The EU has agreed changes to its cybersecurity rules. On 22 November 2022, the “NIS 2 Directive” received approval from the European Parliament. Yesterday, the text was also adopted by the Council of the EU, clearing the path for this to become law.

What is “NIS”?

The original Network and Information Security Directive of 2016 aimed to achieve “a high common level of cybersecurity across the Member States.” It focuses on critical infrastructure in sectors such as health, transport and energy (operators of essential services), as well as certain digital services. Its provisions include security and breach notification obligations on key organisations in these sectors.

It contains an inbuilt review mechanism to accommodate changes to “societal, political, technological or market conditions.” The latest review led to a report, which was followed by legislative proposals and has culminated in the draft text of the NIS 2 Directive (see the full text here).

Why NIS 2?

The impetus for amending the original directive included a surge in cyber-attacks and the growing threats associated with increased digitalisation. The European Parliament’s press release also referred to improving the resilience of critical infrastructure in the face of the climate crisis and “the increasing occurrence of sabotage in the European Union because of Russia’s war of aggression against Ukraine”. Topics such as “the cybersecurity of undersea communications cables” are therefore expressly called out in the draft text.

The review of the Directive has also shown a wide divergence in its implementation by Member States, for example in the security and incident reporting obligations and in relation to enforcement. To address this, NIS 2 formally establishes, among other measures, the European cyber crisis liaison organisation network (EU-CyCLONe) to support the coordinated management of large-scale cybersecurity incidents.

Despite concerns around a lack of harmonisation, the 2020 proposal made it clear that a directive (rather than a directly-effective regulation) was chosen, to allow for “a certain degree of flexibility for competent authorities” in individual Member States.

Expanded sectors

One eye-catching feature of the NIS 2 text is the expansion to cover a wider range of sectors deemed of “high criticality” (11 in total), as well as further “critical” sectors:

| Original NIS Directive: operators of essential services | Draft NIS 2 text: sectors of high criticality |
| --- | --- |
| Energy (electricity, oil and gas) | Energy (expanded to include district heating and cooling, and hydrogen subsectors) |
| Transport (air, rail, water, road) | Transport (air, rail, water, road) |
| Banking | Banking |
| Financial market infrastructures | Financial market infrastructures |
| Health | Health |
| Drinking water | Drinking water |
| Digital Infrastructure (Internet Exchange Point providers, DNS service providers, top-level domain name registries) | Digital Infrastructure (expanded to include data centre service providers, content delivery network providers, trust service providers, providers of public electronic communications networks and publicly available electronic communications services) |
| X | Waste water |
| X | ICT service management (business-to-business) |
| X | Public administration |
| X | Space |

| Original NIS Directive: relevant digital service providers | Draft NIS 2 text: other critical sectors |
| --- | --- |
| Providers of the following digital services: online marketplace, online search engine, cloud computing service | Digital providers (online marketplaces, online search engines, social networking services platforms) |
| X | Waste management |
| X | Manufacture, production and distribution of chemicals |
| X | Production, processing and distribution of food |
| X | Manufacturing |
| X | Postal and courier services |
| X | Research organisations |

The Directive includes a distinction between “essential” and “important” entities, with different supervisory and enforcement regimes for these. It also harnesses the general EU legislative concepts of micro-, small- and medium-sized enterprises to help clarify which entities are in-scope.

What next?

Having now been formally adopted by MEPs and the Council of the EU, the directive will be published in the Official Journal of the EU “in the coming days”. The NIS 2 Directive will enter into force 20 days after publication, and Member States will then have 21 months to transpose the Directive into national law.

What about the UK?

The UK is also keeping its NIS regime under review. As discussed in our blog this summer, the UK Government published its second review of the UK’s equivalent regime – the Network and Information Systems Regulations 2018 – in July 2022. The review assessed how well the current regime had been working in the UK, and recommended proposed amendments. Meanwhile, sector-specific guidance in the UK is also being updated. For example, in November 2022, Ofcom launched a consultation on proposed changes to guidance for the digital infrastructure subsector under the NIS Regulations for which it is responsible.

Comment

Organisations which could be subject to the UK regime and to the newly expanded EU regime will need to continue monitoring both landscapes. Despite the attempts at greater harmonisation in NIS 2, this could include divergence within the updated EU regime itself, where national requirements differ. As for the UK specifically, whilst there may be political pressure to forge its own path, industry concerns and the “Brussels effect” may nevertheless lead to some overlap in forthcoming updates.

“This Directive aims to overcome the shortcomings of the differentiation between operators of essential services and digital service providers, which has been proven to be obsolete, since it does not reflect the importance of the sectors or services for the societal and economic activities in the internal market.” (Recital 6 of NIS 2)