The European Council and European Parliament recently reached a provisional agreement on the text for the EU's proposed Directive on minimum cybersecurity standards to be implemented across the EU (NIS2). The text is expected to be formally adopted in the coming months. NIS2 seeks to replace and strengthen the EU's current Network and Information Society Directive (NIS Directive) and applies to certain essential and important entities operating in a defined list of sectors, including commonly considered critical infrastructure entities.
Key developments arising from NIS2 include:
- Broader scope: NIS2 applies to a broader scope of sectors and entities than those covered by the current NIS Directive.
- “Management body” oversight and accountability: NIS2 imposes direct obligations on “management bodies” concerning implementation and supervision of their organisation's compliance with the legislation – leading potentially to fines and temporary ban from discharging managerial functions, including at the senior management C-Suite level.
- Cyber risk management measures – including supply chain diligence: NIS2 requires entities to implement cyber risk management measures, which include security risk mitigation requirements and third party supplier / service due diligence.
- Amended incident reporting requirements: NIS2 imposes notification obligations in phases, including an initial notification within 24 hours of becoming aware of certain incidents or cyber threats (instead of simply “without undue delay” as in the NIS Directive), “intermediate” and “final” reporting obligations.
- Fines and penalties: Member States are granted discretion to set out effective, proportionate and dissuasive penalties for breaches of NIS2, as well as administrative fines for certain breaches of up to EUR 10M or 2% of total worldwide turnover (whichever is higher).
In this article, we outline some of the developments arising from the proposed NIS2 and explain why the legislation is likely to have an impact not only on those organisations that fall directly within scope of the legislation, but also on their suppliers and service providers.
Expanded scope under NIS2
The NIS Directive - current scope
The current NIS Directive was adopted in 2016 as the first EU-wide cybersecurity legislation. Its aim was to achieve a high common level of cybersecurity across the EU, and the legislation focuses on implementing certain risk management and reporting obligations on operators of essential services (OES) (for instance, entities maintaining critical energy, health, or transport infrastructure) and digital services providers (DSP) (certain providers of online marketplaces, online search engines and cloud computing services).
NIS2 - the shift to "essential" and "important entities" and sector expansion
Organisations should take note that NIS2 will apply to a wider pool of entities than currently covered by the NIS Directive. Under NIS2, the pool of in-scope entities will be widened to capture certain "essential" entities (outlined in Annex I of NIS2) and "important" entities (outlined in Annex II of NIS2). Consequently, the distinction currently in place under the NIS Directive surrounding OESs and DSPs will be replaced. Likewise, whilst further clarity on the scope of NIS2 will ultimately be revealed once implemented in the various Member States, NIS2 will broaden the number of sectors that are currently covered under the NIS Directive. For instance, in addition to the sectors covered by the NIS Directive, NIS2 will also cover organisations operating in the following sectors:
- Digital infrastructure and digital providers - including providers of public electronic communications networks or services, social networking services platforms and data centre services
- Waste water and waste management
- Manufacturing of certain critical products (such as pharmaceuticals, medical devices, or chemicals)
- Postal and courier services
- Public administration
Besides covering a greater range of sectors, NIS2 also provides greater detail on which entities in those relevant sectors are subject to the proposed legislation. Whereas currently under the NIS Directive, Member States are responsible for drawing up lists of OESs and DSPs, the NIS2 Directive:
- introduces a size cap so that all medium and large entities that operate in the sectors covered by the new text will have to comply with the requirements contained in NIS2; and
- applies to certain "important" and "essential" entities (irrespective of their size) in particular circumstances, such as:
- entities providing certain public electronic communications networks or publicly available electronic communications services
- top-level domain name registries and domain name system services providers
- entities offering services whereby a potential disruption to those services could have an impact on public safety, public security or public health
- entities offering services whereby a potential disruption to the service could induce systemic risks, particularly in sectors where the disruption could have a cross-border impact
Management Liability for Cybersecurity Risk Management
NIS2 increases the level of responsibility that “management bodies” (in the NIS2 wording) of essential and important entities must take in ensuring compliance with elements of NIS2. It provides for an obligation of the Member States, when implementing NIS2, to ensure that management bodies:
- approve the cybersecurity risk management measures taken by the entity – for instance, the risk management measures surrounding supply chain security diligence;
- supervise the implementation of the risk management measures;
- follow specific, regular training to gain the requisite knowledge and skills to apprehend and assess the cybersecurity risks to their essential or important entity; and
- are held accountable for the non-compliance by the entities.
The practical implication of this requirement is that management bodies of entities falling within scope of NIS2 may be deemed liable where those entities breach their obligations under NIS2. Ultimately, pushing responsibility for cybersecurity risk management to the management level of essential and important entities demonstrates a propensity to ensure that cybersecurity risk management is a senior management responsibility. Management bodies have ultimate responsibility and any failure to recognise that could result in serious consequences, including management liability and administrative fines, as provided for in the implementing national legislation.
The current text of NIS2 does not define what constitutes a "management body", which is an aspect that will ultimately be determined by implementing national legislation in the Member States. However, NIS2 suggests that individuals discharging managerial functions could be considered a “management body”. NIS2 stipulates that those individuals may be subject to enforcement action for an entity's failure to comply with NIS2. For instance, in the context of essential entities, NIS2 permits Member States to foresee in their national transposing legislation that relevant bodies or courts temporarily ban individuals from discharging managerial responsibilities at the senior management C-Suite level, until necessary action has been taken to remedy deficiencies and/or comply with requirements requested by the competent authorities.
In addition to temporary bans, from a public reputation perspective, NIS2 permits Member States to request that infringing entities make a public statement outlining not only that an infringement of NIS2 has occurred, but also naming the individual(s) responsible for the infringement. Moreover, Member States are free under NIS2 to lay down rules on penalties in their domestic implementing legislation. Penalties need to be effective, proportionate and dissuasive, and the Recitals to the current NIS2 text make it clear that they may include criminal penalties for infringement of the legislation. Consequently, it will be important that organisations in scope of NIS2 pay attention to national Member State rules transposing NIS2 and the associated penalty regime (both criminal and civil) contained in those national rules.
Cybersecurity risk management measures
NIS2 aims for a more aligned cybersecurity management approach to mitigate inconsistencies in cybersecurity resilience across the in-scope sectors. To this end, NIS2 outlines seven key measures that all essential and important entities shall take to manage risks posed to the security of those entities' network and information systems when providing their services. Those measures are:
- Risk analysis and information system security policies
- Incident handling (prevention, detection, and response to incidents)
- Business continuity and crisis management
- Supply chain security – including security-related aspects of relationships between each entity and (i) its suppliers or (ii) service providers (such as data storage providers and processing services or managed security services providers)
- Security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosures
- Policies and procedures to assess the effectiveness of cybersecurity risk management measures
- The use of cryptography and encryption
Supply chain due diligence – suppliers of IT-related services to take note
The new cybersecurity measures require entities falling in scope of NIS2 to mitigate security risks in their supplier / service provider supply chain – including assessing and taking into account the overall quality of products and cybersecurity practices of their suppliers and service providers.
The draft NIS2 text notes that entities have fallen victim to cyberattacks in which threat actors had compromised an entity’s network and information systems security through exploiting vulnerabilities affecting third-party products and services. Consequently, organisations outside the direct scope of NIS2 offering such products and services may ultimately become impacted by the new legislation, for instance should the organisation provide certain IT-related services to customers who fall in scope of NIS2 and are therefore required to undertake supply chain diligence on the supplier organisation. Currently, the draft NIS2 text outlines that providers of managed security services, such as those providing incident response, penetration testing, security audits and consultancy services, will require increased diligence from in-scope NIS2 entities.
The net effect of the supply chain security diligence obligations is that organisations providing network and/or information systems security services to customers in the expanded sectors covered by NIS should be prepared for increased questioning from in-scope NIS2 customers concerning their cybersecurity practices and information security policies. Such questioning may relate to individual solutions, but also general cybersecurity and information security risk management practices implemented by those suppliers.
Incident and cyber threat reporting requirements
NIS2 amends the incident reporting requirements under the current NIS Directive to require that essential and important entities must notify the relevant competent authorities1 or one of the Member States' computer security incident response teams (CSIRTs) without undue delay of:
- any incident having a significant impact on the provision of their services – including an incident that has caused, or has potential to cause, substantial operational disruption or financial losses to the entity. The incident reporting requirements include an initial notification within 24 hours of becoming aware of the incident (instead of simply “without undue delay” as in the NIS Directive) and include intermediate and final reporting obligations; and
- any significant cyber threat identified that could have potentially resulted in a significant incident.
Fines and penalties
NIS2 allows EU Member States to implement administrative fines of at least EUR 10M or up to 2% of the total worldwide turnover of an entity for the preceding financial year (whichever is higher) for entities in scope of NIS2 who breach the cybersecurity risk management measures and/or the cybersecurity incident reporting obligations. This is in addition to the wide discretion NIS2 affords Member States to implement their own national rules on penalties for infringement of the proposed legislation, as identified earlier in this article.
Adoption timeline and steps to take at this time
At this stage, organisations should consider the scope of NIS2 and whether their businesses fall within that scope. If an organisation concludes that it is likely to fall within scope of the new legislation, the organisation should consider the organisational, financial and technical steps that will be required to prepare for complying with NIS2. For instance, from an ICT spend perspective, the European Commission expects organisations to face a maximum increase of 22% on ICT security spending in the first few years post-NIS2 implementation (a maximum increase of 12% is estimated for organisations that are already under the scope of the current NIS Directive). In addition, in-scope organisations should keep an eye on how NIS2 is implemented in the key EU jurisdictions where they operate.
In addition, organisations offering information and network security products / services should also be prepared for due diligence from in-scope NIS2 organisations. Therefore, those out-of-scope organisations should ensure that effective, documented processes are in place to manage security risks associated with their product / service offering in anticipation of any such due diligence.
With respect to timeframe for implementation, the NIS2 text has been provisionally agreed by the European Parliament and European Council and both of these institutions must now formally adopt the text. NIS2 is expected to be adopted in 2022 and once adopted, Member States will have 21 months to transpose NIS2 into national law. It is unlikely to be adopted and formally transposed into all EU Member State national laws until the end of 2024 at the earliest.
1 NIS2 requires Member States to designate one or more "competent authorities" responsible for cybersecurity and certain supervisory tasks under the legislation. Under the current NIS Directive, equivalent authorities include the ANSSI in France, the BSI in Germany and the CCB in Belgium.