On 16 January 2023, the Network and Information Systems 2 (NIS2) Directive of 2022 came into force, repealing and replacing the 2016 Directive on the security of Network and Information Systems (NIS). Rapid digital transformation has increased the interconnectedness of societies, and with it the magnitude and frequency of digitally-induced threats, calling for more advanced protective measures. The new Directive aims to improve the current cyber security landscape across the European Union (EU) and to overcome the shortcomings of the former Directive, in particular its ineffectiveness in addressing existing and emerging cybersecurity challenges. It provides the legal measures needed to achieve a high common level of cyber security across the region.
The NIS Directive was the first horizontal internal market instrument focused on improving EU resilience against cybersecurity threats and making Europe fit for the digital age. The periodic review required under Article 23 of the NIS Directive found wide divergence in how the EU Member States implemented its security and incident reporting obligations. Member States' capabilities to respond effectively to cyber risks, including cross-border incidents, remained insufficient and uneven. Left unaddressed, this would leave some Member States more vulnerable to cyber threats, with potential spill-over effects across the Union. The evaluation highlighted the need to (i) broaden the scope of the Directive by including additional essential sectors and sub-sectors; (ii) enhance harmonisation of the national legal frameworks on security matters; and (iii) bring additional digital service providers (DSPs) into scope, among other changes. The NIS2 Directive entered into force to achieve a genuine level playing field.
The NIS2 Directive addresses the shortcomings of the previous instrument. To eliminate divergences in national implementation, NIS2 lays down rules for a coordinated regulatory framework: it establishes effective cooperation mechanisms among the responsible authorities in each Member State, provides enforcement measures and remedies, and expands the list of activities and sectors subject to cybersecurity obligations. The Directive classifies the entities subject to its cybersecurity risk-management measures into two categories, "essential" entities (outlined in Annex I) and "important" entities (outlined in Annex II), depending on how critical they are in terms of their sector, size, and the service they provide. This classification replaces the former Directive's distinction between operators of essential services and digital service providers, which had left gaps; entities identified as operators of essential services under the 2016 Directive are regarded as essential entities.
The incident reporting requirements have also been amended. Under the new reporting obligations, essential and important entities must notify the computer security incident response team (CSIRT) or the competent authority of one of the Member States when a significant incident occurs. This must be done without undue delay: an initial notification is due within 24 hours of becoming aware of the significant incident and should primarily indicate the suspected cause and whether the incident has cross-border effects. The notification must be updated within 72 hours of becoming aware of the incident, indicating its severity and the indicators of compromise (where available). A final report is due no later than one month after the notification and must include a description of the incident, its root cause, the mitigation measures applied, and its cross-border impacts.
Under Article 20 of the Directive, Member States must ensure that the management bodies of essential and important entities bear responsibility for cybersecurity. Their responsibilities include approving the entity's cybersecurity risk-management measures, overseeing their implementation, and offering regular training to employees so that they can identify risks and assess cybersecurity practices. The Directive also provides for strict enforcement measures. Under Article 32, competent authorities may set a deadline by which an essential entity must take the necessary action or comply with their requirements. If the entity fails to do so within that deadline, the competent authority may temporarily suspend a certification or authorisation for the relevant services or activities provided by the entity. Alternatively, the competent authority may request a court or tribunal to temporarily prohibit the person responsible at legal representative or chief executive officer level from exercising managerial functions. Such suspensions and prohibitions apply until the entity takes the required action.
Article 34 sets out the administrative fines that may be imposed on essential and important entities. The NIS2 Directive permits Member States to fine essential entities at least € 10,000,000 or a maximum of 2% of their total worldwide annual turnover in the previous financial year, whichever is higher. Important entities are subject to fines of at least € 7,000,000 or a maximum of 1.4% of their total worldwide annual turnover in the previous financial year, whichever is higher. Member States may also impose periodic penalty payments to compel either category of entity to cease an infringement of the Directive. All fines imposed must be effective, proportionate and dissuasive.
The expansion of the cyber threat landscape has brought a myriad of new challenges that require a coordinated, advanced and innovative response from digitally-equipped countries. The EU has adopted new measures to protect the functioning of its network and information systems. The introduction of essential and important entities, comprehensive coverage of the services and sectors that matter most to economic and societal activity, clearly defined obligations for Member States, entities and other concerned authorities, a clear and consistent enforcement framework, and higher fines and penalties are among the major additions in the EU's latest Directive, in force since 2023.