“If you can’t measure it, you can’t manage it.” Peter Drucker
The Directive on Security of Network and Information Systems across the EU (NIS Directive), the first piece of EU-wide legislation on cybersecurity, was adopted in 2016. Since, the threat landscape has changed considerably, and it has become necessary to further enlarge the scope of the directive to other critical sectors and services that are not covered by sector-specific legislation, and establish a common set of criteria to ensure a harmonised process of OES (operators of essential services) identification.
The scope of the NIS Directive is too limited in terms of the sectors covered, and can no longer reflect the pace of digitalisation and the higher degree of interconnectedness of recent years, resulting in a number of digitalised sectors providing key services to the economy and society as a whole.
The NIS Directive gave Member States broad discretion when laying down security and incident reporting requirements for OESs, which produced significantly different obligations in the different states. This creates additional burden for companies that are operating in more than one EU country.
The NIS Directive could not reach its goal in creating a platform for information sharing between the Member States. This negatively influences the effectiveness of the cybersecurity measures and the level of joint situational awareness at EU level.
Conceding the above shortcomings, the Commission presented on 16. December 2020 a proposal for a directive on measures for a high common level of cybersecurity across the Union (NIS2), which would repeal and replace the existing NIS Directive (NIS1)
The NIS2 proposes to expand the scope of the directive, obliging more entities and sectors to take measures (Figure 1), and it would assist in increasing the level of cybersecurity in Europe.
@ European Union, 2020
Figure 1: Sectors covered by the NIS Directive
NIS2 would also introduce a size-cap rule for determining which entities meet the criteria to qualify as operators of essential services and important entities. This means that all medium-sized and large entities operating within the sectors covered by the directive or providing services covered by the directive would fall within its scope.
In addition, it proposes a two-stage approach to incident reporting. Affected companies have 24 hours from when they first become aware of an incident to submit an initial report, followed by a final report no later than one month later.
Regarding enforcement, it establishes a minimum list of administrative sanctions whenever entities breach the rules regarding cybersecurity risk management or their reporting obligations laid down in the NIS Directive. There are different fines depending on an organisation’s type and size. For example, if an organisation violates the NIS2, it will face fines of 10 million EUR or 2% of the organisation’s gross annual global revenue. Additionally, the leadership of non-compliant organisations can be held personally responsible for the NIS2 breach.
Compared to the initial proposal for NIS2, in its report of 28. October 2021, the Committee on Industry, Research and Energy Council (ITRE) of the European Parliament proposed the simplification of the incident-reporting obligations, to avoid over-reporting. It also extended the period for Member States to transpose NIS2 into national law to 21 months, instead of 18 months.
The report also calls for tighter cybersecurity obligations in terms of risk management, reporting obligations and information sharing, but it aims to lower the administrative burden and improve cybersecurity incident reporting. The reporting obligations have been simplified and streamlined to give entities more time to report than the initial 24 hours proposed by the Commission.
As demanded by the Council, the directive would not apply to entities carrying out activities in areas such as defence and national security, public security, law enforcement and the judiciary. Parliaments and central banks are also excluded from the scope. However, as demanded by the Parliament it will apply to public administration entities at central and regional level.
The Commission announced the political agreement reached on 13. May 2022 between the European Parliament and European Union member states on the NIS2 Directive. It is expected this fall (fall of 2022) that both the Council and the Parliament will formally adopt the NIS2 text, which is the condition for the draft legislation to become EU law. Once the legislation is in force, EU Member States will have 21 months to implement it.