EU: Towards the adoption of the NIS 2 Directive
At the end of 2020, the European Commission ('the Commission') published a proposal for a revised Directive on Security of Network and Information Systems ('the NIS 2 Directive')1, to update and replace the Directive on Security of Network and Information Systems (Directive (EU) 2016/1148) ('the NIS Directive')2, which entered into force in 2016 and was the first horizontal cybersecurity legislation at EU level. More recently, the European Parliament ('the Parliament') and the Council of the European Union ('the Council') adopted their approaches to the NIS 2 Directive. OneTrust DataGuidance provides an overview of the Commission's proposal, as well as the approaches of the Parliament and the Council, ahead of the trilogue negotiations.
Why a NIS 2 Directive?
The NIS Directive was adopted with the specific aim of achieving a high common level of cybersecurity across Member States. However, while it contributed to improving the level of cybersecurity and the cyber resilience of private and public entities falling within its scope of application, it also showed significant weaknesses3. In particular, the NIS Directive's implementation has proved problematic, resulting in fragmentation across Member States4. The reasons for such fragmentation include the unclear delimitation of the NIS Directive's scope of application, which was largely left to the discretion of Member States5. Similarly, the NIS Directive accorded Member States significant room for manoeuvre in the implementation of security and incident reporting obligations, and in relation to supervision and enforcement requirements6.
In light of the above, and also to respond to the growing number of cyber attacks and the inherent threats of the digitalisation of critical sectors7, the Commission presented, in December 2020, its proposal for a NIS 2 Directive.
The EU Commission's proposal
One of the most significant changes proposed by the NIS 2 Directive is the definition of a new scope of application. Where the NIS Directive included in its scope of application operators of essential services and digital service providers, the NIS 2 Directive proposes to replace these with two new categories of entities. Specifically, Article 2 of the Commission's proposal would establish that the NIS 2 Directive applies to certain public and private 'essential entities' operating in the sectors listed in Annex I of the NIS 2 Directive (energy, transport, banking, financial market infrastructures, health, drinking water, waste water, digital infrastructure, public administration, and space) and to certain 'important entities' operating in the sectors listed in Annex II of the NIS 2 Directive (postal and courier services, waste management, manufacture, production, and distribution of chemicals, food production, processing, and distribution, manufacturing, and digital providers). In addition, a size-cap rule is introduced, according to which all medium and large entities, as defined by Commission Recommendation 2003/361/EC of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises, operating in the abovementioned sectors, would automatically fall within the NIS 2 Directive's scope of application (Recital 8 of the NIS 2 Directive).
In addition, the NIS 2 Directive, among other things:
- requires Member States to adopt a national cybersecurity strategy (Articles 5-11 of the NIS 2 Directive);
- enhances cooperation among Member States, by facilitating strategic cooperation and exchange of information (Articles 12 to 16 of the NIS 2 Directive);
- strengthens the security requirements, by obliging Member States to impose cybersecurity obligations on all covered entities, and streamlines reporting obligations (Articles 17 to 23 of the NIS 2 Directive);
- facilitates information sharing among covered entities (Articles 26 and 27 of the NIS 2 Directive); and
- creates stricter supervisory measures, enforcement requirements, and harmonised minimum sanctions (Articles 28 to 34 of the NIS 2 Directive).
The Parliament's general approach
On 28 October 2021, the Committee on Industry, Research and Energy ('ITRE') of the Parliament announced that it had adopted its report on the NIS 2 Directive and a mandate to enter into interinstitutional negotiations8, both of which were confirmed during the Parliament plenary session held on 10 November 2021. The Parliament's approach introduced key amendments to the Commission's proposal.
Scope of application
The Parliament's proposal maintains the size-cap rule and the distinction between essential and important entities, but broadens the scope of application of the NIS 2 Directive by adding a new sector. Specifically, Amendment 280 of the Parliament's proposal includes among the important entities education and research institutions, on account of the fact that the same are heavily targeted by cyber attacks and their intellectual property is worthy of protection10. However, the Parliament's proposal, under Amendment 15, removes domain name systems ('DNS') and root servers from the scope of application. With regard to the former, the Explanatory Statement of the Parliament's proposal clarifies that, under the Commission's proposal, individuals who have their own DNS service, e.g. on a laptop, would fall within the scope of application of the NIS 2 Directive, identifying this as problematic. With regard to the latter, the Explanatory Statement of the Parliament's proposal reasons that root servers, which are generally operated by volunteers, and thus not monetised, should not be covered by the NIS 2 Directive.
Incident reporting obligations
While the Commission's proposal establishes that entities, upon becoming aware of an incident, must notify it within 24 hours to the competent authorities, the Parliament's approach provides for different timeframes depending on the nature of the incident in question. Specifically, the Parliament's proposal extends the notification timeframe for incidents that breach the confidentiality and integrity of the services, for which a timeframe of 72 hours is laid out (Amendment 58 of the Parliament's proposal), aligning it with the timeframe for the notification of data breaches provided for by the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR')9. Conversely, for incidents that affect the availability of services, the Parliament's proposal maintains the 24-hour timeframe (Amendment 58 of the Parliament's proposal).
Risk management
Cybersecurity risk management measures are also expanded under the Parliament's proposal (Amendments 181 to 188 of the Parliament's proposal). In the Parliament's proposal, the minimum technical and organisational measures that covered entities are required to implement include cybersecurity training, use of encryption, the use of multi-factor authentication or continuous authentication solutions, and secured voice, video and text communications.
Data sharing
The Parliament's proposal fine-tunes the provisions governing the exchange of data among entities. For instance, Amendment 238 of the Parliament's proposal includes additional types of cybersecurity information that essential and important entities, as well as other relevant entities not covered by the scope of the NIS 2 Directive, may exchange, including information relating to cyber threats, near misses, metadata and content data, indicators of compromise, adversarial tactics, modus operandi, actor specific information, cybersecurity alerts, industrial espionage tactics, and recommended security tool configurations.
Supervisory and enforcement measures
Under the Parliament's proposal, the competent authorities' supervisory and enforcement powers are enhanced. With regard to essential entities, Amendments 247 to 260 of the Parliament's proposal add to the measures listed by Article 29 of the NIS 2 Directive, in the version proposed by the Commission, and provide that competent authorities, in the exercise of their supervisory tasks, may also:
- investigate cases of non-compliance and the effects thereof on the security of the services provided by the entity concerned; and
- order annual and targeted security audits carried out by a qualified independent body, and ad hoc audits in cases justified on the ground of a significant incident or non-compliance.
Additionally, with regard to enforcement powers, it is specified that competent authorities may issue binding instructions including with regard to the necessary measures that entities are required to implement to prevent or remedy an incident, as well as time-limits for the implementation of said measures and for reporting on compliance with the binding instructions received.
Similar changes are provided for by Amendments 263 to 270 of the Parliament's proposal with respect to important entities.
Notably, while the cooperation between competent authorities under the NIS 2 Directive and data protection authorities under the GDPR was already addressed in the Commission's proposal, the Parliament's draft also includes a similar provision for cooperation with competent authorities under EU sector-specific legislation. Specifically, Amendment 262 of the Parliament's proposal stipulates that Member States shall ensure that their competent authorities cooperate with the relevant competent authorities of the Member State concerned, designated pursuant to the Proposal for a Regulation on Digital Operational Resilience for the Financial Sector and Amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, and (EU) No 909/2014 ('DORA'). Elaborating on this inclusion, the Explanatory Statement highlights the importance of preventing double oversight for entities that fall within the scope of both the NIS 2 Directive and DORA.
The Council of the EU's general approach
On 3 December 2021, the Council announced that it had adopted its general approach11 on the NIS 2 Directive12. Relevant changes introduced by the Council are analysed below.
Scope of application
Similar to the Parliament's approach, the Council maintains the differentiation between essential and important entities, and the size-cap rule. However, the Council's proposal seeks to exclude from the scope of the NIS 2 Directive entities operating in areas such as defence, national security, public security, and law enforcement (Article 2(3a)(a) of the Council's proposal), as well as the judiciary, parliaments, and central banks (Article 2(3a)(b) of the Council's proposal). At the same time, Article 2(2a) of the Council's proposal seeks to include public administration entities of central governments within the NIS 2 Directive's scope of application, on account of the fact that they are often targets of cyber attacks. The same Article of the Council's proposal also establishes that, with regard to public administration entities at a regional and local level, it is up to Member States to decide whether the NIS 2 Directive will apply. Interestingly, the Council's proposal also excludes DNS from the NIS 2 Directive's scope.
Interplay with sectoral legislation
The Council's proposal addresses the interplay between the NIS 2 Directive and sectoral legislation, notably DORA. Specifically, Article 2b of the Council's proposal establishes that where provisions of sector-specific EU legislation require essential or important entities either to adopt cybersecurity risk management measures or to notify significant incidents or significant cyber threats, and where those requirements are at least equivalent in effect to the obligations laid down in the NIS 2 Directive, the relevant provisions of the NIS 2 Directive, including the provisions on supervision and enforcement, shall not apply to such entities.
Risk management
The Council's proposal specifies that the NIS 2 Directive applies an 'all-hazard' approach, which entails not only the protection of network and information systems, but also of their physical environment from any event such as theft, fire, or power failures, or from any unauthorised physical access, damage, and interference (Recital 40a of the Council's proposal). Accordingly, Recital 40a of the Council's proposal further specifies that the risk management measures should also address the physical and environmental security of the entities covered.
In addition, the Council's proposal stresses the importance of ensuring the proportionality of the cybersecurity measures imposed on entities. In particular, Article 18(1) of the Council's proposal seeks to establish that when assessing the measures' proportionality, due account shall be taken of the degree of the entity's exposure to risks, its size, the likelihood of occurrence of incidents, and their severity. Notably, Article 18(1) of the Council's proposal also provides that cybersecurity risk management measures imposed on important entities may be less stringent than those imposed on essential entities.
Supervision measures
The Council's proposal introduces a risk-based approach for the imposition of measures in the exercise of supervisory powers by competent authorities, providing, under Articles 29(2)(a) and 30(2)(b) of the Council's proposal, that competent authorities may establish methodologies allowing for a prioritisation of their supervision tasks.
Next steps
Now that the Parliament and the Council have reached their initial positions on the NIS 2 Directive, the interinstitutional negotiations may begin. For the adoption of the NIS 2 Directive, both the Parliament and the Council, as co-legislators, will need to agree on the final text.
Anna Baldin, Privacy Analyst
1. See: https://www.dataguidance.com/legal-research/proposal-directive-european-parliament-and-10
2. See: https://www.dataguidance.com/legal-research/directive-security-network-and-information
3. NIS 2 Directive, p. 1.
4. Ibid., Recital 4.
5. Ibid.
6. Ibid.
7. See: https://www.dataguidance.com/legal-research/nis2-directive-high-common-level
8. See: https://www.europarl.europa.eu/news/en/press-room/20211022IPR15610/cybersecurity-meps-strengthen-eu-wide-requirements-against-threats
9. See: https://www.dataguidance.com/legal-research/european-parliament-report-proposal-directive
10. Ibid.
11. See: https://www.dataguidance.com/legal-research/draft-directive-measures-high-common-level
12. See: https://www.consilium.europa.eu/en/press/press-releases/2021/12/03/strengthening-eu-wide-cybersecurity-and-resilience-council-agrees-its-position/