EU Cybersecurity Legislation: What Changes with the Transposition of NIS 2 Directive?
Goran Gotev, Head of Technology Practice, Rud Pedersen Brussels
For anyone closely following the EU cybersecurity agenda, this week marks an important and long-awaited milestone: the review of the Security of Network and Information Systems Directive (NIS 2 Directive) will become applicable as of today in all 27 EU countries. This step finalises the four-year process revisiting the current cybersecurity rules in the EU.
So, what does effectively change with the new rules?
Expansion of scope
The revised NIS2 was proposed by the EU executive at the end of 2020, when, following the first wave of the Covid pandemic, some shortcomings of the original NIS Directive of 2016 were identified. One of these was the range of sectors considered to be critical infrastructure (or “essential service providers” in the wording of the law): it already included entities operating in the fields of energy, transportation, healthcare, banking and financial services, and some digital infrastructure providers, but many others were either subject to lighter obligations or not covered at all. On top of that, Member States transposed the rules in a very fragmented way – often by adding obligations for new sectors or excluding some of the sectors that were meant to be covered. What changes with NIS 2 is that the list of both essential and important entities has been expanded and now covers cloud service providers, management service providers and telecom operators. Additionally (and a very important step up), public administrations are now included; they were exempted in the original law because Member States were reluctant to subject themselves to Brussels-drafted obligations.
Stricter reporting requirements and redress
With GDPR, operational and compliance professionals had already adapted their data breach notification processes to a 72-hour reporting timeframe. While the original NIS also required cybersecurity incidents to be reported, it set no legal timeframe (only “without undue delay”) and no thresholds for fines (which merely had to be “proportionate and dissuasive”). This all changes with NIS2: operators that suffer an incident must issue an early warning to their competent authority within 24 hours, submit a proper preliminary incident report within 72 hours, and a final report within 30 days. Fines can go up to EUR 10 million in the most severe cases. One provision that remains very helpful is that digital infrastructure providers (CSPs and others) can report cross-border or multi-country breaches only to the authority of the Member State where they have their main establishment in the EU.
Introduction of risk management obligations
Unlike the existing law, NIS2 requires companies and administrations to take measures to address cybersecurity risks, including incident handling (covering detection, mitigation and response to incidents), supply chain security audits, use of encrypted/secured communications, and authentication and access management tools, to name a few. Until now, the legislation laid down no operational requirement of this sort.
Next steps
The European Commission is expected to publish very soon an Implementing Act (supplemented by an Annex) on NIS2, aiming to further define technical and methodological requirements for risk management and the definition of “significant incidents”. Following a request for feedback published this summer, the final document is expected to address some of the concerns of national authorities and industry (e.g. higher thresholds for financial impact and unavailability of service, and limiting the use of confusing terms such as “reputational damage”). In terms of national transposition, only five countries, Belgium, Croatia, Hungary, Lithuania, and Latvia, will have fully transposed the directive by the deadline (17 October 2024). Most other Member States are still finalising their transposition.