The Council of the EU and the European Parliament recently reached a provisional agreement on the text of the EU's proposed Directive on minimum cybersecurity standards to be implemented across the EU (NIS2). The text is expected to be formally adopted in the coming months. NIS2 will replace and strengthen the EU's current Network and Information Security Directive (NIS Directive) and applies to certain "essential" and "important" entities operating in a defined list of sectors, including entities commonly regarded as critical infrastructure.
Key developments arising from NIS2 include:
In this article, we outline some of the developments arising from the proposed NIS2 and explain why the legislation is likely to have an impact not only on those organisations that fall directly within scope of the legislation, but also on their suppliers and service providers.
The current NIS Directive was adopted in 2016 as the first EU-wide cybersecurity legislation. Its aim was to achieve a high common level of cybersecurity across the EU, and it imposes certain risk management and incident reporting obligations on operators of essential services (OESs) (for instance, entities maintaining critical energy, health or transport infrastructure) and digital service providers (DSPs) (certain providers of online marketplaces, online search engines and cloud computing services).
Organisations should take note that NIS2 will apply to a wider pool of entities than the NIS Directive currently covers. Under NIS2, the pool of in-scope entities will be widened to capture certain "essential" entities (operating in the sectors listed in Annex I of NIS2) and "important" entities (operating in the sectors listed in Annex II of NIS2). Consequently, the distinction currently drawn under the NIS Directive between OESs and DSPs will be replaced. Likewise, whilst the precise scope of NIS2 will only be settled once it is transposed in the various Member States, NIS2 will broaden the number of sectors covered under the NIS Directive. For instance, in addition to the sectors covered by the NIS Directive, NIS2 will also cover organisations operating in the following sectors:
Besides covering a greater range of sectors, NIS2 also provides greater detail on which entities in those relevant sectors are subject to the proposed legislation. Whereas currently under the NIS Directive, Member States are responsible for drawing up lists of OESs and DSPs, the NIS2 Directive:
NIS2 increases the level of responsibility that "management bodies" (in the NIS2 wording) of essential and important entities must take in ensuring compliance with elements of NIS2. It provides for an obligation of the Member States, when implementing NIS2, to ensure that management bodies:
The practical implication of this requirement is that management bodies of entities falling within the scope of NIS2 may be held liable where those entities breach their obligations under NIS2. Pushing responsibility for cybersecurity risk management up to the management level of essential and important entities signals a clear intention to make cybersecurity risk management a senior management responsibility. Management bodies carry ultimate responsibility, and any failure to recognise that could result in serious consequences, including personal management liability and administrative fines, as provided for in the implementing national legislation.
The current text of NIS2 does not define what constitutes a "management body"; this will ultimately be determined by the implementing national legislation in each Member State. However, NIS2 indicates that individuals discharging managerial functions may fall within the notion of a "management body", and it provides that those individuals may be subject to enforcement action for an entity's failure to comply with NIS2. For instance, in the context of essential entities, NIS2 permits Member States to provide in their national transposing legislation that the relevant bodies or courts may temporarily ban individuals from discharging managerial responsibilities at senior management (C-Suite) level, until the necessary action has been taken to remedy the deficiencies and/or comply with the requirements imposed by the competent authorities.
In addition to temporary bans, from a public reputation perspective, NIS2 permits Member States to request that infringing entities make a public statement outlining not only that an infringement of NIS2 has occurred, but also naming the individual(s) responsible for the infringement. Moreover, Member States are free under NIS2 to lay down rules on penalties in their domestic implementing legislation. Penalties need to be effective, proportionate and dissuasive, and the Recitals to the current NIS2 text make it clear that they may include criminal penalties for infringement of the legislation. Consequently, it will be important that organisations in scope of NIS2 pay attention to national Member State rules transposing NIS2 and the associated penalty regime (both criminal and civil) contained in those national rules.
NIS2 aims for a more aligned cybersecurity management approach to mitigate inconsistencies in cybersecurity resilience across the in-scope sectors. To this end, NIS2 outlines seven key measures that all essential and important entities shall take to manage risks posed to the security of those entities' network and information systems when providing their services. Those measures are:
The new cybersecurity measures require entities falling within the scope of NIS2 to address security risks in their supply chain of suppliers and service providers, including by assessing and taking into account the overall quality of those suppliers' and service providers' products and cybersecurity practices.
The draft NIS2 text notes that entities have fallen victim to cyberattacks in which threat actors compromised an entity's network and information systems by exploiting vulnerabilities in third-party products and services. Consequently, organisations outside the direct scope of NIS2 that offer such products and services may ultimately be affected by the new legislation, for instance where the organisation provides IT-related services to customers who fall within the scope of NIS2 and are therefore required to undertake supply chain diligence on the supplier organisation. The draft NIS2 text singles out providers of managed security services, such as those providing incident response, penetration testing, security audits and consultancy services, as suppliers on whom in-scope NIS2 entities should exercise increased diligence.
The net effect of the supply chain diligence obligations is that organisations providing network and/or information systems security services to customers in the expanded range of sectors covered by NIS2 should be prepared for increased questioning from in-scope NIS2 customers concerning their cybersecurity practices and information security policies. Such questioning may relate to individual solutions, but also to the general cybersecurity and information security risk management practices those suppliers have implemented.
NIS2 amends the incident reporting requirements under the current NIS Directive to require that essential and important entities must notify the relevant competent authorities[1] or one of the Member States' computer security incident response teams (CSIRTs) without undue delay of:
NIS2 requires Member States to provide for administrative fines for breaches of the cybersecurity risk management measures and/or the incident reporting obligations. For essential entities, the maximum fine must be at least EUR 10 million or at least 2% of the entity's total worldwide annual turnover in the preceding financial year, whichever is higher (a lower ceiling of at least EUR 7 million or 1.4% of turnover applies to important entities). This is in addition to the wide discretion NIS2 affords Member States to lay down their own national rules on penalties for infringement of the legislation, as noted earlier in this article.
At this stage, organisations should consider the scope of NIS2 and whether their businesses fall within it. If an organisation concludes that it is likely to fall within the scope of the new legislation, it should consider the organisational, financial and technical steps that will be required to prepare for compliance. For instance, from an ICT spend perspective, the European Commission estimates that newly in-scope organisations could face an increase of up to 22% in ICT security spending in the first few years after NIS2 takes effect (up to 12% for organisations already within the scope of the current NIS Directive). In addition, in-scope organisations should monitor how NIS2 is implemented in the key EU jurisdictions in which they operate.
Organisations offering information and network security products or services should also be prepared for due diligence from in-scope NIS2 organisations. Those out-of-scope organisations should therefore ensure that effective, documented processes are in place to manage the security risks associated with their product or service offering, in anticipation of such due diligence.
With respect to the timeframe for implementation, the NIS2 text has been provisionally agreed by the European Parliament and the Council of the EU, and both institutions must now formally adopt it. NIS2 is expected to be adopted in 2022 and, once adopted, Member States will have 21 months to transpose it into national law. It is therefore unlikely to be fully transposed into the national laws of all EU Member States before the end of 2024 at the earliest.
Footnote
[1] NIS2 requires Member States to designate one or more "competent authorities" responsible for cybersecurity and certain supervisory tasks under the legislation. Under the current NIS Directive, equivalent authorities include the ANSSI in France, the BSI in Germany and the CCB in Belgium.
Mayer Brown is a global legal services provider comprising legal practices that are separate entities (the "Mayer Brown Practices"). The Mayer Brown Practices are: Mayer Brown LLP and Mayer Brown Europe – Brussels LLP, both limited liability partnerships established in Illinois USA; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales (authorized and regulated by the Solicitors Regulation Authority and registered in England and Wales number OC 303359); Mayer Brown, a SELAS established in France; Mayer Brown JSM, a Hong Kong partnership and its associated entities in Asia; and Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. "Mayer Brown" and the Mayer Brown logo are the trademarks of the Mayer Brown Practices in their respective jurisdictions.
© Copyright 2020. The Mayer Brown Practices. All rights reserved.
This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.
© Mondaq® Ltd 1994 – 2022. All Rights Reserved.