During the autumn of 2021, the European Parliament adopted a draft cybersecurity directive, the revised ‘Directive on security of network and information systems’ (commonly referred to as ‘NIS2’). When it moved to the Council, additional changes were made; one was to extend the time for Member States to transpose it into national law from 18 months to two years.
The NIS2 Directive has been assigned to the Committee on Industry, Research and Energy, within the European Parliament, and will repeal and replace the EU’s existing cybersecurity directive (Directive 2016/1148).
The existing directive, adopted in 2016, was the first piece of EU-wide legislation on cybersecurity and aimed to achieve a high level of cybersecurity across EU Member States. While the 2016 directive was a significant legislative move, its implementation proved difficult and resulted in fragmentation of the single market, leading to insufficient security levels.
NIS2 aims, purpose and key changes
Largely in response to the surge in cyberattacks and increased threats posed by digitalisation generally since 2016, the NIS2 Directive aims to strengthen the security requirements, address the security of supply chains and streamline reporting obligations, as well as to introduce more stringent supervisory measures and stricter enforcement requirements, including harmonised sanctions regimes across the EU.
The requirements include incident response, supply chain security, encryption and vulnerability disclosure, among other provisions. There is also an obligation on EU Member States to impose administrative fines for breaches of the cybersecurity risk management and reporting obligations (up to €10 million or 2 percent of total worldwide annual turnover, whichever is higher).
One of the key changes in NIS2 is the broadening of the scope of the existing legislation. NIS2 significantly increases the number of entities covered, obliging more sectors to take technical and organisational measures to manage risks posed to the security of network and information systems. In addition to the sectors covered by the existing directive, NIS2 now includes public administration and manufacturing of certain critical products, such as medical devices. The significant broadening of the scope of the healthcare sector, by including medical device manufacturers, is perhaps no surprise given the increasing attention healthcare cybersecurity has received in light of the COVID-19 pandemic.
The impacted sectors are outlined in Annex I, termed ‘essential sectors’, and Annex II, termed ‘important sectors’.
- Annex I: ‘Essential sectors’ covered by the new security provisions include: health, energy, transport, banking, digital infrastructure, public administration and space sectors.
- Annex II: ‘Important sectors’ include: entities manufacturing medical devices, postal services, waste management, food production and processing and digital providers.
As with NIS1, micro and small entities are excluded from the scope.
Overall, it seems as though NIS2 is more of an evolution than a revolution, encompassing the same basic structure, while building out greater EU coordination to reduce vulnerabilities, strengthening requirements and significantly increasing the sectors covered.
NIS2 should enter the trilogue process early this year. If the trilogue process takes between six and nine months and the two-year transposition period stays in place, then the new organisations in scope would need to be in a position to comply with NIS2 during 2024.