Renewing the EU's Cybersecurity Strategy with NIS2


In December 2022, a new directive was adopted to ensure a high common level of cybersecurity in the EU. Directive (EU) 2022/2555, also known as the NIS2 Directive, repeals and replaces the former Directive (EU) 2016/1148 on the security of network and information systems – also known as the NIS1 Directive. In this blog post, we highlight the core changes to this framework and place the new Directive in the EU’s broader cybersecurity strategy.

BACKGROUND

STRONG INCREASE IN CYBER INCIDENTS

The NIS1 Directive was adopted in 2016 and had to be transposed by the Member States by 9 May 2018. That process was only completed in 2019, due to some Member States not meeting the deadline. 

In the field of cybersecurity, a lot has happened since then. It is estimated that 22% of EU enterprises suffered ICT-related security incidents in 2021. Ransomware attacks were up 41% in 2022. In 2022, the global average cost of a data breach was estimated at USD 4,35 million – rising to USD 10,1 million in the healthcare sector. The global cost of cybercrime was estimated at EUR 5,5 trillion by the end of 2020.

At the same time, the increasing interconnectedness of all layers and sectors of society and the growth of teleworking following the COVID-19 pandemic result in an ever greater reliance on network and information systems. This underlines the need for strong policies in the field of cybersecurity.

WHERE DID NIS1 FALL SHORT?

However, the review of the NIS1 Directive found that this framework failed to meet its projected goals in several ways.

  1. First, the Directive left too much discretion to Member States to determine what constitutes a provider of essential services. For instance, some Member States designated certain hospitals as essential entities, while others did not. A major railway operator in one Member State was designated as essential, but a similarly sized operator in a different Member State was not. This results in an uneven playing field, given that some entities face the operational cost of compliance with this framework while similar entities in other countries do not. It also means that some entities will be better prepared in terms of cyber resilience than others.
  2. Second, effective information sharing never really took off under NIS1. The directive did not impose clear requirements to share threat or vulnerability information, and did not manage to convince entities to do so in practice. 
  3. Third, supervision and enforcement were highly divergent between Member States, with some being downright ineffective. 

Weighing a number of different policy options, the European Commission decided on a complete repeal and replacement. The NIS2 Directive was proposed in late 2020 and adopted in December 2022. It will have to be transposed by the Member States by 17 October 2024 and applies from the day after.

WHAT WILL NIS2 CHANGE?

FROM NETWORK AND INFORMATION SECURITY TO CYBERSECURITY

NIS2 is not a completely novel framework. It largely maintains the approach set by the NIS1 Directive, but with a tightened scope and a few new obligations. In terms of overall scope, the focus has also shifted from ‘network and information security’ to ‘cybersecurity’. This is important, as cybersecurity – as defined under the EU Cybersecurity Act – also covers “the users of such systems, and other persons affected by cyber threats”.

FOCUS ON ESSENTIAL AND IMPORTANT ENTITIES

In terms of covered entities, NIS2 excludes small and micro-enterprises in most cases. The focus has been shifted to essential and important entities, as described in Annexes 1 and 2 to the Directive. This list has been substantially expanded from NIS1. 

New entries marked as essential include, amongst others,

  • electricity producers, 
  • hydrogen operators, 
  • basic pharmaceutical product manufacturers, 
  • R&D entities, 
  • digital infrastructure (including IXPs, DNS and TLD service providers, data centers, trust services providers, etc.), 
  • public administrations and 
  • space ground operators.

In terms of other critical sectors, NIS2 marks 

  • postal and courier services, 
  • waste management, 
  • chemicals manufacturing and distribution,
  • food businesses in wholesale distribution and industrial production, 
  • medical devices production, 
  • certain machinery and transport production, 
  • research organizations, and 
  • digital providers such as online marketplaces, search engines and social networks. 

MINIMUM REQUIREMENTS FOR NATIONAL STRATEGIES

Member States must still adopt a national strategy. NIS2 more clearly sets out the minimum requirements for such a strategy, thus leaving less discretion than NIS1.

Member States must now also designate authorities responsible for the national management of large-scale cybersecurity incidents and crises (cyber crisis management authorities). Their tasks are also clearly set out. Furthermore, NIS2 more clearly elaborates the duty of Member State authorities to coordinate and cooperate with each other.

At the EU level, NIS2 maintains the Cooperation Group, with the support of the European Commission and ENISA – now designated as the EU agency for cybersecurity. The national cyber crisis management authorities also receive an EU platform: EU CyCLONe. Member States may now also submit their national policies for peer review.

GREATER RESPONSIBILITY FOR MANAGEMENT

In terms of risk management, NIS2 puts greater responsibility on the management bodies of entities. They must undergo training and can be held liable for infringements against this framework. 

This ensures that upper management becomes a direct stakeholder in the cybersecurity compliance of their organization, and that they are more inclined to make adequate budgets available for it.

RISK-BASED APPROACH WITH MINIMUM ELEMENTS

NIS2 maintains the risk-based approach set out by NIS1, but more clearly elaborates the minimum elements of such approach. As before, significant incidents must be notified to CSIRTs. NIS2 sets out clearer deadlines for when such notification should occur, and may also require the recipients of the services involved to be notified if they could be adversely affected. 

STRONGER ENFORCEMENT

Regarding supervision and enforcement, NIS2 more clearly formulates the competences of authorities in this field, as well as the actions they can take. Regarding fines, NIS2 imposes certain thresholds, ensuring that fines are more harmonized across the EU. 

THERE IS MORE TO CYBERSECURITY THAN NIS2

OTHER RELEVANT CYBERSECURITY INSTRUMENTS

Since NIS1, several other texts have been adopted in the field of cybersecurity. 

One text is the EU Cybersecurity Act, which designates ENISA as the EU agency for cybersecurity and establishes an EU-wide certification scheme for ICT-products, services and processes. 

Closely linked to NIS2 is the new Directive on the resilience of critical entities (CER Directive), which focuses more on the physical security of essential entities – whereas NIS2 focuses on their cybersecurity. 

CYBERSECURITY FRAMEWORKS FOR SPECIFIC SECTORS

Specific sectors can also adopt their own cybersecurity framework, tailored to the needs and challenges of that sector. In this sense, NIS2 serves as the lex generalis in the field of cybersecurity, while sector-specific texts can serve as lex specialis.

One example of such a sector-specific text is the Regulation on digital operational resilience for the financial sector (DORA). This text imposes specific requirements on 21 types of regulated financial entities, as well as on the third-party ICT service providers on which they rely.

CONCLUSION: MORE ORGANISATIONS WILL NEED TO PROFESSIONALISE THEIR CYBERSECURITY 

  • NIS2 is a welcome renewal of the EU’s cybersecurity framework. It sets out to address the main shortcomings of its predecessor, while also being more geared towards new and evolving cyber threats. 
  • The Directive maintains the general approach of NIS1 – with tightened requirements and an increased scope – and should therefore not be too surprising for most entities. 
  • Nevertheless, the scope expansion will mean that a whole range of new entities will have to get their cybersecurity compliance in order. 

Do you have any questions regarding the cybersecurity compliance of your organization? Please contact Timelex.