The cybersecurity landscape is ever-evolving, with legislation and regulation more often than not lagging behind in the technology race. It shouldn’t come as a surprise then that the European Commission is already proposing a revised version of its NIS Directive, no sooner than the original has been adopted by the EU’s different Member States.
As I explained in an earlier blog post, the EU’s Directive on Security of Network and Information Systems (NIS) is basically the first cybersecurity law to impose a number of relevant obligations both on the EU and on its Member States. The objective of those obligations is to prevent cybercriminals from disturbing not only economic activities but also essential services such as water supply, energy, transport, health, banking, finance, digital infrastructure and digital service providers. To learn more about the security obligations of that original Directive, check out this post from last year.
Future-proofing the law
Sure enough, in its short span of existence, the EU’s NIS Directive has already yielded some positive effects and results. It instigated a real change in mindset, to begin with, as Member States were forced to rethink their approach to cybersecurity.
But with a digital landscape and therefore also a threat landscape that keeps evolving rapidly, those efforts did not nearly seem sufficient. Especially since last year’s COVID-19 crisis also started adding to the already expanding cyberthreat landscape, as organised crime gangs, too, felt increasingly forced to migrate their activities online. Starved of their ‘normal’ or usual money-making schemes, they turned to phishing campaigns and ransomware attacks instead.
This worrying trend led to the conclusion that more or better adapted and innovative responses to cyberthreats were called for. The European Commission decided to address that challenge and make the NIS Directive more future-proof.
What is the European Commission proposing?
By now an impact assessment has been carried out. And at the end of last year, a revised Directive, NIS2, was proposed in light of and along with the new EU Cybersecurity Strategy. Let’s have a quick look at what this NIS2 Directive enforces, compared to the original NIS Directive.
Expanded scope: more sectors covered 
The proposal expands the scope of the current NIS Directive. This is done by adding new sectors based on their criticality for the economy and society as a whole.
On top of that, there will no longer be a distinction between operators of essential services (OES) and digital service providers (DSP). Instead, entities will be classified based on their importance and divided in either essential or important categories.
More capabilities
The proposal introduces stricter supervisory measures for national authorities, as well as stricter enforcement requirements.
The proposal also aims at harmonising sanctions regimes across Member States. For that purpose, a list of administrative sanctions will be established, including fines for breach of the cybersecurity risk management and reporting obligations.
Stricter risk management
The proposal enforces stricter security requirements for companies, with a minimum list of basic security elements that need to be implemented, ranging from cybersecurity testing to the effective use of encryption.
The proposal also addresses the security of supply chains and supplier relationships for these individual companies. For key information and communication technologies, it even does so on a European level.
Company management will be held accountable for non-compliance with the proposed risk management measures. And incident reporting obligations will be more streamlined, including the process itself.
Better cooperation
In order to increase the information sharing and cooperation between Member States, the proposal enhances the role of the Cooperation Group.
To support the coordinated management of large-scale cybersecurity incidents and crises at EU level, a European Cyber crises liaison organisation network (EU-CyCLONe) will be established.
Finally, vulnerability disclosure for newly discovered vulnerabilities will now also be managed across the EU.
What happens now?
The co-legislators, notably the Council of the EU and the European Parliament, will conduct negotiations about this new proposal. Once it is agreed and adopted, Member States will have 18 months in order to transpose the NIS2 Directive.