NIS 2.0 – Reform of the European Network and Information Security Directive
On 16.12.2020, the European Commission presented a proposal for a Directive on measures for a high common level of cybersecurity across the Union (NIS 2 Directive). This proposal aims to replace and further develop the NIS Directive, which entered into force in 2016 and is one of the most important pieces of EU-wide cybersecurity legislation.
NIS1 – Directive
One of the aims of the NIS Directive (implemented in Germany by the Federal IT Security Act) was to increase Member State capacities in the field of cyber security. The Member States had to designate competent authorities for monitoring compliance with the Directive as well as central contact points as liaison offices for supranational cooperation (in Germany, the “BSI”) and set up computer security incident response teams (CSIRTs). In order to strengthen cooperation at Union level, a cooperation group consisting of representatives of the Member States, the Commission and the EU Agency for Cyber Security (ENISA) has been established. A network of representatives of the national CSIRTs was also provided for to promote the exchange of information between Member States.
The core of the Directive, however, is the bundle of regulations on operators of so-called “essential services” as well as on providers of “digital services”. For the operators of these services, the NIS regulations provide for special security precautions and reporting obligations. According to the criteria of the NIS Directive (Arts. 5, 6 NIS Directive), an essential service must be indispensable for the maintenance of critical social and economic activities and be dependent on a network and information system, and a possible security incident would have to lead to a significant disruption in its provision. The sectors of essential services covered by the NIS Directive are listed in its Annex II, including healthcare, transport, energy and water supply. The question of who specifically qualifies as an operator of an essential service in the sectors designated by the NIS Directive is specified by the Member States themselves on the basis of predefined criteria. In Germany, this has been carried out within the “BSI-KritisV”. Operators are obliged to take appropriate and proportionate measures to counter cyber risks and to report possible security incidents to the competent authority.
The providers of digital services, which, according to Annex III of the Directive, include online marketplaces, cloud computing services and search engines, are subject to similar obligations (in particular implementation of appropriate measures and reporting of security incidents as well as – for non-EU providers – the appointment of a representative in the EU).
The Commission considers the NIS Directive to have been a success in principle, as it has led to a general improvement in cyber security. However, it is no longer up to date in many areas due to ever faster advancing digitalisation and is therefore no longer sufficient to ensure cyber defence capability. The Commission also criticised the implementation of the NIS Directive by the Member States, including often poorly enforced sanctions, insufficient exchanges at Union level in certain areas and, in particular, a lack of harmonisation between Member States regarding the categorisation of cyber security incidents. Shortcomings of the old Directive were also pointed out, such as the high regulatory burden for the competent authorities of the Member States and the overly narrow scope of application, which does not cover all digitalised sectors in which essential services are offered to the community.
Within the framework of the “Programme to Ensure Efficiency and Performance of Legislation”, which aims to reduce administrative burdens and make EU law more efficient and cost-effective, the initiative was therefore taken to revise the NIS Directive. In line with the criticism expressed by the Commission on the state of implementation of the NIS Directive, the scope of application was extended in the draft NIS2 to include further sectors: In addition to the sectors already covered by the old Directive, essential facilities in the sewage, public administration and space sectors are now also included. The differentiation between operators of essential services and providers of digital services was abandoned; instead, a distinction is now made between so-called “essential” and “important” facilities based on the degree of criticality of the sector (see also rec. 11 of the draft NIS2 Directive). In addition to the newly added sectors of sewage, public administration and space, essential facilities can also be found in the familiar sectors such as energy, transport, health care or water supply. According to Annex II of the draft directive, sectors in which important facilities are present include postal and courier services, the manufacture of certain goods (including medical devices and motor vehicles) and the providers of digital services already known from NIS1.
In order to avoid significant differences between the Member States, the exact thresholds for essential (and now also important) services are no longer determined by the Member States according to the draft, but directly by the Directive, in that the scope of application is now to clearly include all medium-sized and large enterprises in the critical sectors (Art. 2 I of the draft NIS2 Directive). Micro and small enterprises are in principle excluded from the scope of application. However, Art. 2 II of the draft NIS2 Directive provides for a counter-exemption for such enterprises in certain cases.
In future, the national authorities are to take on more responsibility for monitoring and enforcing the regulations. The NIS2 Directive contains a catalogue of measures and powers that the Member States must follow (Art. 29 et seq. draft NIS2 Directive). The framework for penalties throughout Europe provides for fines of at least up to 10 million Euros / 2% of the worldwide annual turnover.
The proposal also considerably expands cooperation between the authorities of the Member States throughout the Union: among other things, it provides for an obligation of the competent authorities to exchange cybersecurity information (Art. 1 II lit. c draft NIS2 Directive), expanded tasks of the cooperation group (Art. 12 draft NIS2 Directive) and the CSIRT network (e.g. Art. 13 III lit. b draft NIS2 Directive) as well as the establishment of a European network for massive cybersecurity incidents made up of the competent national authorities (Art. 14 draft NIS2 Directive).
The measures prescribed by the Directive for operators of essential and important services are now described more comprehensively and uniformly in the draft: Art. 18 draft NIS2 Directive contains a catalogue of measures that companies must implement as a minimum, listing, among other things, risk analysis and security concepts, prevention of security incidents and crisis management. The reporting obligations of companies are also more clearly formulated; the draft now contains precise specifications on the procedure, content and timeframe for reporting a security incident (Art. 20 draft NIS2 Directive). An EU-wide coordinated risk assessment of supply chains has also been newly introduced (Art. 19 draft NIS2 Directive).
The proposal thus goes significantly further than the previous regulation within the framework of NIS1 and shows that, in the Commission’s view, the implementation of the NIS Directive to date has not been sufficiently consistent and that the aim is to tighten the legal obligations and achieve greater EU-wide harmonisation.
The Commission is optimistic and seems to be aiming for a timely implementation of the Directive (see press release from the Commission). However, the European Parliament and the Council of the European Union still have to take a position on the proposal, which is why adoption at European level is unlikely before the end of the year at the earliest. After entry into force, the Member States are to transpose the Directive into national law within 18 months. This will also mean the need for changes to the German IT Security Act 2.0, which is currently being passed.