The last months of 2020 saw impressive legislative activity by the European Commission, as it rolled out proposals for several regulations (namely, the Data Governance Act, the Digital Services Act and the Digital Markets Act), as well as proposed new Standard Contractual Clauses for international data transfers (expected to be adopted by April 2021), and also dealt with issues affecting data transfers to the UK due to Brexit. Amongst all of this, it would have been easy to miss a very important update in the field of cybersecurity – the proposal for a Directive on Measures for High Common Level of Cybersecurity Across the Union (NIS2 Directive), presented on December 16, 2020.
In fact, this proposal comes just in time, according to the European Commission's cybersecurity director Lorena Boix Alonso. Given the recent SolarWinds cyberattack, she argues that the NIS2 Directive will be a much-needed tool to address critical issues with similar incidents in the future, including covering public institutions and vetting supply chain security.
The NIS2 Directive in a nutshell
If adopted, the NIS2 Directive will introduce new and stricter obligations for companies to ensure adequate cyber readiness and response. These include implementing tailored cybersecurity readiness and response policies and programs, conducting regular staff trainings and supply chain audits, and notifying of any cyber incident within just 24 hours. Supervisory authorities will also have new enforcement powers, such as the right to request information and carry out audits, and even temporarily prevent a company from carrying out its business operations and suspend its CEO for a failure to address identified deficiencies.
The new directive will also bring more companies within the scope of the EU cybersecurity regulatory framework. Several companies active in the life sciences sector, digital service providers, manufacturers of electronics and motor vehicles and even public administration entities are among those that currently are still not covered by this framework. Furthermore, the directive, similar to GDPR, will have an extraterritorial scope, which means non-EU companies that provide services within the EU will have to comply with the new rules.
Adoption by EU institutions of the NIS2 Directive is expected by early 2022 and its implementation into EU Member State laws by mid-2023.
Given the rapidly growing importance of cybersecurity and the risks associated in this regard, companies should already start planning for the NIS2 Directive. Most importantly, companies should take the following steps:
- Consider how likely they are to fall under the scope of the NIS2 Directive
- Determine what is their current cybersecurity maturity level and to what extent would it be considered compatible with the NIS2 Directive
- Allocate in advance human and financial resources to implement any necessary cybersecurity measures
- Reorganize and streamline cybersecurity readiness and response programs (i.e., identify ways to have a single cyber incident response and reporting policy that complies with both GDPR and NIS2 Directive)
In 2016, the NIS Directive (Directive 2016/1148 concerning measures for a high common level of security of network and information systems across the Union) entered into force, which established the first legislative framework aimed at ensuring a high level of cybersecurity across the EU. Member States had to transpose the directive into their national legal systems by 2018.
Among the provisions regulating the national cyber strategies, and cooperation and information exchange practices between Member State authorities, several general obligations were also laid down for companies deemed to be operators of essential services. These included:
- implementing appropriate and proportionate technical and organizational measures to manage the risks posed to the security of network and information systems they use in their operations
- preventing and minimizing the impact of incidents affecting the security of their network and information systems
- notifying of all incidents having a significant impact on their network and information systems
However, not long into its operation, the NIS Directive has already proven its limitations. The proposed NIS2 Directive aims to update and add to the existing cybersecurity rules applicable to companies by:
- broadening the scope of the types of companies falling under such rules
- mandating that companies themselves identify whether they are subjected to such rules
- adding new and stricter obligations for companies and granting more enforcement powers to competent authorities
Novelties proposed by the NIS2 Directive
More types of entities covered by the new cybersecurity rules
The current NIS Directive applies to Operators of Essential Services, as well as (to a lesser degree) certain limited categories of digital service providers. OES are defined as entities who a) provide a service that is essential for the maintenance of critical societal and/or economic activities; b) the provision of that service depends on network and information systems; and c) an incident would have significant disruptive effects on the provision of that service. However, the NIS Directive limits the designation of an OES only to certain sectors, such as energy, transport and drinking water supply.
With the rapid increase in society's reliance on network and information systems and the ever more serious risks posed by such a trend, it was soon realized that far more companies fit the definition of an OES but operate in sectors outside the scope of the NIS Directive. Thus, in order to rectify this oversight and to achieve the goal of a high level of cybersecurity across the EU, the NIS2 Directive will greatly expand the list of companies subjected to the cybersecurity rules by also including, among many others, producers and researchers of medical products and devices, manufacturers of vehicles and electrical products and components, essentially all digital service providers (i.e., social network platforms, cloud solution providers, data centers, messaging services, content delivery networks and others), and even public administration entities.
All companies falling under the NIS2 Directive will be categorized as either essential entities or important entities. The distinction, albeit using different titles, is essentially similar to the one already used in the NIS Directive. Namely, in the case of essential entities, competent authorities will actively monitor their compliance with the applicable rules and will carry out inspections or other investigative actions on a regular basis (so-called "ex-ante" enforcement). Whereas for important entities, authorities will investigate any potential breaches of the rules if a cyber incident occurs or there is other evidence pointing to any deficiencies in a company's compliance level (so-called "ex-post" enforcement).
Applicability of the NIS2 Directive determined by companies instead of authorities
Another major issue of the NIS Directive was that it placed the burden of identifying which companies fell within the scope of the cybersecurity rules on Member State authorities, rather than the companies themselves. This resulted in inconsistencies among Member States, where often the same company was identified as falling under the directive in one EU country, but not in others. This caused confusion both for companies and authorities, especially in cases where a cross-border incident affected several countries with differing views about a company's classification.
The NIS2 Directive solves this by shifting this burden onto the companies themselves and obliging them to self-identify as being either an essential or important entity and to provide the necessary information in this regard to a designated registry. In case an entity fails to self-identify, a competent authority may take action to rectify this situation, which could include monetary sanctions.
New and stricter obligations for companies
In addition to the single general obligation in the NIS Directive to implement sufficient technical and organizational measures, the NIS2 Directive will require companies to take various other steps to ensure an appropriate level of cybersecurity. This will entail adopting tailored security policies covering several specific risk areas, conducting regular staff trainings and vetting the security levels of company supply chains.
The NIS2 Directive will also establish a more detailed procedure for reporting cyber incidents. The most critical element in this regard will be the obligation to provide an initial notification to a competent authority within 24 hours of the incident. This is a much tighter timeframe, compared to the 72-hour deadline provided for in the GDPR. Furthermore, a cyber incident within the meaning of this directive is a much broader concept than a data breach under the GDPR. Meaning, in certain cases, companies might need to report the same incident affecting personal data to two different authorities within two different timeframes, and in other cases, report incidents where personal data has not been affected and the GDPR reporting duties will not apply.
Increased enforcement powers of the supervisory authorities
The enforcement powers of competent authorities under the NIS2 Directive will also be extended and specified. Thus, the authorities will have such rights as to carry out on-site inspections and security audits, request information and access to a company's data and documents, issue binding orders to rectify any deficiencies, inform the public about a company's failure to ensure cybersecurity, and designate a monitoring officer to oversee a company's compliance efforts for a specified time period.
Arguably the most staggering addition to the authorities' weapons arsenal introduced in the NIS2 Directive is the right to temporarily shut down a company's business activities, and even to suspend a company's CEO or person carrying out a similar managerial role. These powers, however, will be reserved only for essential entities and only in cases where a company blatantly disregards initial instructions from the authority on how to remedy any deficiencies.
One additional aspect companies should note is that under the current NIS Directive, enforcement is carried out on a local level by authorities designated by each Member State. Furthermore, some Member States (such as Italy and the Netherlands) have designated several authorities, which are responsible for enforcement only within a specific business sector. It does not appear that the NIS2 Directive will prevent Member States from keeping their originally designated authorities. Thus, companies subjected to the cybersecurity framework will need to be wary about reporting cyber incidents in all affected Member States, as well as reporting them to the correct authority.
Extraterritorial scope of the NIS2 Directive
Companies established outside the EU, but offer their services within the EU, will also need to respect the upcoming NIS2 Directive. This means that if such a non-EU company classifies as either an essential or important entity within the meaning of the directive, they will need to fully comply with that directive (which includes all of the rules explained above), as well as designate a representative in at least one EU Member State, where its services are offered.
Timeline for adoption and transposition into Member State laws
Compared to a regulation, the adoption process of a directive in the EU institutions is normally somewhat faster. Still, it is expected that the NIS2 Directive will be passed no sooner than early 2022. Afterwards, the directive will still give 18 months for Member States to transpose its provisions into national law. Accordingly, the new cybersecurity rules will start to apply around mid-2023 at the earliest.
What does this mean for companies?
If the NIS2 Directive is adopted, adherence to strict cybersecurity rules, which require implementing a holistic awareness and response program, will become the norm rather than the exception. Soon, most companies whose operation relies on network and information systems and who are considered as essential or important to the public will be covered by the EU cybersecurity framework.
Given the wide-reaching rules and enforcement risks the NIS2 Directive proposes, including fines up to €10 million or 2% of an undertaking's global turnover, companies should already consider taking certain steps to prepare. Some good suggestions would involve determining whether your company will fall under the scope of the NIS2 Directive, and if so, allocating in advance human and financial resources for updating your cyber programs to ensure compliance. General counsels should inform about the consequences a company's board could face due to potential noncompliance with the new rules, put forward any proposals to mitigate such consequences and agree on any necessary budget plans.
Get in touch with your usual Cooley contact if you would like to know how best to prepare for the NIS2 Directive. We have assisted several companies with their efforts to comply with the current NIS Directive and can further advise on the impact the NIS2 Directive will bring to your business.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.