The EU has further expanded the scope of its cybersecurity rules. On 28 November 2022, the EU Council adopted the text of the NIS 2.0 Directive. The new Directive aims to harmonise cybersecurity requirements and implementation of cybersecurity measures in different Member States. It expands the list of sectors and activities subject to cybersecurity obligations and provides for remedies and sanctions to ensure enforcement.
In this article, we consider the scope of the current NIS Directive (EU 2016/1148) along with the changes introduced by the new NIS 2.0 Directive which companies providing essential and digital services should be taking steps to prepare for.
A Recap on the NIS Directive
Baseline Cybersecurity Measures and Reporting Obligations
The NIS Directive imposes minimum standards for network and information system security and reporting obligations on EU Member States and to designated operators of essential services ("OES") and relevant digital service providers ("RDSPs"). The NIS Directive was transposed into Irish law by the European Union (Measures for a High Level of Security and Network and Information Systems) Regulations 2018 (S.I. 360 of 2018) (the "NIS Regulations") on 18 September 2018.
The NIS Regulations identify OES as operators of critical infrastructure including: energy, transport, banking, health, supply and distribution of drinking water and digital infrastructure (internet exchange point operators, domain name service providers and top-level domain name registries)[1]. RDSPs include online marketplaces, online search engines and cloud computing services[2].
Key Obligations
| Action | OES | RDSPs |
| Manage Risk | Identify and take technical and organisational measures to manage the risks posed to the security of its network and information systems. | Identify and take technical and organisational measures to manage the risks posed to the security of its network and information systems , taking into account factors such as the security of systems and facilities; incident handling; business continuity management; monitoring, auditing and testing; and compliance with international standards. |
Take Action | Take appropriate measures to prevent and minimise the impact of any incidents which affect the security of its network and information systems to ensure continuity in the provision of those services. | Take measures to prevent and minimise the impact of incidents affecting the security of its network and information systems to ensure continuity in the provision of those services. |
| Notify Incidents | Notify the computer security response team within the Department of the Environment, Climate and Communications ("CSIRT") if an incident significantly impacts the continuity of the provision of its essential services , not later than 72 hours after becoming aware of the incident. | Notify the CSIRT of any incident that has a substantial impact on its provision of its services within the EU as soon as practicable after the incident occurs and, in any event, not later than 72 hours after becoming aware of the incident , subject to the RDSP having access to the information required to assess the impact of the incident, including the number of users affected, the duration, the geographical spread of the area affected, the extent of the disruption and the extent of the impact on economic and social activities. |
Enforcement
Along with information notices, authorised officers, appointed by the Minister, or the Central Bank in the case of banking and financial market infrastructures, may serve a compliance notice on an OED or RDSP prescribing directions as to remedial actions to be taken. The compliance notice may also direct the OES / RDSP to notify those affected, or the public generally, of the suspected breach.
Criminal sanctions may be imposed for failure to comply with these obligations, comprising of a €5,000 fine on summary conviction or a fine not exceeding €50,000 on conviction on indictment or, in the case of a company, not exceeding €500,000.
The NIS Directive has proved difficult to implement in practice. A review of the Directive showed a wide divergence in its implementation across the EU, particularly in regard to security and incident reporting obligations and in relation to enforcement. The NIS 2.0 Directive aims to address the shortfalls of the NIS Directive and increase the level of enforcement of cybersecurity across the EU.
NIS Directive 2.0 – Proposal for Reform
Stronger Risk and Incident Management and Cooperation
The European Commission's proposal for the NIS 2.0 Directive was first published on 16 December 2020 with a view to addressing the limitations of the NIS Directive that had come to light in the two years since its implementation and to ensure greater coordination of cybersecurity across the EU internal market in order to better adapt and respond to new challenges. The NIS 2.0 Directive aims to enhance and expand the scope of cybersecurity protection, streamline risk management measures and reporting obligations, and introduce stricter enforcement requirements, including harmonised sanctions across the EU.
The NIS 2.0 Directive will also formally establish the European Cyber Crises Liaison Organisation Network, EU-CyCLONe, which will support the coordinated management of large-scale cybersecurity incidents and crises.
Widening of Scope of the Rules
Under the old NIS Directive member states were responsible for determining which entities would meet the criteria to qualify as operators of essential services. However, the new NIS 2.0 Directive introduces a size-cap rule as a general rule for identification of regulated entities. This means that all medium-sized and large entities operating within the sectors or providing services covered by the Directive will fall within its scope.
The NIS 2.0 Directive also extends the scope of the current NIS Directive to cover new sectors classified as "important entities" such as postal and courier services, waste management, manufacture and distribution of chemicals, food production and manufacturing and digital providers. The NIS 2.0 Directive eliminates the classification of OED and RDSP and instead provides for differing regimes for "essential entities" and "important entities".
The text of the NIS 2.0 Directive indicates that it will not apply to entities carrying out activities in areas such as defence or national security, public security, and law enforcement. Judiciary, parliaments, and central banks are also excluded from the scope.
Cybersecurity Training and Risk Management
The NIS 2.0 Directive introduces an obligation on Member States to ensure that a company's management approve its cybersecurity risk management measures and follow specific cybersecurity training. It also places new obligations on entities within its scope to implement supply chain security assessments and to take "appropriate and proportionate technical and organisational measures" to manage the risks posed to the security of the network and information systems which those entities use in the provision of their services.
Breach Reporting
In strengthening cybersecurity obligations on companies, the NIS 2.0 Directive introduces more precise provisions for the process and timelines for incident reporting to CSIRTs, along with enhanced supervisory measures for national authorities and stricter enforcement requirements. In particular, the NIS 2.0 Directive imposes notification obligations in phases, including an initial notification within 24 hours of becoming aware of certain incidents or cyber threats (instead of simply “without undue delay” as in the NIS Directive), “intermediate” and “final” reporting obligations.
Sanctions
Member States have discretion under the NIS 2.0 Directive to lay down rules on penalties in their domestic implementing legislation. Such penalties must be "effective, proportionate and dissuasive". The Recitals to the Directive indicate that penalties may include criminal penalties for infringement of the legislation. Accordingly, it is important for organisations falling within the scope of the NIS 2.0 Directive to be aware of their potential liability (both criminal and civil) under implementing national laws.
The NIS 2.0 Directive requires Member States to impose GDPR-like administrative fines for non-compliance. Depending on whether an entity is considered an "essential" or "important" one (which depends on their size and sector), administrative fines for non-compliance can be respectively up to: (i) €10 million or a maximum of at least 2% of the total worldwide annual turnover of the undertaking or (ii) €7 million or a maximum of at least 1.4 % of the total worldwide annual turnover of the undertaking.
It is notable that the Irish regulatory enforcement regime has recently been strengthened by the introduction of civil enforcement powers under the new Competition (Amendment) Act 2022 and the Communications Regulation Bill 2022. These new laws allow the Competition and Consumer Protection Commission and the Commission for Communications Regulation to investigate and sanction companies, and to seek to impose sanctions at the civil standard of proof (balance of probabilities), rather than the higher criminal standard of proof (beyond reasonable doubt), which regulators must satisfy very often at present. If further civil sanctions are introduced in the Irish law transposing the NIS 2.0 Directive, the competent authority will have greater direct control than in criminal prosecutions, which will naturally lead to more investigations and the imposition of more sanctions under the future Irish law transposing the NIS 2.0 Directive.
It is important that providers of essential and digital services in Ireland are aware of the new cyber security legislation that is coming down the tracks, as failure to meet their obligations under the new Directive may result in extensive civil sanctions, criminal liability and reputational damage where the incidents are publicised by the CSIRT.
Next Steps
The text of the NIS 2.0 Directive received formal approval by the European Council on 28 November 2022. It will be published in the Official Journal of the European Union in the coming days, and will enter into force on the twentieth day following this publication. Member States will have 21 months from the entry into force of the Directive in which to transpose the NIS 2.0 Directive into their national law.
In Ireland, recent experience would indicate that we may encounter delays in the implementation of the NIS 2.0 Directive, as deadlines have been missed recently for the transposition of other key legislation driving transformation in the digital sector (eg, the European Electronic Communications Code and the Audio-Visual Media Services Directive).
This article has been authored by Kate McKenna, Davinia Brennan, Simon Shinkwin, Neringa Juodkunaite and Evelyn Soye, for more information please contact us or your usual Matheson contact.
[1] Schedule 1, NIS Regulations.
[2] Schedule 2, NIS Regulations.
[3] Regulation 18(1), NIS Regulations.
[4] Regulation 21(1), NIS Regulations.
[5] Regulation 21(2), NIS Regulations.
[6] Regulation 17, NIS Regulations.
[7] Regulation 21(3), NIS Regulations.
[8] Where an OES relies on a third-party digital service provider in the provision of an essential service, the OES must notify the CSIRT if an incident affecting the digital service provider has a significant impact on the continuity of the provision of the essential services of the OES.
[9] Regulation 18(2), NIS Regulations.
[10] Regulation 22(1), NIS Regulations.
[11] Regulation 22(4), NIS Regulations.