The Influence of the NIS2 Directive In and Outside of the EU

Author: Anna Vladimirova-Kryukova, Certified Data Protection Officer, CIPP/E, CSX Cybersecurity Fundamentals Certificate, COBALT, Latvia
Date Published: 10 November 2021

Recent years have been active for legislators all over the world when it comes to cybersecurity and privacy regulation. The European Union (EU) has been increasing its legislative pace, especially due to the digitalization caused by the pandemic. One EU cybersecurity document, NIS Directive No. 2016/1148 concerning measures for a high common level of security of network and information systems across the Union, was adopted in 2016, and there are already plans to update it by replacing it with the NIS2 Directive.

What changes are suggested by the NIS2 Directive?
The NIS2 Directive is intended to introduce the following changes:

  • Penalties of up to €10 million or 2 percent of the entity’s total turnover worldwide for not complying with the reporting and/or cybersecurity risk management measures
  • A wider scope of entities subject to the reporting and cybersecurity risk measures requirements, such as:
    • District and hydrogen energy sector services
    • Laboratories, entities carrying out research and development activities of medicinal products, manufacturers of basic pharmaceutical products and preparations, and manufacturers of critical medical devices
    • Waste water collection, disposal or treatment
    • Data centres, content delivery networks, trust service providers
    • Providers of public electronic communications networks
    • Public administration entities
    • Space-based service providers
    • Social networking platforms
    • Postal and courier services
    • Waste management
    • Manufacture, production and distribution of chemicals
    • Food production, processing and distribution
    • Manufacturing (medical and in vitro devices, computer and electronic and optical products, electrical equipment, machinery and equipment, motor vehicles, trailers and semi-trailers, other transport)
  • Provision of a more specific list of required security elements, such as risk analysis and information system security policies; incident handling; business continuity and crisis management; supply chain security; security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure; policies and procedures (testing and auditing) to assess the effectiveness of cybersecurity risk management; cryptography and encryption
  • Notification of recipients of the services on incidents in certain cases
  • Requirements for the security of critical supply chains
  • Regulation of vulnerability disclosure process
  • Stricter supervisory measures for the EU countries’ authorities

Is there any impact on non-EU countries?
Whether the NIS and NIS2 directives apply to organizations located outside the EU depends on how those organizations are classified. The comparison can be seen below:

Comparison of the NIS Directive and the NIS2 Directive

Operators of essential services
  NIS Directive: Even if an entity is not in the EU, it is subject to NIS Directive requirements if it provides services in the EU.

Digital services providers
  NIS Directive: A service provider is subject to the NIS Directive if it has its head office in the EU.

General provisions for specific service providers of both categories
  NIS2 Directive: DNS, TLD name registries, cloud computing, data centre service providers and content delivery network providers are subject to the requirements of the NIS2 Directive if they have their cybersecurity decision-making point in the EU. If such decisions are not taken in the EU, the main establishment is considered to be in the member state with the highest number of employees in the EU.
  It is not yet clear whether the same logic can be applied to essential services providers under NIS2, as is the case under the NIS Directive.

Legislators are currently amending the text of NIS2, which is expected to be finalized sometime after the second half of 2022. Countries will then have a period to transpose its requirements into national legislation (possibly a couple of years, but the precise duration is still to be agreed). Although the NIS2 Directive is still a proposal, it is already possible to see that a wider scope of EU and non-EU entities will have to ensure their compliance with more unified cybersecurity requirements.