New EU cyber rules: NIS2 – Proposal to update the NIS1 Directive and position of the Council

29 Mar 2021

On 6 December 2020, the EU Commission published its proposal for a revised Directive on Security of Network and Information Systems, known as the NIS2 Directive. The proposal is one of the regulatory initiatives of the EU’s Cybersecurity Strategy for the Digital Decade, published on 16 December 2020[1], which also fits within the Strategy regarding technological sovereignty and leadership.

In view of the unprecedented digitalization of recent years (which has intensified even further during the current health crisis), the EU Commission has considered it necessary to update the recently adopted NIS1 Directive in order to provide appropriate and innovative responses to this new landscape and its challenges, including for IoT, 5G and future generation mobile networks.

Security is one of the core principles relating to the processing of personal data[2]. By further improving cybersecurity, the proposal thus also further safeguards these principles. However, improved security could also pose a threat to privacy. Artificial intelligence used in early detection can, for example, potentially use large amounts of personal data such as log data or IP addresses. That is why data protection by design, as provided in art. 25 GDPR, should remain a cornerstone of every programme.

The proposal includes the following changes:

  • Expansion of the scope of the NIS1 Directive by adding new sectors based on their criticality for the economy and society, but also by introducing a size cap, meaning that only medium and large companies in selected sectors will be included in the scope, whilst retaining some flexibility for Member States to identify smaller entities with a high security risk profile, for example providers of electronic communication networks or of publicly available electronic communications services. Added sectors and services include, for instance, manufacturing of certain critical products (such as pharmaceuticals, medical devices, chemicals), postal and courier services, and digital services (such as social networking services platforms and data center services);
  • Elimination of the current distinction between (i) operators of essential services and (ii) digital service providers by exploring a new approach to classification based on the importance of the service (essential and important categories);
  • Strengthening of the security requirements for the companies subject to the rules, by imposing a risk management approach providing a minimum list of basic security elements that have to be applied, and by introducing more precise incident response reporting requirements. The proposal also lists encryption as one of the technical and organizational measures (TOMs) to ensure security (art. 18) and outlines the possibility of imposing end-to-end encryption for providers of electronic communications networks and services (recital 54);
  • Addressing cybersecurity risks in supply chains and supplier relationships e.g. by introducing more stringent supervisory measures for national authorities;
  • Introduction of more stringent supervisory measures for national authorities and stricter enforcement requirements, with the aim of harmonizing sanctions regimes across Member States;
  • Establishment of the European Cyber Crises Liaison Organization Network (EU-CyCLONE) to support coordinated management of large-scale cybersecurity incidents and crises at EU level, and increasing information sharing and cooperation between Member States' authorities; and
  • Establishment of a basic framework, with responsible actors, on coordinated vulnerability disclosure for newly discovered vulnerabilities across the EU, and creation of an EU registry of such vulnerabilities operated by ENISA.


On 22 March 2021, the Council of the EU adopted its conclusions on the EU’s cybersecurity strategy[3], which provide that cybersecurity is essential for building a resilient, green and digital Europe. In its conclusions, the Council acknowledged the importance of a comprehensive and horizontal approach to cybersecurity in the Union, while fully respecting Member States’ competences and needs. In addition, the Council encourages the Commission and the High Representative of the Union for Foreign Affairs and Security Policy to establish a detailed implementation plan with respect to the cybersecurity strategy.

Next step – The proposal for the revised Directive will be subject to negotiation between the EU Council and the EU Parliament and, once it is adopted, Member States will have 18 months to transpose the NIS2 Directive.



[2] Art. 5(1)(f) and 32 of the GDPR require both controllers and processors to ensure an appropriate level of security.