On 16 December 2020 the European Commission adopted a proposal for a revised Directive on Security of Network and Information Systems (“NIS II Directive”). This aims to fix shortfalls in the current NIS Directive and to make it fit for purpose and future-proof. The main draft changes include:
- Bringing eight additional industries within the scope of the Directive;
- Changing the way that organisations are classified and in turn the extent of their obligations under the regime;
- Bolstering organisations’ security responsibilities;
- Measures to address the security of supply chains and supplier relationships;
- Strengthened supervisory measures for national authorities and stricter enforcement and harmonisation of sanctions regimes across EU Member States; and,
- Additional structures and processes aimed at increasing cooperation and coordinated vulnerability disclosure.
This update focusses on the first five points as they are likely to be of more interest to businesses.
What industries will be covered?
The revised Directive will apply to organisations in a broader range of sectors and subsectors. The current distinction between “operators of essential services” (OESes) and “digital services providers” (DSPs) will be scrapped and entities will instead be split into the categories of: (a) “essential”; and (b) “important”. The following list sets out the sectors that were covered by the NIS Directive and the expanded scope under NIS II:
- Operators of essential services
  - Energy: electricity, oil and gas
  - Water Supply: drinking water supply & distribution
  - Banking & Financial Market infrastructure
  - Transport: air, rail, water & road
- Digital Service Providers and Digital Infrastructure
  - Online marketplaces
  - Cloud Computing Services
  - Search Engines
- Providers of Public Electronic Communications Networks or services (“essential”)
- Wastewater (“essential”) and Waste Management (“important”)
- Manufacturing of Certain Critical Products (such as pharmaceuticals, medical devices, chemicals) (“important”)
- Food (“important”)
- Digital Services such as Social Networking Services Platforms and Data Centre Services (“important”)
- Space (“essential”)
- Postal and Courier Services (“important”)
- Public Administration (“essential”)
The new sectors have been chosen based on their criticality for the economy and society – the full list of sectors, subsectors and types of entities can be found in the Annex to the proposal.
What are the differences between “essential” and “important” entities?
Different supervisory regimes will apply to each category. For example, competent authorities will only be required to take action in relation to an “important” entity when provided with evidence or an indication that the entity does not meet the security and incident notification requirements.
There will be a size cap, which brings all medium and large companies in selected sectors within scope, plus flexibility for EU Member States to expand the application of the rules to smaller entities with a high security risk profile.
What is changing in terms of organisations’ general security obligations?
Minimum security measures
A minimum list of appropriate and proportionate technical and organisational measures will have to be applied by “essential” and “important” entities to manage the risks posed to the security of the network and information systems which those entities use to provide their services. As under the GDPR, this involves a risk-based assessment. These measures will include at least:
- Risk analysis and information system security policies;
- Incident handling (prevention, detection, and response to incidents);
- Business continuity and crisis management;
- Supply chain security;
- Security in network and information systems acquisition, development and maintenance;
- Policies and procedures (testing and auditing) to assess the effectiveness of cybersecurity risk management measures; and,
- The use of cryptography and encryption.
Security incident reporting
Currently, depending on the situation and whether personal data has been compromised, if an organisation experiences a security incident, it may have to report an incident to both its competent authority (under NIS, as designated under national rules) and the data protection supervisory authority (under GDPR if the same incident is also a personal data breach). In the UK, the ICO is currently the competent authority under the NIS Directive for DSPs; the relevant competent authority for an OES will be industry-specific. This means that controllers have to make both notifications without undue delay and within 72 hours of becoming aware, where feasible.
Under the NIS II Directive, the process for incident reporting and the content of the reports and reporting timelines will be tightened up to require:
- Organisations to notify, without undue delay, the competent authorities or the “computer security incident response teams” (CSIRT) of any incident having a significant impact on the provision of their services;
- Where appropriate, organisations to notify, without undue delay, the recipients of their services of incidents that are likely to adversely affect the provision of that service;
- The organisations concerned to submit to the competent authorities or the CSIRT: (a) without undue delay and in any event within 24 hours after having become aware of the incident, an initial notification, which, where applicable, indicates whether the incident is thought to be caused by unlawful or malicious action; (b) upon the request of a competent authority or a CSIRT, an intermediate report on relevant status updates; and, (c) a final report not later than one month after the submission of the initial report including certain additional information regarding root cause, ongoing mitigation measures and other matters.
What is changing in terms of security of supply chains and supplier relationships?
Organisations will need to address cybersecurity risks in supply chains and supplier relationships (see ‘Minimum security measures’ above). At the European level, EU Member States will cooperate with the European Commission and the European Union Agency for Cybersecurity to carry out coordinated risk assessments of critical supply chains.
What is changing in terms of sanctions and enforcement?
An impact assessment into the NIS regime found its supervision and enforcement regime to be “ineffective”. The assessment went on to say that “[EU] Member States have been very reluctant to apply penalties to entities failing to put in place security requirements or report incidents”.
In response to this, the proposal introduces more stringent supervisory measures for national authorities, stricter enforcement requirements and aims to harmonise sanctions regimes across EU Member States. In particular, the proposed update will establish a list of administrative sanctions and introduce more stringent enforcement, including fines.
Currently, the NIS Directive allows EU Member States to set their own levels of fines. In the UK, the ICO can issue fines of up to £17 million for the most serious cases of infringement of the NIS Directive. The new Directive seeks to make fine thresholds more uniform across EU Member States, and fines will be able to be set at similar levels to those under GDPR. The maximum fines for organisations infringing the cybersecurity risk management and reporting obligations of the NIS II Directive will be at least the greater of €10,000,000 or 2% of the total worldwide annual turnover of the undertaking to which the “essential” or “important” entity belongs in the preceding financial year.
What are the implications of Brexit?
The (UK) NIS Regulations 2018 implement the (EU) NIS Directive into UK law. However, after the end of the Brexit transition period, the UK will, in EU terms, become a so-called “third country” and so some of the current mechanisms may no longer work in the same way. For example, a DSP subject to the jurisdiction of the UK before the end of the current Brexit transition period because its main establishment in the EU was in the UK may need to change its competent authority or appoint an EU representative.
The European Commission has published the following notice on the withdrawal of the UK from the EU and EU Rules in the field of Security of Network and Information Systems: https://ec.europa.eu/info/sites/info/files/brexit_files/info_site/network_security_en.pdf
There is scope for the UK to deviate from the EU rules in the future but an overriding consideration is the need for any cybersecurity arrangement to be cross-border and cooperative.
What are the next steps?
The proposal will be subject to negotiations between the European Commission, the Council of the EU and the European Parliament. Once the proposal is agreed and then adopted, the EU Member States will then have eighteen months to transpose the NIS II Directive into their domestic legislation.
For now, keep an eye on developments in this area and look out for the final text of the NIS II Directive – watch this space. UK companies will then need to wait to see if the UK government decides to follow the EU approach or forge its own path.
We have written previously about NIS here: https://www.corderycompliance.com/eu-network-information-security-directive-faqs/
We report about cyber security issues here: https://www.corderycompliance.com/category/cyber-security/.
For information about our Breach Navigator tool please see here: https://www.corderycompliance.com/solutions/breach-navigator/.
For more information about the EU proposal please see here: https://ec.europa.eu/digital-single-market/en/news/proposal-directive-measures-high-common-level-cybersecurity-across-union
For more information please contact Katherine Eyres, Jonathan Armstrong or André Bywater who are lawyers with Cordery in London where their focus is on compliance issues.
Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH. Office: +44 (0)207 075 1784
André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH. Office: +44 (0)207 075 1785
Katherine Eyres, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH. Office: +44 (0)20 7075 1786