European Commission proposes reinforcement of EU Cybersecurity rules

Authors: Raf Schoefs, Simon Verschaeve, Laetitia Mouton

On 16 December 2020, the European Commission adopted a proposal for a Directive on measures for a high common level of cybersecurity across the Union (“NIS II Directive”) that revises the current Directive on Security of Network and Information Systems (“NIS Directive”). As part of its new EU Cybersecurity Strategy, launched on the same day, the European Commission proposes new rules that would bring more sectors and services under the scope of the NIS rules and that would subject entities already covered by the current NIS rules to an updated (and more stringent) regime of security obligations and incident notice requirements. As in many other recent legislative proposals, the Commission also envisages stronger enforcement and supervision of the rules.

Extended scope

Under the NIS Directive, the obligations that apply to an in-scope entity depend on whether it qualifies as an ‘operator of essential services’ (“OES”) or a ‘digital service provider’ (“DSP”):

  • An OES is defined as a public or private entity of a type referred to in Annex II which meets certain criteria. These criteria are: (i) the entity provides a service which is essential for the maintenance of critical societal and/or economic activities, (ii) the provision of that service depends on network and information systems, and (iii) an incident would have significant disruptive effects on the provision of that service. Annex II includes entities in the following sectors: energy, transport, banking, financial market infrastructures, health, drinking water supply and distribution, and digital infrastructure.
  • A DSP is an information society service that is an online marketplace, an online search engine or a cloud computing service (see also our previous blog post on the NIS Directive).

The NIS II Directive replaces this categorisation with a new one that distinguishes between ‘essential’ entities and ‘important’ entities.

Essential entities are entities of a type referred to in Annex I of the NIS II Directive. That list corresponds to the list of OES under the NIS Directive, supplemented with the following entities:

  • additional entities in the energy sector, for example district heating and cooling and operators of hydrogen production, storage and transmission. For the electricity sector, the list is aligned with the scope of Directive 2019/944 on common rules for the internal market for electricity;
  • additional entities in the health sector such as EU reference laboratories, and manufacturers of pharmaceuticals and medical devices to take into account health threats that became apparent in the wake of the COVID-19 crisis;
  • additional entities considered as digital infrastructure such as cloud computing services providers, data centre service providers, content delivery network providers, trust service providers and public electronic communications networks or publicly available electronic communications services; and
  • public administrations, operators of certain space-based services and entities managing waste water.

An important entity is defined as any entity of a type referred to as an important entity in Annex II. The entities listed as ‘important entities’ in Annex II are not currently subject to the NIS Directive, except for online marketplaces and online search engines, which already form part of the current list of DSPs. Besides these two categories, Annex II lists the following:

  • postal and courier services;
  • waste management;
  • manufacturers and distributors of certain chemicals;
  • food producers and distributors;
  • manufacturers of certain critical products, such as some medical devices, transport equipment, motor vehicles, trailers, electrical equipment, etc.; and
  • social networking services platforms.

Under the NIS Directive, Member States are required to draw up a list of entities that meet the criteria of OES. This means that Member States have a margin of appreciation to include (or not include) certain entities on this list. Under the current proposal, Member States would no longer be required to establish a list of ‘essential’ entities. Instead, a uniform criterion – the ‘size-cap rule’ – would determine to which entities the obligations set out in the NIS II Directive apply.

On the basis of the size-cap criterion, all medium and large enterprises (as defined by Commission Recommendation 2003/361/EC concerning the definition of micro, small and medium-sized enterprises) that fall under the definition of ‘essential entities’ would need to comply with the obligations. In contrast, small and micro entities would, in principle, be excluded from the scope. However, certain types of small and micro entities are nonetheless covered. This is the case for the following entities: operators of public electronic communications networks, providers of publicly available electronic communications services, trust service providers, top-level domain (TLD) registries and domain name system (DNS) service providers.

Additionally, Member States would retain the right to bring certain entities, chosen from a list of entities set out in the NIS II Directive, under the scope of the NIS II Directive. Consequently, the scope of the NIS II rules would not be completely harmonised across the EU for small and micro entities.

Finally, the proposal explains in more detail some concepts that led to interpretation issues under the NIS Directive, such as the definition of cloud computing services as “a digital service that enables on-demand administration and broad remote access to a scalable and elastic pool of shareable and distributed computing resources”, and further defines each of the elements of this definition. The deployment models of cloud computing should include private, community, public and hybrid cloud and be interpreted in accordance with the ISO/IEC 17788:2014 standard. The proposal also clarifies that data centre services other than cloud computing services are covered by the Directive as well, and provides a definition of that concept.

Cybersecurity risk management and reporting obligations

For entities covered by the new rules, the key requirements that the NIS II would impose are (i) a minimum list of technical and organisational measures to be taken, (ii) governance requirements for management bodies of essential and important entities, and (iii) an amended incident notification regime.

In contrast to the current regime, both essential and important entities would be subject to the same set of obligations. The NIS II Directive also introduces a heavier enforcement regime including administrative fines up to 10.000.000 EUR or, if higher, 2% of the total worldwide annual turnover of the undertaking in the preceding financial year. However, as the NIS II Directive would lay down minimum rules, Member States would be able to subject infringements to higher administrative fines. The supervisory and penalty regimes would be different for the two categories of entities to ensure proportionality.

Entities that fall under the scope of the NIS II Directive will have to take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems which those entities use in the provision of their services. The current NIS Directive already contains two similar obligations, one for OES and another for DSP. The proposal harmonises both requirements and adds a list of measures that should at a minimum be present. These include, amongst others, having in place security policies, incident handling, business continuity and crisis management, and the use of cryptography and encryption.

Management bodies of essential and important entities will have to approve these cybersecurity risk management measures, supervise their implementation and be accountable for non-compliance by the entity. To that end, management will need to follow specific and regular cybersecurity training.

Furthermore, both essential and important entities would have to notify the competent authorities or the Computer Security Incident Response Teams (CSIRTs) of incidents having a significant impact on the provision of their services, whereas under the NIS rules DSPs only had to notify incidents with a substantial impact. The criteria used to determine whether an incident has a significant impact would also be amended as a result of the NIS II Directive. In addition, the proposal contains an important new obligation that requires entities to notify, without undue delay, “any significant cyber threat that those entities identify that could have potentially resulted in a significant incident”.

Whereas the current rules allow the competent authority or CSIRT in certain instances to inform the public, the proposal also contains an obligation for the essential or important entity itself to notify, where appropriate, the recipients of its services of incidents that are likely to adversely affect the provision of that service. In the case of a significant cyber threat, the recipients of the services that are potentially affected by that threat should be notified of any measures or remedies they can take in response to it and, where appropriate, of the threat itself. Finally, Member States would also have the possibility to require in-scope entities to certify some of their ICT products, services and/or processes under ‘specific European cybersecurity certification schemes’ (adopted pursuant to the EU Cybersecurity Act of 2019).

Sector-specific instrument for the financial sector

The proposal explicitly recognises the option for the EU legislator to adopt ‘sector-specific acts’ of EU law. Where their provisions are at least equivalent in effect to the obligations of the NIS II Directive, the sector-specific instrument would apply instead of the NIS II Directive.

In September 2020, the European Commission had already launched a proposal for such an instrument for financial sector entities, i.e. the ‘Proposal for a Regulation on digital operational resilience for the financial sector’. Those new rules would include a set of minimum requirements for contracts between IT service providers and financial entities, including broadened audit and monitoring rights. “Critical” IT service providers included in a list published by the European Supervisory Authorities (ESAs) would be subject to an annual oversight plan. The ESAs would also be given the task of developing draft regulatory technical standards which financial entities would need to assess when sub-contracting critical or important functions to third-party IT service providers.

If both acts come into force, the sector-specific Regulation will be considered lex specialis to the NIS II Directive.

Implications and next steps

The proposal will now go through the EU legislative process, including negotiations between the Council and the European Parliament. Once adopted, the Member States will have 18 months to transpose the NIS II Directive into national law.

Upon adoption, not only would the current NIS Directive be repealed, but the overlapping security obligations in the eIDAS Regulation (article 19) and the Electronic Communications Code (articles 40 and 41) would also be deleted. Although there is also an overlap with the security and incident reporting obligations in other instruments, such as the GDPR and the ePrivacy Directive, those remain unaffected by this proposal.

For further information, please get in touch with your usual DLA Piper contact or email us at