NIS-2: Where are you?
blogpost by Pieter Byttebier (International Relations Officer - CCB) - 30 April 2022.
In December 2020 the European Commission published a proposal to repeal the current NIS Directive (European Directive on Network and Information Systems) and to replace it with a new Directive: the so-called NIS-2 Directive. The NIS-2 proposal was heralded by Commissioners as a flagship initiative of the concurrently presented European Cybersecurity Strategy.
Since then the text entered the complex corridors of European law-making, and for some it has become obscure whether NIS-2 will still come, to whom it will apply, and what it exactly may oblige.
This post will give an update on the status of negotiations of NIS-2, and will outline the aspects we already know and don’t know about the upcoming Directive’s final form.
What was NIS-1 and this new proposal again?
The current NIS(-1) Directive came into effect in 2016, and was the first piece of EU-wide cybersecurity legislation. It was then transposed in national legislation, in Belgium via the NIS-Act of 7 April 2019.
NIS-1 obliges Member States to develop National Cybersecurity Strategies and to collaborate cross-border, via the NIS-Cooperation Group and CSIRT-Network. The Directive furthermore obliges Member States to identify Operators of Essential Services (OES) in at least seven key-sectors: energy, transport, banking, financial market infrastructures, healthcare, drinking water, and digital infrastructure. These operators need to take minimum security measures and report significant incidents. Also providers (above a certain size) of key digital services, such as cloud computing services, search engines and online marketplaces have to comply with these security and notification requirements.
Since 2016 the European Commission has studied the effectiveness of this Directive. They concluded that, while NIS-1 accomplished some very good things, the Directive is too limited in scope. In the last 6 years, cyberthreats have significantly increased, and so has our society and economy’s interconnectedness and dependence on the digital domain. The Commission further noted a lack of clarity on scope and competences, ineffective enforcement, too much divergence between national approaches and maturity, and overall a lack of information sharing.
To remedy all of that, the Commission proposed to expand NIS-1: to include more sectors and entities in the scope; to harmonize the rules for identifying these entities (by using a size-cap as an automatic and uniform criterium); to expand the security requirements; to make managers and boards more involved and responsible; to harmonize and strengthen penalties as well as the supervisory powers of competent authorities; to clarify incident reporting obligations (e.g. timelines, information to be included); and to strengthen supply chain security both within each entity, as on a European level. The Commission also proposed to fortify European cooperation, by strengthening the mandates of the NIS Cooperation Group and the CSIRT Network, and by formally recognizing a new platform for managing large scale, cross border cybersecurity crises. It is also proposed to create a European framework for Coordinated Vulnerability Disclosure.
What happened with the proposal, and what is the timeline?
Shortly after the NIS-2 proposal was launched, the European Parliament (led by NIS-Rapporteur MEP Bart Groothuis – Renew) and the European Council (led by the Council Presidencies: Portugal (January-June 2021), Slovenia (July-December 2021) and currently France (January-June 2022)) started to work on amendments to the text, in order to each craft a version of NIS-2 they would find acceptable.
After many internal negotiations, these discussions led to two amended versions of the NIS-2 proposal:
- The Parliament Position, adopted on 4 November 2021
- The Council General Approach, adopted on 3 December 2021
So, together with the original Commission proposal, there are now three versions of NIS-2 out in the wild. However, it is important to stress that none of them are the Directive’s final form.
In January 2022 the Council and the Parliament, assisted by the Commission, started the so-called ‘trialogues’. These are technical and political negotiations, through which the co-legislators try to find an acceptable unified single form of these three text versions – a compromise, which can then be submitted to the Council and Parliament for final approval.
All negotiators are ambitious to adopt a text as soon as possible. The French Presidency has said that it wants to have a political agreement by early June 2022. Taking into account the official translations, voting and publication, the Directive is thereby expected to be officially published in the fall.
Member States will then have 18 to 24 months (the exact timeline is still being debated) to transpose the Directive into national legislation. We can therefore probably expect a new Belgian NIS-Act somewhere in the course of 2024. Obligations on organizations in Belgium will realistically thus take effect by early 2025 – depending on what will be in the Belgian Act.
We should conclude two things from this timeline:
- Until there is a new Belgian NIS-2 Act, all obligations under NIS-1 remain active.
- You should not wait until 2025 to already make your organization more cybersecure. Cybersecurity is not a compliance obligation, but a vital aspect in protecting your business. The NIS laws are merely meant to give us as a society a way to ensure that entities who offer services that are essential to our economy and way of life, are taking at least certain minimal measures to protect their services (and thus us) against significant disruptions.
What did Council and Parliament think of NIS-2?
Overall, the Parliament and Council welcomed the NIS-2 proposal, and they mostly differ in opinion on a few major issues.
Most important is the scope: the Parliament wants to be ambitious with a large and uniform scope, while the Council focusses on a risk-based, proportionate and differentiated approach, both for entities and their supervising authorities, fearing an excessive burden on businesses and authorities with a significant increase of entities in scope. (The CCB indeed estimates a possible twenty to fortyfold increase between NIS-1 and NIS-2 of number of entities in scope). Still, both co-legislators also introduced new sectors to their versions. The Parliament also followed the Commission in wishing to include Public Administrations. The Council agreed, but introduced specific rules on implementation, given issues of e.g. national security and different national state structures.
The Council in turn wants incidents to be notified within 24h at the latest, but the Parliament prefers 72h, except when availability is affected: then it would be also 24h. The Parliament also wants countries to set up single notification platforms that also cover notifications on the basis of other laws (such as GDPR), while the Council wants to keep this merely as a possibility for nations to decide.
To make NIS-2 future-proof, the Commission would also receive powers to later lay down specific or harmonized rules on things like detailed security measures or incident notification. Council and Parliament voiced different views on the extent of these Commission powers, and whether they should be Delegated or Implementing Acts (an important procedural difference, see the link for more details).
The Council did also not like the proposed system of Peer Reviews, and preferred countries learning from each other rather than inspecting one another, as the Commission and Parliament want.
This last aspect touches on a key political point underlying many other differences: cybersecurity, like all security, is still essentially a national competency. Yet Europe does hold competence over the single Market, which is dependent on cybersecurity. What balance will co-legislators establish?
What key-aspects do we already know now?
So, finally, let’s dive into some technical details of the three texts, and identify some key points on which Parliament and Council already or not yet agree.
A small disclaimer before we do: nothing is certain until the final text is voted and published. The explanations below do not constitute any binding guidance, but only provide personal insights in some likely upcoming conditions. Only the final text will state the exact obligations.
1. Will NIS-2 apply to you?
Parliament and Council both more or less agree on the sectors to be included in NIS-2. Apart from discussions on proposed extra sectors such as research institutions, fast-charging stations, and managed (security) service providers, or debates on the special sector of Public Administrations, it is clear that all the following sectors will be included: Energy (electricity, oil, gas, district heating and hydrogen), Transport (air, rail, water and road), Banking, Financial market infrastructures, healthcare (including labs and research on pharmaceuticals and medical devices), Drinking water, Waste water (but only if it is a main activity), Digital Infrastructures (Telecom, DNS, TLD, data centres, trust services, cloud services), digital services (search engines, online markets, social networks), Space, Postal and courier services, Waste management, Chemicals (production and distribution), Food (Production, processing and distribution) and manufacturing (specifically, but not limited to, medical, computer, and transport equipment). For a detailed list of these sectors and the type of operators intended, see the annexes to any of the three proposals, to which you can find by clicking the links above.
If an entity has an activity in any of these sectors, and if that entity has (during its last two book years) more than 50 employees or more than 10million euro’s annual turnover (so large or medium enterprises) then the entity will have to abide by the Directive’s rules.
More precise: entities will have to abide by the rules of the Member States in which they have an establishment. For some digital sectors, however, a one-stop-shop regime is introduced: entities will only fall under the rules of one country, where they have their ‘main establishment’ (but that country can ask other Member States to help with supervision on their own territory). The European Agency for cybersecurity (ENISA) will also hold a registry for these one-stop-shoppers, to avoid blind spots.
These are the main lines, but some details and exceptions will make it more complex. For instance, in some specific (sub)sectors, especially digital infrastructures, size will not matter and all entities in the sector will be in scope. Member States will also be able to identify entities, regardless of size, if these are deemed critical for societal or economic functions.
Given all this complexity and the very large number of expected new entities, the European co-legislators proposed that Member States should establish an overview of entities, for instance via a national self-registration platform, in which basic information will need to be provided.
Discussion is still open, however, on the categories in which the entities will be placed: essential entities or important entities. The difference would be mostly that essential entities could be more strictly inspected and could be subject to higher penalties. The Commission and Parliament want to divide these categories by sector: all the entities active in sectors in Annex I would be essential; entities active in sectors in Annex II would be important. The Council, on the other hand, wants to proportionally differentiate also within sectors. For them, only the large entities (so more than 250 employees or €50 million annual turnover) of the sectors in Annex I would be essential. The Mediums of Annex I and all those of Annex II would be important. Some digital sectors would be all essential, regardless of size, and Member States will always be able to classify entities to a higher category.
2. What if there is other legislation for my sector?
All parties want NIS-2 to be a baseline legislation. If a legislation came out that is stricter than NIS-2 on cybersecurity issues, for instance in a specific sector, then that sectoral legislation would take precedence, but only on the issues on which they are indeed stricter and only for its own scope. This will be the case, for instance, for the DORA Regulation on the Financial Sector. The Commission will give guidance on when a legislation is stricter, and authorities will have to work together. If there are no specific sectoral cybersecurity laws, then the big-tent NIS-2 rules are there as a baseline.
On the other hand, certain cybersecurity provisions on the Telecom Sector and Trust services, now covered in the Telecom code and eIDAS Regulation, will be moved to the NIS framework.
If an entity would also be identified as a Critical Entity, according to the new upcoming Critical Infrastructure Directive (CER, which focusses on non-cyber security), then it will automatically also be in the scope of NIS-2 for cybersecurity.
3. What measures will entities have to take?
All entities will have to make risk analyses on the potential and impact of incidents, and then implement organizational and technical measures proportionate to this risk.
NIS2 would not be more precise than stipulating (see article 18) that entities should have incident handling plans, business continuity and crisis management plans, policies and procedures to assess the effectiveness of these measures, policies on the use of cryptography, human resource security, the use of appropriate authentication systems, and supply chain management.
Crucial is also that the management of entities will explicitly have to approve all of these measures and follow basic cybersecurity training.
Once the final text is there, it will be up to Member States to issue specific guidelines or rules on more detailed standards to be followed. There is indeed still debate between Parliament and Council on what proportionality of measures would entail in practice.
The European Commission might also be empowered to issue more specific rules on these measures, at least for some digital sectors, though as said, there is still discussion on the extent of these powers.
The Commission and Member States will also be able to make coordinated assessments on the risk of certain products or services.
Repeating the existing possibilities of the Cybersecurity Act, Member States and the EU will also be able to oblige specific certification in certain sectors for certain products, services or processes, to prove or ensure compliance with NIS-2. At this stage, however, no EU certification schemes have been fully set up, so they can also not be made obligatory yet. Three schemes are in the making: on Common Criteria (products), Cloud Computing, and 5G. Before these voluntary schemes would be made obligatory, there will be large consultations of stakeholders and Member States on the possible impacts, deadlines, cost, and available alternatives of these mandatory certifications.
Apart from all that, entities will have to notify significant cybersecurity incidents (but not threats, as the Commission initially proposed). Thresholds for what ‘significant incident’ would mean have not (yet) been defined. It is clear, nevertheless, that entities will have to notify incidents as soon as possible, and later follow up with a more substantial report, followed by a final report either one month after the incident, or when it has been closed.
4. What will the sanctions be like?
Member States will have to appoint competent authorities and give them the powers to inspect, demand (targeted) audits or security scans and request information, to ensure that entities follow all these obligations. Essential entities will be subject to stricter supervision (including the possibility to have regular audits or request evidence of implementation).
Authorities should also be empowered to issue warnings and binding instructions. If entities do not comply with these, authorities should be able to impose deadlines, revoke certifications, and levy administrative fines or penalties. These fines should, however, always be dissuasive, effective and proportionate. Member States should set the maximum fines, but Parliament and Council still disagree on the exact amount. It will be, in any case, at the very least a maximum of €2million or 1% of global turnover. The co-legislators did agree, however, that authorities should not be made able to make public statements identifying persons responsible for non-compliances.
On all details of these provisions, see articles 28-34.
To conclude, NIS-2 is on its way and in the next couple of weeks many things will be decided on the European basic structure. Then it will be up to Member States to give specific form to the obligations, and, if they so wish, to go beyond. The intent is to build on NIS-1 and to extend what we have built up in the last three years. Until that time, it is already a good idea to start improving your organization’s basic or extended cybersecurity measures. None of these efforts will be a lost investment.