“NIS2”: WITH THE NEW CYBERSECURITY DIRECTIVE, BRUSSELS BROADENS THE SCOPE OF COMPANIES AND SERVICES THAT WILL HAVE TO FACE STRICT CYBERSECURITY REQUIREMENTS IN EUROPE

16 May 2022

On May 13th, the EU Council and the European Parliament struck a deal on the Network and Information Security Directive (NIS2 Directive) that will force critical sectors such as energy, banking and health care, but also digital infrastructure (cloud computing, data centre service providers etc.) and digital providers (providers of online marketplaces, search engines and social networking services platforms), to harden their defences and invest in cybersecurity in the coming years.

On December 16th, 2021, the European Commission unveiled a proposal for a Directive on measures for a high common level of cybersecurity across the Union (also referred to as “NIS 2.0”). After multiple waves of cyberattacks, the proposed Directive aims to remedy the inconsistent resilience of EU Member States to cybersecurity threats.

Among the different options, the EU Commission decided to revamp the existing legal framework through systemic and structural changes to Directive (EU) 2016/1148, which entered into force in 2016 (also referred to as “NIS 1.0”). According to the impact assessment report, entities that fall within the scope of the revised Directive may need to increase their current information and communication technology (ICT) security spending by up to 22% in the first years following the introduction of the proposed Directive.

Widening of the scope of the NIS2 Directive

Above all, the update of the “NIS 1.0” Directive aims to broaden the scope of companies, organizations and public services that will have to face strict cybersecurity requirements in Europe. The NIS2 Directive introduces a size-cap rule, as a result of which all medium-sized and large entities operating within the sectors or providing services covered by the Directive will fall within its scope.

The Directive is based on a two-layer approach that distinguishes between “essential entities” and “important entities” (the former Directive was applicable to “essential services” and “digital services providers”):

  • First, notable additions have been made to the list of “essential entities” as defined in Annex I: this category now covers medicine and vaccine manufacturers, telecommunications companies, cloud and data service providers, aerospace industry players and central government IT systems.
  • Second, the Directive also intends to apply to a large number of new entities, the so-called “important entities” operating in the sectors listed in Annex II (postal and courier services; waste management; manufacture, production and distribution of chemicals; food production, processing and distribution; manufacturing). This category also covers “digital providers”, which are now specified to be providers of online marketplaces, providers of online search engines and providers of social networking services platforms.

No later than 6 months after the transposition deadline, Member States should draw up a list of essential and important entities. This list should be updated regularly and at least every two years.

Overview of the obligations ensuring a high common level of cybersecurity in Europe

The Directive imposes a long list of requirements on companies, organizations and public services that will fall under the scope of the Directive: in essence, the targeted entities will have to set up and audit cybersecurity response plans, flag cybersecurity incidents to authorities within 24 hours and use state-of-the-art cybersecurity technologies to prevent hacks.

The main difference between essential and important entities lies in the supervision and enforcement regime. Unlike essential entities, which are subject to an ex ante supervisory regime, important entities benefit from an ex post supervisory regime, which means that competent authorities are required to take action when provided with evidence or indication that an important entity does not meet the security and incident notification requirements.

As regards sanctions, organizations would face fines of 2 percent of turnover for operators of “essential services” and 1.4 percent for important “service providers”.

Next steps? The provisional agreement reached last Friday, May 13, is now subject to approval by the Council and the European Parliament.