NIS-2: BROADER SCOPE, NEW OBLIGATIONS AND TOUGHER FINES
Mauro Provenzano
CIPP/E | Data Protection Compliance | Privacy & AI | Legal Counsel
In December 2020 the European Commission published a proposal to repeal the current 'NIS Directive' (the EU Directive on security of network and information systems) and to replace it with a new instrument, the NIS-2 Directive, as an initiative under the already announced European Cybersecurity Strategy.
Last week, by 577 votes to 6 with 31 abstentions, Members of the European Parliament (MEPs) agreed on the text of the new 'NIS-2'. Its focal point is tougher cybersecurity rules for large energy, transport and financial firms, digital providers and medical device makers, amid concerns about cyberattacks by state actors and other malicious players.
Back in 2016, NIS-1 obliged Member States to develop national cybersecurity strategies and to collaborate across borders, to identify Operators of Essential Services (OES) in key sectors such as energy, transport, banking, financial market infrastructures, healthcare, drinking water and digital infrastructure, and to require those operators to take minimum security measures and to report significant incidents. Providers (above a certain size) of key digital services, such as cloud computing services, search engines and online marketplaces, also had to comply with these security and notification requirements.
But after years of application, the European Commission studied the effectiveness of the NIS Directive and concluded that, while it had accomplished some very good things, NIS-1 was too limited in scope and tools. Since its entry into force, cyberthreats had increased markedly; there was a perceived lack of clarity on scope and competences, together with ineffective enforcement, too much divergence between national approaches and levels of maturity, and an overall lack of information sharing.
A broader scope for cybersecurity:
As Article 1 states, “this Directive lays down measures that aim to achieve a high common level of cybersecurity across the Union, with a view to improving the functioning of the internal market.”
The new rules cover all medium and large companies in essential sectors: energy, transport, banking, financial market infrastructure, health, vaccines and medical devices, drinking water, wastewater, digital infrastructure, public administration and space.
Sectors within the scope went from 19 to 35, adding all medium and large firms in postal and courier services, waste management, chemicals, food manufacturing, medical devices, computers and electronics, machinery and equipment, and motor vehicles. Digital providers such as online marketplaces, online search engines and social networking service platforms will also fall under the rules.
The Directive will not apply to entities carrying out activities in areas such as defence and national security, public security, law enforcement and the judiciary. Parliaments and central banks are also excluded from the scope. However, the directive will apply to public administration entities at central and regional levels. In addition, Member States may also decide that it applies to entities at local level.
New obligations:
1. Companies are required to assess and manage their cybersecurity risk: "take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of network and information systems which those entities use for their operations or for the provision of their services, and to prevent or minimise the impact of incidents on recipients of their services and on other services". (This covers requirements regarding both digital/logical security and physical security.)
2. NIS-2 contains a list of mandatory measures to be taken, such as business continuity measures, cybersecurity training, access control policies and, where appropriate, the use of multi-factor authentication, secured emergency communication systems, etc.
3. Entities must "notify without undue delay" a competent authority of any cyber threat/incident that has a significant impact on the provision of their services, and must also notify "without undue delay, the recipients of their services" if such a threat/incident is "likely to adversely affect the provision of those services".
4. Companies are designated Essential Entities (EEs) or Important Entities (IEs) based on sector and size (annex to the Directive).
5. Subcontractors and service providers with access to critical infrastructure, which were not addressed in the first version of the Directive, will also be subject to NIS-2.
6. Companies, subcontractors and local authorities will be required to undergo security audits.
A revised system of fines:
Depending on whether an entity is an EE or an IE (which depends on its size and sector), the maximum administrative fine for non-compliance is, respectively, at least 10 million EUR or at least 2 % of the undertaking's total worldwide annual turnover, whichever is higher, or at least 7 million EUR or at least 1.4 % of total worldwide annual turnover, whichever is higher.
Other features:
After Parliament's approval, the Council also has to formally adopt the law before it is published in the EU's Official Journal. Member States will then have 21 months after the Directive's entry into force to transpose it into national law.