The EU Network and Information Security Directive II (NIS2 Directive): analysis of the content of the recently adopted legislation and future implications for private entities.

Author: Annalisa Ricchiuti, LL.M in Intellectual Property and Competition Law-Munich Intellectual Property Law Center (MIPLC), 2020-2021

Editor: Bobbie Smith, MA Geography University of Aberdeen 2016-2020 / Graduate Diploma in Law University of Exeter 2020-2022


In November 2022, the Council of the European Union adopted the final version of the Network and Information Security Directive (the “NIS2 Directive”)[1], repealing the first version of the directive[2], which entered into force in 2016. By October 2024, Member States shall adopt the measures necessary to comply with this Directive and, immediately after, private entities will be required to implement the new measures.

The first NIS Directive was also the first piece of European legislation on cyber-security, and it aimed to strengthen Member States’ cyber-security standards for entities conducting business within the EU. Among its merits, the NIS Directive opened the door to significant changes in the Member States’ institutional and regulatory approach to cybersecurity and pushed for a unified standard for identifying Operators of Essential Services (“OES”)[3]. This enabled the identification of the sectors which required regulatory intervention from the EU legislators and supervisory authorities, as well as of cross-sector and cross-border cyber incidents and attacks[4].

However, the digital revolution, especially during the peak of COVID-19, brought further challenges[5]. The number of cyber-attacks continued to rise over the past five years: according to the Commission’s preparatory documents, 88.4% of the respondents reported that the cyber-threat level has increased since 2016[6]. The expansion of the Internet of Things (IoT) has significantly expanded the potential for cyberattacks. Currently, there are over 21 billion IoT devices globally, and this number is projected to double by 2025. Attacks on IoT devices rose sharply, by over 300%, in the first half of 2019. In September of the same year, IoT devices were utilized in a classic DDoS attack that resulted in the temporary shutdown of Wikipedia. The likelihood of IoT devices being used as conduits for cyber-attacks is also anticipated to rise in the future[7].

The NIS2 Directive will extend the scope of the current NIS Directive, adding new sectors to the list of entities covered by the legislation: it will apply to entities working in sectors that are considered crucial for the economy and for consumers (the relevant sectors are listed in Annex I and Annex II of the directive and include health, energy and transport services) and that reach a certain size threshold (large or medium-sized entities as defined by Commission Recommendation 2003/361/EC[8]).

In certain cases, companies and entities will fall within the scope of the directive regardless of their size: this is the case for public sector entities and for entities that are classified as “critical”. The directive provides some further guidance to Member States in identifying “critical entities”: these are the entities belonging to the sectors listed in Annex I of the directive on the resilience of critical entities (also issued in 2022)[9]. This will be the case, for example, if the entity is the sole provider in a Member State of a service which is essential for the maintenance of critical societal activities. Furthermore, the directive will apply to cloud computing service providers and to data centre service providers (other than cloud computing services), which were not initially covered by the legislation (recital 35).

The NIS2 Directive classifies businesses based on their importance: essential entities and important entities are subject to different regimes and are required to implement different measures, inter alia increased diligence in selecting a managed security service provider (recital 86) and in ensuring the security of the network and information systems which they use in their activities. Likewise, essential entities are subject to a comprehensive ex-ante and ex-post supervisory regime, while important entities are subject to an ex-post-only supervisory regime (recital 122).

The security requirements laid down by the directive, as anticipated, are stricter than those in the first version of the NIS Directive: the members of the management bodies of essential and important entities must follow cybersecurity training, and must also encourage their employees to follow such training (recital 25 and art. 20).

On a related note, the management bodies of essential and important entities can be held liable for infringement of, or failure to comply with, the approved cybersecurity risk-management measures (art. 20).

The new NIS framework will establish a ‘two-layer’ approach to the notification of significant incidents that essential and important entities will have to follow. Firstly, entities will be required to notify the incident without undue delay and in any event no later than 24 hours. Entities will then have a further 72 hours to transmit detailed information on the extent of the incident and its circumstances (art. 23). Notifications must be sent to the CSIRT (the Computer Security Incident Response Team), to the competent national authority or to the single point of contact designated by the Member State. As such, Member States are required to be adequately equipped to prevent and respond to incidents, and national CSIRTs play an important role in ensuring that incidents and risks are dealt with efficiently and that cooperation is enhanced at the Union level (recital 34).

Regarding the interaction of the directive with other relevant European legislation, it is important to highlight, firstly, that as far as personal data are concerned the NIS2 Directive applies without prejudice to the provisions of the GDPR: for any matter, data incident or data breach involving personal data, the GDPR prevails. Nonetheless, the directive requires cooperation between the competent authorities and the supervisory authorities established under the GDPR.

Secondly, it is worth noting that the final text of the Data Governance Act[10] has also recently been published, following the agreement reached by the European institutions on the final draft. The text will be applicable from the last quarter of 2023; it will require data intermediaries to ensure the protection of sensitive and confidential data and will also set the conditions for the re-use, within the Union, of certain categories of data. The Act will apply to entities that do not necessarily fall within the scope of the NIS2 Directive: it will apply to public sector bodies and to providers of ‘data intermediation services’, that is, services that aim to establish a commercial relationship for the purposes of data sharing between data subjects and data users. It will also require a notification and supervisory framework: on this last point, there may be some overlap with the notification requirements of the NIS2 Directive.


The European legislator considered that enterprises will have to face significant costs to comply with the measures: for this reason, the directive encourages the use of open-source software and standards, as well as the adoption by the Member States of policies promoting the introduction of open-source cybersecurity tools, in particular for small and medium-sized enterprises. Furthermore, according to a Commission impact assessment of 2020[11], the measures will ensure a reduction in the cost of cyber incidents of up to EUR 11.3 billion by 2029.


On the other hand, companies that fall under the scope of the framework will have to increase their current ICT (information and communication technology) security spending by up to 22% in the first years following the introduction of the new NIS2 framework (only 12% for companies already under the scope of the NIS Directive)[12]; similarly, national budgets and administrations will have to increase the resources invested in cyber-security by 20-30%[13]. As an example, the directive requires that the use of encryption (in particular end-to-end encryption) be mandatory for providers of public electronic communications networks or of publicly available electronic communications services (recital 98), a measure that implies high costs, including energy expenses[14].

Once the measures become enforceable against market operators, we will be able to see whether the actions taken by the European legislator are enough to face the new challenges for cyber-security, and whether Member States and private entities are able to adapt adequately to the requirements of the new framework.


References

[1] Directive 2022/2555 of the European Parliament and of the Council on measures for a high common level of cybersecurity across the Union, amending Regulation 910/2014 and Directive 2018/1972, and repealing Directive 2016/1148 (2022) Official Journal L333, p. 80-152

[2] Directive 2016/1148 of the European Parliament and of the Council concerning measures for a high common level of security of network and information systems across the Union (2016) Official Journal L194, p. 1-30

[3] Commission, ‘Part 3/3 Impact assessment report accompanying the document Proposal for a Directive of the European Parliament and of the Council on measures for a high common level of cybersecurity across the Union, repealing Directive (EU) 2016/1148’, COM (2020) 823 final

[4] Ibid. 65

[5] Commission, ‘Executive Summary of the Impact assessment report accompanying the document Proposal for a Directive of the European Parliament and of the Council on measures for a high common level of cybersecurity across the Union, repealing Directive (EU) 2016/1148’, COM (2020) 823 final

[6] Commission, ‘Part 2/3 Impact assessment report accompanying the document Proposal for a Directive of the European Parliament and of the Council on measures for a high common level of cybersecurity across the Union, repealing Directive (EU) 2016/1148’, COM (2020) 823 final

[7] World Economic Forum, ‘The Global Risks Report 2020’ (World Economic Forum, 15 January 2020) <https://www.weforum.org/reports/the-global-risks-report-2020/> accessed 31 January 2023

[8] Commission, ‘Recommendation concerning the definition of micro, small and medium-sized enterprises’, COM (2003) L124, p. 36

[9] Directive 2022/2557 of the European Parliament and of the Council on the resilience of critical entities and repealing Council Directive 2008/114/EC (2022) Official Journal L333, p. 164

[10] Commission, ‘Proposal for a Regulation of the European Parliament and of the Council on European data governance (Data Governance Act)’, COM (2020) 767 final

[11] Commission, ‘Part 1/3 Impact assessment report accompanying the document Proposal for a Directive of the European Parliament and of the Council on measures for a high common level of cybersecurity across the Union, repealing Directive (EU) 2016/1148’, COM (2020) 823 final

[12] Commission, ‘Part 2/3 Impact assessment report accompanying the document Proposal for a Directive of the European Parliament and of the Council on measures for a high common level of cybersecurity across the Union, repealing Directive (EU) 2016/1148’, COM (2020) 823 final

[13] Ibid. 65

[14] Jongdeog Lee, Krasimira Kapitanova, Sang H. Son, ‘The price of security in wireless sensor networks’ (2010) Computer Networks, Volume 54, Issue 17 <https://www.sciencedirect.com/science/article/pii/S138912861000157X> accessed 7 January 2023


This article is written within the Academic Essay Project (AEP) organised by LAWELS. AEP aims to increase the number of quality academic writings on legal topics, encourage young lawyers to participate in academic writing, and lay the foundation of an online database on legal science. The team of legal editors and legal writers share their knowledge through high-end essays that we are publishing on our website and social media accounts for the world to read and learn from.

The articles on the LAWELS platform are not, nor are they intended to be, legal advice. You should consult a lawyer for individual advice or assessment regarding your own situation. The article only reflects the views of the author.