, the NIS Directive introduced the first piece of EU-wide legislation imposing cybersecurity requirements and incident reporting obligations on operators of essential services and digital service providers. Just two years after the deadline for EU Member States to transpose the NIS Directive into national law, and following a review process accelerated by the Covid-19 pandemic, the European Commission is now proposing a revamp announced as the ‘NIS 2 Directive’.
The Commission’s proposal seeks to “modernise” the current regime to take account of the evolving cybersecurity threat landscape and address “several weaknesses that prevented the NIS Directive from unlocking its full potential” (see Explanatory Memorandum, at p. 1). Here are the key changes proposed:
If adopted, the proposed NIS 2 Directive would apply alongside sector-specific lex specialis, including the proposed Directive on the Resilience of Critical Entities for critical infrastructure (discussed below) and the recently proposed ‘DORA’ Regulation on digital operational resilience for the financial sector. However, a sector-specific lex specialis will prevail to the extent it imposes cybersecurity risk management or notification obligations of at least an equivalent effect to the obligations set out in the NIS 2 Directive.
The proposed NIS 2 Directive is open for feedback until 15 February 2021.
Proposal for a Critical Entities Resilience Directive
Acknowledging the increasing interconnection and interdependency between physical and digital infrastructures, in addition to the proposed NIS 2 Directive, the European Commission is also looking to enhance the resilience of critical entities against physical threats by replacing the current 2008 European Critical Infrastructure Directive with a new Critical Entities Resilience Directive. The new Critical Entities Resilience Directive would expand the scope of the existing EU rules on critical infrastructure from two (energy and transport) to ten sectors, covering energy, transport, banking, financial market infrastructures, health, drinking water, wastewater, digital infrastructure, public administration and space. By advancing the expectation that entities designated as critical entities under the Critical Entities Resilience Directive at the national level will also classify as essential entities subject to the proposed NIS 2 Directive, the European Commission seeks to subject those critical entities to more general resilience-enhancing obligations in order to address both cyber and non-cyber risks.
As with the proposed NIS 2 Directive, the proposed Critical Entities Resilience Directive is open for feedback until 15 February 2021.
5G Security, EU Cyber Sanctions Regime and an ‘Internet of Secure Things’
As part of last week’s announcement, the European Commission also reiterated its commitment to other regulatory initiatives in the area of cybersecurity, including with respect to 5G security, the EU’s autonomous cyber sanctions regime and an ‘Internet of Secure Things’.
The European Commission’s proposals will now need to go through the legislative process, and be discussed by – and agreed between – the European Parliament and the EU Member States via the Council. Whilst it may take a number of years for the rules to be adopted, implemented and become enforceable, the proposals put forward by the European Commission clearly set the tone for what is about to come.
Keep up with this channel for more detailed analyses of the proposed NIS 2 Directive, the proposed Critical Entities Resilience Directive and the proposed DORA Regulation, and how these will be relevant to your business.