Cybersecurity on a higher level? The NIS-2 directive

In the European security agenda, originating from 2015, cybersecurity was one of the major focus areas. Since then, various pieces of legislation in the field of cybersecurity have been introduced as part of the EU strategy to make Europe more digitally resilient. Various cybersecurity incidents and an evaluation of the cybersecurity legislation in place since 2015 prompted a new cybersecurity strategy of the European Union, published in 2020. One of the outcomes of that strategy is the replacement of the current ‘Network and Information Security Directive’ (‘NIS-1’). Apart from that, the European Commission has made proposals for a ‘Cybersecurity Act’ and a ‘Digital Operational Resilience Act’ focusing on the financial sector.

In this article we will focus on the successor of NIS-1, the NIS-2 Directive. In May 2022 the European Parliament and the EU member states reached a political agreement on the NIS-2 Directive. Once the European Parliament has formally approved the NIS-2 Directive, it can be adopted and implementation in the EU member states can start.

Since the NIS-2 Directive builds on NIS-1, we will start with an outline of NIS-1. The aim of NIS-1 is the harmonization of the security requirements for network and information systems through a coordinated approach between the EU member states. NIS-1 focuses on an adequate level of cybersecurity protection throughout the EU, with security requirements, notification obligations and the exchange of information as its central elements. NIS-1 is implemented in the Netherlands via the Wbni (‘Wet beveiliging netwerk- en informatiesystemen’).

NIS-1 makes a distinction between ‘Providers of Essential Services’ (PES) and ‘Digital Service Providers’ (DSP).

PES are those parties providing services that are important for critical societal and/or economic activities and whose provision depends heavily on digital network and information systems. NIS-1 has a list of ‘essential services’ (including e.g. energy, transportation, financial services, health care and the supply of drinking water). The national legislator has the authority to designate the parties providing these ‘essential services’. In the Netherlands that was done via the Bbni (‘Besluit beveiliging netwerk- en informatiesystemen’).

DSPs are providers of digital services such as ‘online marketplaces’, ‘online search engines’ and ‘cloud service providers’. In contrast to the PES, DSPs are not designated by the national legislator. However, every entity operating as a DSP must comply with NIS-1 provided that it has a certain size (minimum 50 employees, annual turnover of 10 million euro).

Both PES and DSPs have to take appropriate security measures and have to notify incidents with ‘serious consequences’ to the authorities or the ‘Computer Security Incident Response Team’ (CSIRT).

Security measures

PES and DSPs have to identify security risks and to take ‘appropriate technical and organizational measures’ to manage those security risks, in line with the ‘state of the art’ and proportionate to the risks. The services of PES are more critical than those of DSPs, and therefore the security measures of DSPs are subject to a lighter regime. DSPs have discretion in determining which measures are appropriate for managing the security risks of their network and information systems.

Notwithstanding the foregoing, Regulation (EU) 2018/151 mentions certain elements that DSPs should take into account when determining their security measures (such as a risk analysis, operational security, physical security and access control).

The requirements mentioned for DSPs also apply to PES. On top of these requirements, some additional requirements apply to PES. In the first place, PES need to provide proof, by means of documentation, that a security policy is in place and, second, PES need to show that the security policy has been implemented and executed by means of concrete security measures.

Another difference between DSPs and PES is the way of enforcement by the authorities. In the case of PES, authorities are entitled to proactive enforcement (meaning that they can inspect PES before any incident occurs). In the case of DSPs, enforcement is reactive (meaning that authorities will only inspect DSPs upon the occurrence of an incident).

Notification

Also applicable to both DSPs and PES is the obligation to notify security incidents, with the purpose of managing and preventing security incidents. An incident is any event with a real damaging effect on the security of a network and information system.

PES have to notify the sectoral authority ‘immediately’ after becoming aware of any incident that a) has serious consequences for the continuity of the service provided by the PES, or b) is a breach of the security of the network and information systems that could have serious consequences for the continuity of the service provided by the PES. DSPs have an obligation to notify in the case of an incident that has serious consequences for the continuity of the services provided by the DSP.

When assessing whether or not to notify, PES and DSPs have to take the following into consideration: a) the number of users affected by the disruption of the service, b) the duration of the incident, c) the size of the geographical area affected by the incident, d) the extent of the disruption of the functioning of the service, and e) the extent of the impact on economic and societal activities.

For DSPs, Regulation (EU) 2018/151 has worked out in which cases an incident has serious consequences (and thus must be notified): a) the service is unavailable in the EU for more than 5 million hours, b) the incident negatively affects more than 100,000 users with respect to the integrity, confidentiality or authenticity of the service, c) one or more users of the service suffer more than 1 million euro in damage as a consequence of the incident, or d) there is a risk to public security or to the loss of one or more lives.

NIS-2 Directive: what will change?

The evaluation of the NIS-1 Directive showed that its ‘scope’ is too limited and that many obligations are unclear. Furthermore, the member states have too much discretion in setting requirements regarding security and notification, which leads to extra obstacles for organizations that are active in more than one member state. The enforcement regime is considered to be ineffective and there is no systematic exchange of information between the member states.

Under NIS-2 there will be a significant broadening of the scope. NIS-2 will be applicable to many more sectors than NIS-1. NIS-2 will be applicable to car manufacturers, manufacturers of medical devices, the chemical industry, the food products industry, postal and courier services and social media platforms.

NIS-2 will make a distinction between ‘Essential entities’ and ‘Important entities’. A stricter regime for the enforcement of security measures shall apply to Essential entities. What is noteworthy is that cloud service providers under NIS-2 will fall under the definition of ‘Essential entities’. There will, however, be a clear size threshold. NIS-2 will only be applicable to medium and large-sized organizations (unless a small entity has a very high security risk profile): all entities in one of the mentioned sectors with at least 50 employees and a minimum turnover of 10 million euro per year.

An important difference from NIS-1 is that NIS-2 will introduce a list of seven (7) basic security elements/requirements that all entities must address or implement as part of the security measures they take, including risk analysis and information system security policies, incident response, business continuity and crisis management, supply chain security, assessment of the effectiveness of risk management measures, and encryption and vulnerability disclosure.

These security measures are not only applicable to the entities themselves, but also to the chain of subcontractors/suppliers they use. This is important, because security issues very often arise from problems at the level of a subcontractor/supplier. A clear example is the use of hosting providers by cloud service providers.

NIS-2 has a two-stage approach to incident reporting. Affected organizations must notify within 24 hours from when they first become aware of an incident, followed by a final report on the incident within one month.

NIS-2 introduces sanctions that are in line with the sanctions currently applicable under the General Data Protection Regulation (‘GDPR’). NIS-2 has a list of administrative sanctions that can be applied when entities breach their obligations under NIS-2, such as cybersecurity risk management, the basic security measures or the reporting obligations under the NIS-2 Directive. These sanctions include binding instructions, an order to implement the recommendations of a security audit and an order to bring security measures in line with NIS requirements. NIS-2 also establishes administrative fines of up to EUR 10 million or 2% of the entity’s total worldwide turnover, whichever is higher.

What could NIS-2 mean for the security practice?

The broadening of the scope and the sectors in comparison to NIS-1 implies that under NIS-2 more organizations will have to address (cyber)security. For those organizations it will be important to a) make an analysis of possible security risks, b) take a risk-based approach to security, and c) address the issue of security within the organization. The latter means that organizations should consider having an incident response plan for cybersecurity incidents and appointing a person responsible for cybersecurity and related incidents (who can cooperate closely with the Data Protection Officer, if one has been appointed).

Furthermore, under NIS-2 it will be important to look not only at the organization’s own internal security but also at aspects of security outside the organization, where supply chain security is one of the security measures to be taken. This means that contracts with parties delivering systems or providing services with an impact on security should be carefully assessed: in particular, what has been agreed with IT suppliers or other subcontractors in relation to security measures and the notification of incidents.

Finally, NIS-2 could be a good incentive to take a closer look at what an organization’s insurance policies state about the coverage of (cyber)security incidents.