Author: Gergana Hristova, Atanas Kirov; Legal experts at Law and Internet Foundation
The pioneering European Union legislation in the field of cybersecurity is a Directive known as the ‘NIS Directive’. It was adopted by the European Parliament on 6th July 2016, entered into force in May 2018, and the Member States were given approximately two years to transpose it into their national laws. It has improved the level of cybersecurity within the borders of the Union by requiring Member States to adopt national cybersecurity strategies and appoint dedicated cybersecurity authorities. Furthermore, it has contributed to successful cooperation between the Member States by establishing the prerequisites for the exchange of information and for cyber resilience.
The digital economy is the fastest developing sector, growing more than two times quicker than the rest of the sectors. The outbreak of COVID-19 has led to a rapid increase in the level of societal digitisation. Due to the impossibility of physical meetings and contacts, online connections have become the main option for maintaining social relations as much as professional ones. In this context, the EU-funded project GUARD is a 36-month project aimed at the dynamic countering of cyber-attacks. As evolving business models progressively reshape the scope and structure of ICT services, additional security and privacy concerns arise that have not yet been addressed in a satisfactory way. Tackling conflicting trends in the cybersecurity market, GUARD develops an open and extensible platform for advanced assurance and protection of trustworthy and reliable business chains spanning multiple administrative domains and heterogeneous infrastructures.
One of the mechanisms established by the NIS Directive (in particular the provision of Article 23) requires the Commission to review the Directive and its application across the EU. The most recent review of this piece of legislation was presented on 16th December 2020. One of the main priorities taken into consideration by the review was that actions in the domain of cybersecurity have to be directed towards making ‘Europe fit for the digital age’. Despite the progress made under the current NIS Directive, the level of cybersecurity capabilities in the EU countries has remained unequal, a disparity that has been exacerbated by the unstable situation in the world. Therefore, the outcomes of the review have led to the conclusion that the only way of dealing with these problems is through the creation of an entirely new directive.
The proposal for the new NIS 2 Directive outlines that ‘Cybersecurity is a priority in the Commission’s response to the COVID-19 crisis’. Therefore, one of the reasons for the proposed adjustments, according to the European Commission, is the fact that the previous Directive does not provide adequate protection to European citizens under the changing circumstances. Its progress until now is undeniable, but there is still a long way to go in order to meet the new level of development. For example, the transition to online working and communication has been much easier in the sectors that were already digitised. However, governmental and social services have experienced a quite difficult transformation, and not an entirely secure one, as the results of the review assessment have shown. Furthermore, these types of services work with especially sensitive data, so this transition bears significant risks. With a view to improving this, the proposal outlines several weaknesses that prevent the Directive from reaching its full potential.
The review’s assessment shows that the level of cybersecurity of businesses in the EU is low and inconsistent across the different sectors. The level of joint situational awareness and joint crisis response is also significantly low. An example of such an issue mentioned in the review is the fact that hospitals in some Member States do not have to comply with the NIS Directive, while in other Member States all health institutions fall under its scope. The supervision and enforcement of the previous Directive have also proven ineffective due to the reluctance to impose penalties, even though there have been a number of breaches and instances of non-compliance with the requirements. Accordingly, the review presented a proposal for a new directive – the NIS 2 Directive – that will consist of new requirements and improvements so that the EU rules in the area of cybersecurity can properly fit the developments of the digital sphere and keep pace with the speed of development of technology systems.
The consultation document, which is a report that aims to inform citizens and stakeholders about the Commission’s work on a particular topic so that they can effectively participate in future consultation activities, states that the review is supposed to assess the ‘level of security of network and information systems in the Member States’. Furthermore, the Better Regulation Guidelines outline that the review should evaluate the ‘effectiveness, efficiency, coherence, relevance and EU added value of the NIS Directive taking into account the constantly evolving technological and threat landscape’. The focus was put on the mitigation of risks to the national security systems that provide essential services in different fields. The consultation document also states that the review identifies and calculates the direct and indirect regulatory costs and benefits that come with the implementation of the Directive. This includes the costs incurred in the period since its implementation in May 2018.
Therefore, the review has responded to these issues by presenting a proposal for a new NIS 2 Directive that includes new suggestions and amendments for the improvement of the current legislation as well as its modernisation in line with the new developments in the technology field. Part of these changes is the new set of requirements on "essential" and "important" service providers in critical sectors, including reporting cyberattacks, imposing stricter security policies, analysing the security of suppliers and the usage of encryption in modern technology systems. There will be no distinction between operators of essential services and digital service providers; instead, the classification will be based on their importance, and the two categories will be subject to different supervisory regimes. Some of the operators that fall under the definition of ‘essential’ service providers are the distribution and transmission system operators of electricity, suppliers of electricity, airport managing bodies, traffic management control operators, infrastructure managers, healthcare providers, suppliers and distributors of water, etc. The definition of ‘important’ service providers covers postal service providers, undertakings carrying out the manufacture, production and distribution of substances, providers of online marketplaces, manufacturers of computer, electronic and optical products, manufacturers of transport equipment and many more.
Furthermore, the proposal introduces a clear size cap, which means that all large and medium companies in certain sectors will be bound by the new Directive. Small businesses will have the opportunity to identify for themselves whether they also fall into the group of companies with a high level of security risk. This shows how much wider the scope of the new NIS 2 Directive is, as it would cover more areas than the one currently in force and takes into consideration the most vulnerable but essential service providers. The Member States, in cooperation with the European Commission and the European Union Agency for Cybersecurity (ENISA), will conduct risk assessments of critical supply chains as well as require individual companies to address cybersecurity risks in supply chains and supplier relationships. A basic framework would be established for the coordinated disclosure of newly discovered vulnerabilities across the EU, and an EU registry would be created. Another part of the proposed measures is the imposition of fines upon institutions that do not comply with the requirements. They can go up to 10 million Euro or even higher depending on the seriousness of the breach or non-compliance with the requirements of the Directive. The ultimate goal is that these fines would compel stakeholders to comply with the law and therefore fulfil the objectives of the new Directive. Consequently, the outcome would also consist of mitigating potential losses due to disruptions caused by cyberattacks, including industrial espionage, reducing budgetary expenses for emergencies related to cyberattacks, as well as reducing the loss of income suffered by the general public due to economic disruption.
One major step forward in the improvement of cybersecurity across the EU is that the proposal for the new NIS 2 Directive is closely aligned with the proposal for the Critical Entities Resilience Directive. It would enhance the effect of the NIS 2 Directive by imposing new security requirements on companies that provide essential services. The approach taken to achieve this will be that the competent authorities under the scope of both Directives will take additional measures and exchange information concerning cyber and non-cyber resilience. The focus will be especially on critical operators in the ‘essential’ sectors, since they process a large amount of sensitive data. That way their physical infrastructure will be protected against hacker attacks and breaches by unauthorised parties.
Another major point mentioned in the review is the new Strategy on Cybersecurity, which will improve security in the European Union and implement a coherent approach in all Member States regarding the global Internet and its risks. Furthermore, it is also supposed to support cooperation and the exchange of information between industries while improving the security mechanisms in their infrastructure. It is an attempt to ‘simplify and harmonise’ the requirements for EU companies, regardless of size, but also to make them ‘flexible and future-proof’ so that they can be adapted to the development of technologies. This is a particularly important feature, since the previous NIS Directive entered into force relatively recently and has become outdated too soon due to the fast evolution of technologies.
These proposals made by the European Commission and presented on 16th December 2020 need to be approved by the national governments in the Council of the EU and by the European Parliament before they become official and enforceable. However, there are some concerns, such as the possibility that the suggestions will not be easily approved, since the previous NIS Directive had taken approximately three years to be accepted and enforced. Once the new Directive is adopted, the Member States will have 18 months to implement the new legislation into their national laws, and the next review of the new Directive is scheduled for 54 months after it enters into force. When the NIS 2 Directive becomes enforceable together with the Critical Entities Resilience Directive and the new Strategy on Cybersecurity, they would supposedly create a coherent approach in EU law regarding cybersecurity as well as improve the cooperation and exchange of information and practices among the Member States. Therefore, the ultimate result is expected to be a much better response in emergency situations and deterrence of the risks that accompany the convenient services that the Internet offers. The systematic and structured changes to the NIS Directive that have been presented aim to cover a wider range of economic sectors in the Union, including both small and big businesses. This way a shared responsibility will be established between the different types of stakeholders, along with a united approach towards cyberattacks.
The contents of this publication elaborated under the GUARD project are the sole responsibility of the authors and can in no way be taken to reflect the views of the European Commission. GUARD has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No 833456.