The European Commission adopted on Thursday the initial implementing rules on cybersecurity of critical entities and networks under the Directive on measures for a high common level of cybersecurity across the Union. The NIS2 Directive addresses cybersecurity risk management measures and cases in which an incident should be considered significant and companies providing digital infrastructures and services should report it to national authorities. The move is seen as another major step in boosting the cyber resilience of Europe’s critical digital infrastructure.
The implementing regulation will apply to specific categories of companies providing digital services, such as cloud computing service providers, data center service providers, online marketplaces, online search engines, and social networking platforms, to name a few. For each category of service providers, the implementing act also specifies when an incident is considered significant.
Adopting the implementing regulation coincides with the deadline for Member States to transpose the NIS2 Directive into national law. As of Oct. 18, 2024, all Member States must apply the measures necessary to comply with the NIS2 cybersecurity rules, including supervisory and enforcement measures. The implementing regulation will be published in the Official Journal in due course and enter into force 20 days thereafter.
The regulation lays down the technical and methodological requirements of the measures referred to in NIS2 with regard to DNS service providers, TLD name registries, cloud computing service providers, data center service providers, content delivery network providers, managed service providers, managed security service providers, providers of online marketplaces, of online search engines and of social networking services platforms, and trust service providers.
The NIS2 Directive aims to address the deficiencies of the previous rules, adapt them to current needs, and make them future-proof. To this end, the Directive expands the scope of the previous rules by adding new sectors based on their degree of digitalization and interconnectedness and how crucial they are for the economy and society, and by introducing a clear size threshold rule, meaning that all medium and large-sized companies in selected sectors will be included in the scope. At the same time, it leaves certain discretion to the Member States to identify smaller entities with a high security risk profile that should also be covered by the obligations of the new Directive.
The new Directive also eliminates the distinction between operators of essential services and digital service providers. Entities would be classified based on their importance and divided into two categories: essential and important entities, which will be subjected to different supervisory regimes. It strengthens and streamlines security and reporting requirements for companies by imposing a risk management approach, which provides a minimum list of basic security elements that have to be applied. The new Directive introduces more precise provisions on the process for incident reporting, the content of the reports, and timelines.
Furthermore, NIS2 addresses the security of supply chains and supplier relationships by requiring individual companies to address cybersecurity risks in the supply chains and supplier relationships.
At the European level, the NIS2 Directive strengthens supply chain cybersecurity for key information and communication technologies. Member States, in cooperation with the Commission and ENISA (European Network and Information Security Agency), may carry out Union-level coordinated security risk assessments of critical supply chains, building on the successful approach taken in the context of the Commission Recommendation on Cybersecurity of 5G networks.
The Directive introduces more stringent supervisory measures for national authorities, and stricter enforcement requirements, with the aim of harmonizing sanctions regimes across Member States. It also enhances the role of the Cooperation Group in shaping strategic policy decisions and increases information sharing and cooperation between Member State authorities. It also enhances operational cooperation within the CSIRT network and establishes the European cyber crisis liaison organization network (EU-CyCLONe) to support the coordinated management of large-scale cybersecurity incidents and crises.
NIS2 also establishes a basic framework with responsible key actors on coordinated vulnerability disclosure for newly discovered vulnerabilities across the EU and creates an EU vulnerability database for publicly known vulnerabilities in ICT products and ICT services, to be operated and maintained by ENISA.
The evaluation of the current rules on security and incident reporting requirements has shown that in some cases Member States have implemented these requirements in significantly different ways. This has created an additional burden for companies operating in more than one Member State. Furthermore, when it comes to cybersecurity requirements we want to be sure that all companies address the necessary core set of elements in their cybersecurity risk management policies.
For this reason, the NIS2 Directive includes a list of 10 key elements that companies have to address or implement as part of the measures they take, including incident handling, supply chain security, vulnerability handling and disclosure, the use of cryptography, and where appropriate, encryption.
When it comes to incident reporting, the European Commission outlines that “we need to strike the right balance between the need for swift reporting in order to avoid the potential spread of incidents, and the need for in-depth reporting to draw valuable lessons learned from individual incidents.”
The new Directive foresees a multiple-stage approach to incident reporting. Affected companies have 24 hours from when they first become aware of an incident to submit an early warning to the CSIRT or competent national authority, which would also allow them to seek assistance (guidance or operational advice on implementing possible mitigation measures) if they request it. The early warning should be followed by an incident notification within 72 hours of becoming aware of the incident and a final report no later than one month later.
The NIS Directive puts supervision and enforcement at the heart of the tasks of the competent authorities and sets a coherent framework for all supervisory and enforcement activities across Member States. In order to strengthen the supervision that helps ensure effective compliance, NIS2 provides for a minimum list of supervisory means through which competent authorities may supervise essential and important entities. These include regular and targeted audits, on-site and off-site checks, requests for information, and access to documents or evidence.
In addition, the NIS2 Directive establishes a differentiation of supervisory regimes between essential and important entities, with a view to ensuring a fair balance of obligations for both entities and competent authorities.
As regards enforcement, so far there has been an overall reluctance across Member States to apply penalties to entities failing to put in place security measures or report incidents. This can have negative consequences for the cyber resilience of entities. In order to make enforcement effective, the new Directive sets up a consistent framework for sanctions across the Union. It therefore establishes a minimum list of administrative sanctions for breach of the cybersecurity risk management and reporting obligations laid down in the NIS2 Directive.
These sanctions include binding instructions, orders to implement the recommendations of a security audit, orders to bring security measures in line with NIS requirements, and administrative fines. In relation to administrative fines, the new NIS Directive distinguishes between essential and important entities. Concerning essential entities, it requires Member States to provide for a certain level of administrative fines, notably a maximum of at least €10,000,000 or 2 percent of the total worldwide annual turnover of the preceding financial year, whichever is higher. In the case of important entities, NIS2 requires Member States to provide for a maximum fine of at least €7,000,000 or at least 1.4 percent of the total worldwide annual turnover of the preceding financial year, whichever is higher.
When exercising their enforcement powers, competent authorities should give due regard to the particular circumstances of each case, such as the nature, gravity, and duration of the infringement, the damage caused or losses incurred, and the intentional or negligent character of the infringement. To ensure real accountability for the cybersecurity measures at the organizational level, NIS2 introduces provisions on the liability of natural persons holding senior management positions in the entities falling within the scope of the new NIS Directive.
The NIS2 Directive is linked with two other initiatives, the Critical Entities Resilience (CER) Directive and the Regulation for the Digital Operational Resilience for the financial sector (Digital Operational Resilience Act, DORA).
The NIS2 and CER Directives are aligned to address both physical and cyber resilience of critical entities. Entities identified under CER will also follow NIS2 cybersecurity obligations. National authorities under both directives must cooperate, sharing information on risks and threats regularly.
The NIS2 Cooperation Group and CER Resilience Group will meet at least annually. In the financial sector, NIS2 includes credit institutions and trading operators, but DORA will handle cybersecurity risk management for these entities. DORA allows financial authorities to join NIS Cooperation Group discussions and share information with NIS2 contacts and CSIRTs. Financial sectors should remain part of national cybersecurity strategies.
Member States will have to transpose the Directive by Oct. 17, 2024 (21 months from the entry into force of NIS2). The Commission then has to periodically review the functioning of the Directive and report on this for the first time by Oct. 17, 2027, to the Parliament and to the Council.