Publication date: February 27, 2023
“New times, new threats”. This motto sums up the outlook of the latest cybersecurity regulation in the European Union, the NIS2 Directive. It replaces the NIS1 Directive, the previous EU cybersecurity rules from 2016. NIS1 was reviewed at the end of 2020 and, as a result of that review, the Commission presented the proposal for a Directive on measures for a high common level of cybersecurity on 16 December 2020. The review showed that NIS1 had certain limitations. In an increasingly digital society, new threats appear that previously went unnoticed or did not exist, and the old rules, although they provided certain guarantees, are now obsolete. In particular, the Commission highlighted these main issues:
The Directive was published in the Official Journal of the European Union in December last year and entered into force on the 16th of last month. Member States have to transpose its provisions into national law by 18 October 2024 (Article 41), that is, they have 21 months from the entry into force of the Directive to make the proper preparations. Fortunately, the new regulation is not built only from the ashes of the previous one: some pillars remain and are being built upon. These are:
The NIS2 Directive aims to address the deficiencies of the previous rules, to adapt them to current needs and to make them future-proof.
To this end, the Directive expands the scope (Article 2) of the previous rules by adding new sectors, selected on the basis of their degree of digitalisation and interconnectedness and how crucial they are for the economy and society, and by introducing a clear size threshold rule, meaning that all medium and large-sized companies in the selected sectors will be included in the scope. At the same time, it leaves Member States some discretion to identify smaller entities that should also be covered by the obligations of the new Directive, for example because they have a high security risk profile, because the entity is the sole supplier in a Member State of a service essential for the maintenance of critical societal or economic activities, or because a disruption of the service provided by the entity could have a significant impact on public safety, public security or public health for some other reason. The Directive also does not apply to public administration entities that carry out their activities in the areas of national security, public security, defence or law enforcement.
The new Directive also eliminates the distinction between operators of essential services and digital service providers. Entities are instead classified according to their importance and divided into two categories, essential and important entities, which are subject to different supervisory regimes (Article 3). Examples of essential entities are qualified trust service providers, top-level domain name registries and DNS service providers, regardless of their size; public administration entities of central government as defined by a Member State in accordance with national law; and entities that are the sole provider in a Member State of a service essential for the maintenance of critical societal or economic activities. Important entities are those that do not qualify as essential but are still identified by Member States as important.
The new law strengthens and streamlines security and reporting requirements for companies by imposing a risk management approach, which provides a minimum list of basic security elements that have to be applied. It includes a list of 10 key elements that all companies have to address or implement as part of the measures they take, including incident handling, supply chain security, vulnerability handling and disclosure, and the use of cryptography and, where appropriate, encryption (Article 21).
The new Directive introduces more precise provisions on the incident reporting process, the content of the reports and the timelines (Article 23 et seq.). Affected companies have 24 hours from when they first become aware of an incident to submit an early warning to the CSIRT or the competent national authority, which also allows them to seek assistance if they request it. The early warning must be followed by an incident notification within 72 hours of becoming aware of the incident, and by a final report no later than one month after that.
Furthermore, NIS2 addresses the security of supply chains and supplier relationships by requiring individual companies to address the cybersecurity risks in their supply chains and supplier relationships. At European level, the Directive strengthens supply chain cybersecurity for key information and communication technologies (Articles 23, 26, 27 and 28). Member States, in cooperation with the Commission and ENISA, may carry out Union-level coordinated security risk assessments of critical supply chains, building on the successful approach taken in the context of the Commission Recommendation on the Cybersecurity of 5G networks (Articles 29 and 30).
The Directive introduces more stringent supervisory measures for national authorities and stricter enforcement requirements, and aims at harmonising sanction regimes across Member States (Article 31 et seq.). For example, Member States shall ensure that the competent authorities, when exercising their supervisory tasks in relation to essential entities, have the power to subject those entities at least to: on-site inspections and off-site supervision; regular and targeted security audits; security scans based on objective risk assessment criteria; and requests for information and access to data. In addition, NIS2 sets out a list of the parameters that should guide the imposition of fines.
It also enhances the role of the Cooperation Group in shaping strategic policy decisions and increases information sharing and cooperation between Member State authorities. Operational cooperation within the CSIRT network is strengthened as well, and the Directive establishes the European cyber crisis liaison organisation network (EU-CyCLONe) to support the coordinated management of large-scale cybersecurity incidents and crises (Articles 14 to 19).
NIS2 also establishes a basic framework (Article 22), with responsible key actors, for the coordinated disclosure of newly discovered vulnerabilities across the EU, and creates an EU vulnerability database for publicly known vulnerabilities in ICT products and ICT services, to be operated and maintained by the EU Agency for Cybersecurity (ENISA).
Furthermore, NIS2 is part of a broader framework. It is closely related to the Critical Entities Resilience Directive (CER) and the Regulation on Digital Operational Resilience for the financial sector (DORA).
The scope of NIS2 is largely aligned with the Critical Entities Resilience Directive (CER Directive) to ensure that the physical and cyber resilience of critical entities is comprehensively addressed. Entities identified as critical entities under the CER Directive will also become subject to the cybersecurity obligations of the NIS2 Directive. Furthermore, the national competent authorities under the CER and NIS2 Directives have to cooperate and regularly exchange relevant information on risks, cyber threats and incidents, as well as on non-cyber risks, threats and incidents. The Cooperation Group under NIS2 shall meet regularly, and at least annually, with the Critical Entities Resilience Group established under the CER Directive.
Regarding the financial sector, while the new NIS2 Directive applies to credit institutions, trading venue operators and central counterparties, DORA will apply to these entities in terms of cybersecurity risk management and reporting obligations. At the same time, it is also important to maintain strong information-sharing relationships between the financial sector and the other sectors covered by NIS2. To this end, within the framework of DORA, the European Supervisory Authorities for the financial sector (ESAs) and the national competent authorities of the financial sector can participate in the discussions of the NIS Cooperation Group. In addition, DORA authorities can consult and exchange relevant information with the Single Point of Contact (SPOC) and the CSIRTs established under NIS2. The competent authorities, SPOCs or CSIRTs established under NIS2 will also receive details of major ICT-related incidents from the competent authorities under DORA. Moreover, Member States should continue to include the financial sector in their cybersecurity strategies, and national CSIRTs may cover the financial sector in their activities.
In conclusion, we expect the European states to get their act together, because they have a lot of work to do, not only in cooperating with other Member States but also within their own borders. In a little less than two years they have to draw up a national cybersecurity strategy and establish the authorities and procedures to oversee the implementation of that strategy by both public and private entities. They must create a cybersecurity incident notification system. They must develop a system of sanctions. In other words, the list of tasks is not short.
However, despite the amount of work, the effort will bear great fruit. States and non-governmental groups outside the European Union are increasingly focusing on the development of equipment and electronic subterfuge techniques to infiltrate and alter electronic infrastructures, and the data they contain, for their own purposes and benefit. Those purposes usually run counter to the interests of our countries, so we are subjected to constant “anonymous” attacks intended to alter and damage our security. The digital world has opened the door to new actions whose perpetrators escape the consequences that the same actions would carry in the physical world. We cannot allow our stability to be threatened in this way. So every grain of sand that is put in place will help to make the European and national landscape more secure.