1. Introductory remarks
The Directive on Security of Network and Information Systems[1] was adopted by the European Parliament on 6 July 2016 and entered into force in August 2016. It was the first piece of EU-wide cybersecurity legislation. Member States had to transpose the NIS Directive into their national legislation by 9 May 2018 and identify operators of essential services (OES) by 9 November 2018.
Under the NIS Directive, Member States are required to ensure that OES and digital service providers (DSP) implement cybersecurity requirements and report incidents.
As part of its policy objective to make "Europe fit for the digital age", the European Commission (the Commission) announced in early 2020 that it would conduct a review (pursuant to Art. 23 of the NIS Directive) of the functioning of the Directive by the end of 2020, since the Directive had "proven its limitations".
This review led to the publication of a new legislative proposal on 16 December 2020 (the proposal) that introduces systemic and structural changes to the NIS framework and aims to address the shortcomings in the functioning of the current NIS Directive. These range from too small a scope of application (in terms of the sectors and OES/DSP covered) and too wide a discretion for Member States to set security and incident reporting requirements for OES, to an ineffective supervision and enforcement regime.
Together with other measures, this proposal, which repeals the current NIS Directive, seeks to further improve resilience and incident response capacity among relevant stakeholders.
2. Key elements of the Commission proposal
Contrary to numerous calls for the revision to be implemented in a regulation, in particular to eliminate Member States' wide discretionary power in identifying OES resulting in fragmented identification in the Union, the proposal was published in the form of a directive.
The Commission justifies this choice by the proposal's objective to continue to give Member States a certain degree of flexibility to take into account national specificities, e.g. in the identification of "essential" or "important" entities.[2] Compared to the current NIS Directive, however, this flexibility is now limited to the identification of additional essential or important entities going beyond the baseline introduced by the proposal.
This new baseline is also one of the cornerstones of the proposal, since it aims to eliminate the above-mentioned wide divergences between Member States in the identification of OES under the current NIS Directive and thus to ensure legal certainty for the risk management requirements and reporting obligations for all relevant entities.
It consists of the application of a size-cap rule, according to which all medium and large enterprises, as defined by Commission Recommendation 2003/361/EC, that operate within the sectors or provide the type of services covered by the proposal, fall within its scope.[3]
2.2 Significant expansion of the sectors covered
Furthermore, the proposal significantly expands the scope of the current NIS Directive by adding new sectors based on their criticality to the economy and society. While the sectors covered by the current NIS Directive were limited to energy, transport, water, banking, financial market infrastructures, healthcare and digital infrastructure, the proposal now applies to
- certain public or private "essential entities" operating in the sectors of energy, transport, banking, financial market infrastructures, health, drinking water, waste water, digital infrastructure, public administration and space; as well as
- certain "important entities" operating in the sectors of postal and courier services, waste management, manufacturing, production and distribution of chemicals, food production, processing and distribution, manufacturing and digital providers.
With reference to these new designations, it may also be concluded that the proposal eliminates the distinction between OES and DSP. Entities are classified based on their importance and divided into "essential" and "important" categories with the consequence of being subjected to different supervisory regimes.[4]
Micro and small entities within the meaning of Commission Recommendation 2003/361/EC remain (in principle) excluded from the scope of the proposal. However, the proposal now specifies that this exception does not cover micro and small entities which act in the aforementioned sectors, e.g. as providers of electronic communications networks or of publicly available electronic communications services, trust service providers, TLD name registries or in the public administration, as well as entities acting as the sole provider of a service in a Member State.
2.3 Risk management and reporting obligations
The proposal further strengthens security requirements for the relevant entities by requiring a risk management approach with a minimum list of basic security elements to be applied. The proposal introduces more detailed provisions on the incident reporting procedure, the content of the reports and deadlines.
For instance, the proposal stipulates that the management bodies of essential and important entities must approve the cybersecurity risk management measures taken by those entities, supervise their implementation and be accountable for any non-compliance with the risk management and reporting obligations. The proposal thus highlights that cybersecurity falls within the responsibility of management boards. To this end, the proposal further specifies that the members of the management body must regularly participate in specific training that enables them to understand and assess cybersecurity risks and management practices.
As in the current NIS Directive, the entities concerned are required to take appropriate and proportionate technical and organisational measures to manage cybersecurity risks to network and information systems. Compared with the current NIS Directive, however, the proposal expands the list of measures to be taken, which now also includes measures such as "supply chain security" or "the use of cryptography and encryption".
To demonstrate compliance with these requirements, the proposal provides that Member States may require essential and important entities to certify certain ICT products, services and processes.
Any cybersecurity incident that has a significant impact on the provision of the service offered by the entities concerned must still be reported to the competent national authorities or the relevant Computer Security Incident Response Team (CSIRT).
2.4 Supervision and enforcement
The proposal also provides for stricter supervisory measures for national authorities and stricter enforcement requirements. Those authorities should have the power to subject the relevant entities to regular (targeted) audits, on-site inspections and off-site (ex-post) supervision, including random checks and requests to access data, documents or any information necessary for the performance of their supervisory tasks. The latter possibility in particular is open to question.
The proposal distinguishes between an ex-ante supervisory regime for essential entities and an ex-post supervisory regime for important entities, the latter requiring competent authorities to take action only when provided with evidence or indications that an important entity is not complying with security and incident notification requirements.
The proposal finally obliges Member States to impose administrative fines on essential and important entities and sets maximum penalties. Accordingly, infringements of risk management measures or reporting obligations are subject to significant administrative fines of up to EUR 10,000,000 or 2 % of the total worldwide annual turnover of the undertaking to which the essential or important entity belongs in the preceding financial year, whichever is higher.
In line with the Commission's priorities to make Europe fit for the digital age, and in response to the increasing digitisation of the internal market and an evolving cybersecurity threat landscape triggered by the COVID-19 crisis, the present proposal addresses several deficiencies of the current NIS Directive, in particular through the abolition of the differentiation between OES and DSP and the application of the size-cap rule to determine the entities falling within the scope of application of the proposal.
The public now has until 11 February 2021 to submit comments on the proposal.
[1] Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union, OJ L 194, 19 July 2016, p. 1–30 (NIS Directive / Directive).
[2] For these new designations, see section 2.2 below.
[3] See also section 2.2 below.
[4] The new supervisory regimes are discussed under section 2.4 below.