Anticipating stronger security requirements for critical EU sectors

A pdf copy of this brief is available here.

The EU Commission recently proposed a revision to its Directive on Security of Network and Information Systems (NIS). The existing NIS Directive (“NIS 1”) requires EU Member States to enact security safeguards for critical infrastructure-like entities and large digital services. The proposed revision - nicknamed “NIS 2” - would replace NIS 1 and require EU Member States to implement stronger security safeguards and stricter enforcement. This post provides an analysis of the NIS 2 proposal and comparison with the existing NIS Directive.

The EU Commission recently proposed a revision to its Directive on Security of Network and Information Systems (NIS). The existing NIS Directive (“NIS 1”) requires EU Member States to enact security safeguards for critical infrastructure-like entities and large digital services. The proposed revision - nicknamed “NIS 2” - would replace NIS 1 and require EU Member States to implement stronger security safeguards and stricter enforcement. This post provides an analysis of the NIS 2 proposal and comparison with the existing NIS Directive.

At the present time, the NIS 2 proposal will likely be subject to months of negotiation among EU lawmakers, and the text will likely change somewhat before enactment. However, by reviewing the NIS 2 proposal, we can at least anticipate the direction of changes that regulated organizations may be subject to under a revamped NIS Directive.

Rapid7 is supportive of efforts to ensure critical infrastructure security is strengthened in proportion to the risks, and there are a number of elements in the NIS 2 proposal we view as beneficial. These include recognition of the importance of coordinated vulnerability disclosure, and the need for a central coordinating body in the EU that will align with, and participate in, international programs and practices. We are also in strong agreement regarding the usefulness of Recital 69 (more details below) in clarifying allowable security activity under GDPR. However, there are also elements of the current NIS 2 proposal that appear overbroad, such as potentially applying to all cloud computing services simply because they are cloud-based. Likewise, the incident notification requirements would see regulated entities notify authorities of “any significant cyber threat” that “could have potentially resulted in a significant incident,” which risks a large number of unnecessary threat reports.

We look forward to continuing to work with EU officials to make NIS 2 streamlined, clear, and effective.

Background

The 2016 Network and Information Systems Directive (NIS 1) is an EU-wide cybersecurity law. The EU Member states (and the UK, an EU Member State at the time) issued local regulations to implement the Directive. In 2018, the EU also issued an implementing regulation for NIS 1 to provide additional specifics on security elements that are expected of “digital service providers.” (Note: EU Directives tell a Member State the broad outcome, but leave the details open to the State to “transpose” into national laws. EU Regulations issue more detailed requirements that bind Member States.)

The NIS 2 Directive is one of a trio of cybersecurity documents the EU Commission proposed in Dec. 2020. The other two are the EU Cybersecurity Strategy (which calls for updates to NIS, among other things), and a directive on critical infrastructure resilience (which defers to NIS 2 on cybersecurity issues, and reminds critical infrastructure and Member States to follow NIS 2 cybersecurity requirements).

While this post focuses on proposed changes in requirements for regulated entities, it’s worth noting that the NIS 2 Directive would do many other things as well. For example, the proposal would establish a framework for EU-wide coordinated vulnerability disclosure and set up an ENISA-operated vulnerability registry. Recital 69 of the NIS 2 proposal would also explicitly confirm that cybersecurity info-sharing, vulnerability disclosure, and awareness activities are within the scope of legitimate interest for security under GDPR - a welcome clarification.

Regulated Sectors

The NIS 1 Directive applies to two categories of sectors, with the NIS 1 Directive’s Annex listing types of entities that fall within these sectors. The proposed NIS 2 Directive, as detailed in its Annex, would rename those categories, expand the number of regulated sectors, and significantly expand the types of entities that fall within these sectors. One area that needs clarity is the scope of application to cloud computing services, as the language presently reads as though all cloud-based services are covered, which would be out of step with the concept of these as “essential” entities. The sector categories are important in relation to how the Directive is to be enforced - see the “Enforcement, and penalties” section below.

Under NIS 1, Member States designated the specific organizations as being regulated based on how strategically important the entities are to the State (i.e., market size, national security, economic impact, etc.). [NIS 1, Art. 6] However, under NIS 2, the Member States do not need to designate a specific organization as regulated. Instead, NIS 2 would require all essential and important entities to register with ENISA, and ENISA would notify Member States of entities in their jurisdiction. [NIS 2, Art. 25]

Below is a comparison of the sectors from their respective annexes, however please note that the NIS 2 directive expands on the types of entities as well.

Sectors-covered-by-NIS-2-proposal-2020-Rapid7

Security requirements

The NIS 1 Directive requires all EU Member States to adopt a national strategy for network and information system security, and requires Member States to establish security and reporting requirements for essential services and digital service providers. [NIS 1, Art. 1.2, 14, 16] The EU Commission also issued an implementing regulation to provide additional specifics on how Member States should regulate digital service providers, though not essential services.

The NIS 2 Directive would empower Member States to require essential and important entities to certify ICT products, services, and processes under specific EU cybersecurity certification schemes. [NIS 2, Art. 21] The proposed NIS 2 Directive would expand on the security outcomes required under NIS 1, with a notable new section on supply chain security and a burdensome expansion of requirements to report any potential cyber threat that could cause a disruption.

Here is a high level breakdown of the proposed changes:

Security-requirements-under-NIS-2-proposal-2020-Rapid7

Enforcement and penalties

The NIS 1 Directive requires EU Member States to empower their supervisory authorities and to create penalties for noncompliance. The specific powers and penalties were left up to the EU Member States. For example, the UK (a Member State at the time) announced fines of up to £17 million or 4% of a company’s global revenues, depending on the severity.

The NIS 2 Directive would continue to require EU Member States to work out the specifics, but would give much greater detail on the enforcement powers authorities must have, and a GDPR-like civil fine for noncompliance, with the intention to have stricter supervision as well as more consistent enforcement and penalties across Member States.

Here is a summary of the proposed changes:

Enforcement-and-penalties-NIS-2-proposal-2020-Rapid7

Next steps for NIS 2

The proposed NIS 2 Directive is now subject to negotiations between the EU Council and the EU Parliament. There is no official public deadline for these negotiations, but it’s likely a matter of months, not years. The text of the NIS 2 Directive will likely change before the final version is adopted, but it is unclear how much.

Under the current proposal, EU Member States would have 18 months to transpose the NIS 2 Directive after it is enacted. [NIS 2, Art. 38] The proposed NIS 2 Directive also expresses willingness to issue additional implementing guidance on the security requirements at some point after enactment. [NIS 2, Art. 18.5]

Further reading

A pdf copy of this brief is available here.