NIS Directive
The NIS Directive, or Directive (EU) 2016/1148 — the first EU cybersecurity law — is the first horizontal internal market instrument aimed at improving the resilience of network and information systems in the Union against cybersecurity risks. Despite its notable achievements, the NIS Directive has shown certain limitations. The digital transformation of society, intensified by the COVID-19 crisis, has expanded the threat landscape. New challenges have appeared, which require adapted and innovative responses.
To be able to analyse the impact and identify the deficiencies of the NIS Directive, the Commission carried out an extensive stakeholder consultation. The Commission identified the following main issues: insufficient level of cyber resilience of businesses operating in the EU; inconsistent resilience across Member States and sectors; insufficient common understanding of the main threats and challenges among Member States and lack of joint crisis response.
As a result, and in order to respond to the growing threats due to digitalisation and interconnectedness, the Commission is proposing a revised set of rules aiming to strengthen the level of cyber resilience in the Union.
Since the COVID-19 crisis, the European economy has grown more dependent on digital solutions than ever before. Sectors and services are becoming increasingly interconnected and interdependent. This has resulted in a growing and rapidly evolving cybersecurity threat landscape: any disruption, even one initially confined to one entity or one sector, can have cascading effects more broadly, potentially resulting in far-reaching and long-lasting negative impacts in the delivery of services across the whole internal market.
The COVID-19 pandemic has shown the vulnerability of our increasingly interdependent societies in the face of unexpected risks. It intensified the already emerging issues in the current NIS Directive and served as a catalyst for its revision. A concrete change to the NIS Directive in view of this crisis was to expand the scope of the new proposal, covering more specific elements in the health sector, such as entities carrying out research and development activities of medicinal products.
The NIS Directive provides legal measures to boost the overall level of cybersecurity in the EU, in order to contribute to the overall functioning of the internal market. It is based on 3 main pillars:
1. In order to achieve a high level of preparedness of Member States, the NIS Directive requires Member States to adopt a national strategy on the security of network and information systems. Member States are also required to designate national Computer Security Incident Response Teams (CSIRTs), who are responsible for risk and incident handling, a competent national NIS authority, and a single point of contact (SPOC). The SPOC has to exercise a liaison function to ensure cross-border cooperation between the Member State authorities and the relevant authorities in other Member States and the NIS Cooperation Group.
2. The NIS Directive establishes the NIS Cooperation Group to support and facilitate strategic cooperation and the exchange of information among Member States, and the CSIRTs Network, which promotes swift and effective operational cooperation between national CSIRTs.
3. The NIS Directive ensures that cybersecurity measures are taken across seven sectors, which are vital for our economy and society and which rely heavily on ICT, such as energy, transport, banking, financial market infrastructures, drinking water, healthcare and digital infrastructure.
Public and private entities identified by the Member States as operators of essential services (OES) in these sectors are required to undertake a cybersecurity risk assessment and put in place appropriate and proportionate security measures. They are required to notify serious incidents to the relevant authorities. In addition, providers of key digital services (digital service providers or DSPs), such as search engines, cloud computing services and online marketplaces, have to comply with the security and notification requirements under the Directive. At the same time, the latter are subject to a so-called ‘light-touch’ regulatory regime, which entails, among other measures, that they are under the jurisdiction of one Member State for the whole EU and are not subjected to ex-ante supervisory measures.
The new Commission proposal aims to address the deficiencies of the previous NIS Directive, to adapt it to the current needs and make it future-proof.
To this end, the Commission proposal expands the scope of the current NIS Directive by adding new sectors based on how crucial they are for the economy and society, and by introducing a clear size cap — meaning that all medium and large companies in selected sectors will be included in the scope. At the same time, it leaves some flexibility for Member States to identify smaller entities with a high security risk profile.
The proposal also eliminates the distinction between operators of essential services and digital service providers. Entities would be classified based on their importance, and divided into essential and important categories, which will be subjected to different supervisory regimes.
The proposal strengthens and streamlines security and reporting requirements for companies by imposing a risk management approach, which provides a minimum list of basic security elements that have to be applied. The proposal introduces more precise provisions on the process for incident reporting, content of the reports and timelines.
Furthermore, the Commission proposes to address security of supply chains and supplier relationships by requiring individual companies to address cybersecurity risks in supply chains and supplier relationships. At European level, the proposal strengthens supply chain cybersecurity for key information and communication technologies. Member States, in cooperation with the Commission and ENISA, may carry out coordinated risk assessments of critical supply chains, building on the successful approach taken in the context of the Commission Recommendation on Cybersecurity of 5G networks.
The proposal introduces more stringent supervisory measures for national authorities, stricter enforcement requirements and aims at harmonising sanctions regimes across Member States.
The proposal also enhances the role of the Cooperation Group in shaping strategic policy decisions and increases information sharing and cooperation between Member State authorities. It also enhances operational cooperation including on cyber crisis management.
The Commission proposal also establishes a basic framework with responsible key actors on coordinated vulnerability disclosure for newly discovered vulnerabilities across the EU and creates an EU registry in this area, operated by the EU agency for cybersecurity (ENISA).
The Commission’s proposal covers the following essential and important entities:
Essential entities: energy (electricity, district heating and cooling, oil and gas); transport (air, rail, water and road); banking; financial market infrastructures; health; manufacture of pharmaceutical products including vaccines; drinking water; waste water; digital infrastructure (internet exchange points; DNS providers; TLD name registries; cloud computing service providers; data centre service providers; content delivery networks; trust service providers; and public electronic communications networks and electronic communications services); public administration; and space.
Important entities: postal and courier services; waste management; chemicals; food; manufacturing of medical devices, computers and electronics, machinery equipment, motor vehicles; and digital providers (online market places, online search engines, and social networking service platforms).
The evaluation of the current rules on security and incident reporting requirements has shown that in some cases Member States have implemented these requirements in significantly different ways. This has created an additional burden for companies operating in more than one Member State.
Furthermore, when it comes to cybersecurity requirements we want to be sure that all companies address the necessary core set of elements in their cybersecurity risk management policies.
For this reason, the proposal includes a list of 7 key elements that all companies must address or implement as part of the measures they take, including incident response, supply chain security, encryption and vulnerability disclosure.
When it comes to incident reporting, we need to strike the right balance between the need for swift reporting in order to avoid the potential spread of incidents, and the need for in-depth reporting to draw valuable lessons learned from individual incidents. The new proposal therefore foresees a two-stage approach to incident reporting. Affected companies have 24 hours from when they first become aware of an incident to submit an initial report, followed by a final report no later than one month later.
The proposed new NIS Directive puts supervision and enforcement at the heart of the tasks of the competent authorities and sets a coherent framework for all supervisory and enforcement activities across Member States.
In order to strengthen the supervision that helps ensure effective compliance, the new NIS proposal provides for a minimum list of supervisory means through which competent authorities may supervise essential and important entities. These include regular and targeted audits, on-site and off-site checks, requests for information, and access to documents or evidence.
In addition, the new Directive establishes a differentiation of supervisory regimes between essential and important entities, with a view to ensuring a fair balance of obligations for both entities and competent authorities.
As regards enforcement, so far there has been an overall reluctance across Member States to apply penalties to entities failing to put in place security requirements or report incidents. This can have negative consequences for the cyber resilience of entities. In order to make enforcement effective, the new proposal sets up a consistent framework for sanctions across the Union. It therefore establishes a minimum list of administrative sanctions for breach of the cybersecurity risk management and reporting obligations laid down in the NIS Directive. These sanctions include binding instructions, an order to implement the recommendations of a security audit, an order to bring security measures in line with NIS requirements, and administrative fines.
In relation to administrative fines, the proposed new NIS Directive would require Member States to provide for a certain level of administrative fines, notably at least €10,000,000 or 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher. When exercising their enforcement powers, competent authorities should give due regard to the particular circumstances of each case, such as the nature, gravity and duration of the infringement, the damage caused or losses incurred, and the intentional or negligent character of the infringement.
In order to ensure real accountability for the cybersecurity measures at organisational level, the NIS proposal introduces provisions on the liability of natural persons holding representation or senior management positions in the entities falling within the scope of the new NIS Directive.
The new proposed rules improve the way the EU prevents, handles and responds to large-scale cybersecurity incidents and crises. They do so by introducing clear responsibilities, appropriate planning and more EU cooperation. The Commission proposes to require Member States to appoint national authorities responsible for cybersecurity crisis management, introduce national crisis management plans, and take part in a new network focused on operational cooperation for incidents and crises, the so-called EU Cyber Crisis Liaison Organisation Network (hereinafter called ‘EU-CyCLONe’). This Network is a key component of the EU cyber crisis management network outlined by the Commission in 2017 with the Recommendation on coordinated response to large-scale incidents and crises.
As a rule, essential and important entities are deemed to be under the jurisdiction of the Member State where they provide their services. If the entity provides services in more than one Member State, it should fall under the jurisdiction of each of these Member States. The competent authorities of each of these Member States should cooperate, provide mutual assistance to each other and, where appropriate, carry out joint supervisory actions.
At the same time, certain types of entities would be under the jurisdiction of the Member State in which they have their main establishment in the Union. These entities include, but are not limited to, domain name system service providers, top level domain name registries, cloud computing service providers, data centre service providers, content delivery network providers, as well as online marketplaces, online search engines and social networking platforms.
This is to ensure that such entities do not face a multitude of different legal requirements, as they provide services across borders to a particularly high extent. For the purpose of effective supervision, ENISA would be required to create and maintain a registry, in which these types of entities notify where they are established in the Union.
EU Cooperation is taken forward by allowing Member States to act jointly and tackle emerging security risks posed by the ongoing digital transformation.
More specifically, Member States will be able to jointly supervise the implementation of EU rules and mutually assist each other in the case of cross-border malpractices, have a more structured dialogue with the private sector and coordinate the disclosure of vulnerabilities found in software and hardware sold across the internal market. They will also be able to work in a coordinated manner to assess the security risks and threats related to new technologies, as done for the first time with 5G.
Member States will draw on EU cooperation to improve national capabilities through staff exchanges between authorities and peer reviews. The existing groups, notably the Cooperation Group gathering national cybersecurity authorities and the Network of Computer Security Incident Response Teams (CSIRTs), will contribute to advancing cooperation at the strategic and technical levels respectively.
This proposal is closely linked with two other ongoing initiatives, the Commission proposal for a Regulation on digital operational resilience for the financial sector (Digital Operational Resilience Act, DORA) as well as the proposal for a Critical Infrastructure Resilience (CIR) Directive. The Commission has aimed to ensure that there is maximum coherence between this proposal and these two initiatives.
As regards the financial sector, while the new NIS proposal would apply to credit institutions, operators of trading venues and central counterparties, the DORA proposal will apply to these entities as regards cybersecurity risk management and reporting obligations. At the same time, it is important to maintain a strong relationship for the exchange of information between the financial sector and the other sectors covered by NIS 2. To that end, under the DORA proposal, all financial supervisors, the European Supervisory Authorities (ESAs) for the financial sector and the financial sector national competent authorities would be able to participate in the discussions of the NIS Cooperation Group, and to exchange information and cooperate with the single points of contact and with the national CSIRTs under NIS 2. The single points of contact (SPOCs) under NIS would receive details of major ICT-related incidents from the competent authorities under DORA. Moreover, Member States should continue to include the financial sector in their cybersecurity strategies and national CSIRTs may cover the financial sector in their activities.
Furthermore, the Commission has aligned the scope in the NIS 2 proposal with the proposal for a Critical Infrastructure Resilience Directive (CIR Directive).
The proposal will be subject to negotiations between the co-legislators, notably the Council of the EU and the European Parliament. Once the proposal is agreed and consequently adopted, Member States will have to transpose the Directive within 18 months of its entry into force. The Commission then has to periodically review the Directive and report for the first time 54 months after the entry into force.
Operators of essential services
Operators of essential services are private businesses or public entities with an important role in providing security in healthcare, transport, energy, banking and financial market infrastructure, digital infrastructure and water supply.
Under the NIS Directive, identified operators of essential services will have to take appropriate security measures and to notify serious cyber incidents to the relevant national authority.
Cyber-threats can propagate easily across borders and organisations without adequate security measures in place make for easy targets. A consistent identification helps ensure that all critical entities in a sector and across the Union exhibit a similar level of cyber-resilience. It also helps to prevent cyber-threats from propagating throughout the internal market.
In addition, the NIS Directive requires Member States to establish security requirements and incident notification procedures for operators of essential services. In order to guarantee a level playing field for operators in the internal market, it is important that operators providing similar services of similar relevance are subject to similar regulatory treatment.
The Directive requires Member States to draw up a list of services that they consider essential for the functioning of the economy and society. Public and private entities that provide such services and that depend on network and information systems (ICT) must be identified as operators of essential services if an incident would have a significant disruptive effect on the provision of the service in question. Member States usually apply thresholds to determine the significance of an incident.
For example, a Member State determines that drinking water distribution is an essential service. It would then identify all entities providing this service if they also depend on network and information systems and surpass a previously determined threshold of 5 000 000 m³ per year.