The European directive 2016/1148 of 6 July 2016 (the "NIS Directive") concerns measures for a high common level of security for network and information systems across the European Union and has been transposed in the laws of the countries of the European Economic Area ("EEA"). It imposes security-related obligations on "operators of essential services" that are established and identified in EEA countries as well as "digital service providers" (online marketplace, online search engine and cloud computing service providers) established or offering their services in these countries.
The European Commission has made a proposal to replace this NIS Directive with a new directive (the "NIS2 Directive Proposal"). It will have an extended scope of application, applying to "essential entities" (replacing the current "operators of essential services") and "important entities" (replacing the current "digital service providers") with greater extraterritorial reach. It will also saddle them with more comprehensive security-related obligations.
In this article, our cyber security experts summarise the new proposal and explain how it could affect you.
Whereas "operators of essential services" under the NIS Directive are undertakings that are identified as such by the Member State where they are established, all businesses providing services falling in one of the categories listed in Annex I of the NIS2 Directive Proposal will automatically become "essential entities" thereunder.
For instance, essential entities in the digital infrastructure sector will include all Internet Exchange Point providers, domain name system (DNS) service providers, top-level-domain (TLD) name registries, cloud computing service providers, data centre service providers, content delivery network providers, trust service providers and certain providers of public electronic communications.
Interestingly, cloud computing services, which are currently digital services under the NIS Directive, will become essential services under the NIS2 Directive Proposal, albeit still being narrowly defined as "digital services that enable on-demand administration and broad remote access to a scalable and elastic pool of shareable and distributed computing resources" (so that an entity using the cloud only to make available a software - SaaS - would not ipso facto become an essential entity).
Annex I of the NIS2 Directive Proposal also lists essential services in the sectors of energy, transport, banking, financial markets infrastructure, health, drinking water, public administration and space.
Essential entities will however exclude those that qualify as micro and small enterprises within the meaning of Commission Recommendation 2003/361/EC, save in certain circumstances.
Although the second category of regulated entities under the NIS Directive, namely "digital service providers", is currently limited to providers of online marketplace, online search engine and cloud computing services, all businesses providing services falling in one of the categories listed in Annex II of the NIS2 Directive Proposal will automatically become "important entities" thereunder. This includes not only "digital providers" but also entities providing certain services in the postal and courier services; waste management; manufacture, production and distribution of chemicals; food production; processing and distribution; and manufacturing sectors.
Furthermore, the category of digital providers itself will include providers of social networking services platforms, in addition to online marketplace and online search engine providers (whereas cloud computing service providers will exit this category to become essential entities, as indicated above).
Important entities will however exclude those that qualify as micro and small enterprises within the meaning of Commission Recommendation 2003/361/EC, save in certain circumstances.
While the NIS Directive already has some extraterritorial reach inasmuch as it applies to non-EEA "digital service providers" that offer their services in the EEA (but not to non-EEA "operators of essential services"), the NIS2 Directive Proposal will generalise this extraterritorial reach to both essential and important entities.
Non-EEA essential and important entities that "offer services" in the EEA will therefore have to comply with the obligations set out by this new regulatory framework.
Recital 65 of the NIS2 Directive Proposal provides some guidance about what it means to "offer services" in the EEA, using similar language as that found in recital 23 of the General Data Protection Regulation. It follows that there will have to be an intentional element; one will have to intentionally, rather than inadvertently or incidentally, target customers in the EEA.
When they offer their services in the EEA, non-EEA essential entities who are DNS service providers, TLD name registries, cloud computing service providers, data centre service providers and content delivery network providers, as well as non-EEA important entities who are digital providers, shall designate a representative in the European Union.
Essential and important entities will have to take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems which those entities use in the provision of their service. This includes supply chain security and security-related aspects concerning the relationships between each entity and its suppliers or service providers, such as providers of data storage and processing services or managed security services, and the use of cryptography and encryption.
In terms of reporting obligations, essential and important entities will have to
- notify, without undue delay, the competent authorities or the computer security incident response teams ("CSIRTs") of any incident having a significant impact on the provision of their services, and notify without undue delay the recipients of their services of incidents that are likely to adversely affect the provision of that service;
- notify, without undue delay, the competent authorities or the CSIRTs of any significant cyber threat that those entities identify that could have potentially resulted in a significant incident, and notify the recipients of their services that are potentially affected by a significant cyber threat of any measures or remedies that those recipients can take in response to that threat without undue delay.
TLD registries and entities providing domain name registration services for the TLD will also be saddled with specific obligations, such as to collect and maintain accurate and complete domain name registration data in a dedicated database facility with due diligence.
Once the NIS2 Directive Proposal ceases to be a proposal and becomes a directive that has entered into force, Member States will have 18 months to transpose it into their laws as per its article 38.
Article 25 of the NIS2 Directive Proposal however provides that essential entities who are DNS service providers, TLD name registries, cloud computing service providers, data centre service providers and content delivery network providers, as well as important entities who are digital providers, will however need to identify themselves (and, as the case may be, their representative in the European Union) to the European Union Agency for Cybersecurity (ENISA) within 12 months of the entry into force of the directive.