Over the past year, Russia’s war against Ukraine has once again shown not only Germany, but the whole of Europe, how tense the cybersecurity situation is in the European region. Even before that, there was ample reason to re-examine the security of European network and information systems and possible threats to the functioning of the European single market. Against this background, the Council and the European Parliament adopted the Network and Information Security Directive (NIS 2 Directive) last December, setting in motion a reform of the legal requirements for IT security in the European area. Following its entry into force on 16 January 2023, Germany and other EU Member States now have 21 months to transpose the regulations into national law and to adapt existing regulations to the new legislation. But affected companies already need to take action. What are the changes and what do companies have to consider now? This article provides an overview.
Purpose of the NIS 2 Directive
There is nothing new about the desire to create a uniform level of security for network and information systems. As the name suggests, the NIS 2 Directive now adopted is a recast of the NIS 1 Directive, which came into force in 2016. This, too, was a response to the heightened threat level and the associated higher demands on IT security in Europe. It was intended to build cybersecurity capacity among Member States by establishing national authorities and single points of contact. In addition to requirements to impose and implement technical and organisational measures (known as TOMs), it included an obligation to report incidents as well as a system of penalties. It is considered one of the most important pieces of European legislation on cybersecurity. Nevertheless, the EU Commission felt that reform was needed. Why?
Since its implementation, the EU Commission considers the NIS 1 Directive to have been a fundamental success, as it has prompted Member States to rethink cybersecurity concerns and ensured the completion of national legal frameworks on the security of network and information systems. But given the pace of digital change, it was deemed no longer fit for purpose or sufficient to ensure effective cyber defence. The implementation of the directive has also been criticised: in particular, the Commission has complained that penalties are often not properly enforced and that there is insufficient exchange between Member States, especially as regards the categorisation of incidents. Moreover, the scope of the directive proved too narrow.
The NIS 2 Directive aims to remedy this situation. Implementing the EU’s Cybersecurity Strategy for the Digital Decade, which was adopted in 2020, it is intended to bring about standardisation as well as a more in-depth and substantive expansion of the requirements for cyber resilience, thus helping to better protect critical infrastructures and digital services. The provisions of the NIS 2 Directive are based on those of the NIS 1 Directive, but the requirements, standards and possibilities for control and penalties have been tightened in several places in response to the criticism.
Modified and extended scope
Some of the most important changes relate to the scope of the directive. The previous distinction between operators of essential services and digital service providers will be abandoned now that the NIS 2 Directive has entered into force. Instead, the amended scope now distinguishes between “essential” and “important” entities (cf. Art. 3 NIS 2 Directive). The new subdivision is particularly relevant in the context of the new obligations on entities and the supervisory and enforcement powers of the competent authorities (more on this below). Which entities are essential and which are important is identified in the respective Annexes I (“High criticality”) and II (“Other critical sectors”) and is based on affiliation to specific sectors, subsectors and types of entities. In order to avoid too much divergence between the Member States, the exact size thresholds for essential and now also important entities are no longer set by the states themselves, but are defined, and thus harmonised, by the directive. According to this, all enterprises in the critical sectors that employ at least 50 people and have an annual turnover or annual balance sheet total of more than EUR 10 million (medium and large enterprises) are included. Microenterprises and small enterprises (i.e. those below the aforementioned threshold), on the other hand, are generally exempt. But beware: by way of counter-exception, the new regulations also apply to them insofar as certain qualifying criteria in Art. 2(2) NIS 2 Directive are met, according to which they play a key role for the economy and society. This concerns particularly critical services, such as the services of providers of public electronic communications networks or trust service providers.
The lists of sectors covered have also been significantly extended compared to the old directive. In addition to the sectors already covered by the old directive, the waste water industry, public administration and the aerospace industry are now also named as “essential entities”. “Important entities” now also include postal services, waste management, chemicals, food and manufacturing, as well as digital providers.
Extended catalogue of obligations for companies
The newly extended catalogue of obligations is likely to be of particular interest to companies. The NIS 2 Directive contains a whole raft of new regulations. It imposes more stringent risk management and reporting obligations on the covered entities than its predecessor.
Incidents and reporting obligation
The existing reporting requirements have been clarified with precise guidelines on the procedure, content and timeframe for reporting an incident. There is a new, broader definition of the term “incident”. Previously, only events that had “an actual adverse effect on the security of network and information systems” (Art. 4 No. 7 NIS 1 Directive) were covered. The reform means that the adverse effect requirement is a thing of the past. Instead, an incident is defined as “an event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems” (Art. 6 No. 6 NIS 2 Directive). Therefore, the limited availability of data or services is sufficient for an incident to exist.
If a “significant incident” occurs, an initial notification must be made to the competent authority without undue delay and in any event within 24 hours of becoming aware of the incident (Art. 23(4)(a) NIS 2 Directive) and an intermediate report on relevant updates must be submitted upon request. The entity concerned must submit a final report not later than one month after the initial notification.
Prevention, another central pillar of corporate cybersecurity governance, has been further strengthened as part of the reform. Essential and important entities must now take appropriate technical and organisational measures (TOMs) to manage the risks posed to the security of their network and information systems. The assessment must take into account European and international information security standards and the appropriateness of a measure in light of the entity’s individual risk exposure.
In Art. 21(2), the NIS 2 Directive lists various examples of measures:
- risk analysis
- crisis management
- supply chain security
- policies and procedures to assess the effectiveness of risk management measures
- use of cryptography and encryption
Supervisory powers, enforcement measures and administrative fines
Particularly in the context of supervisory and enforcement measures, the new distinction between essential and important entities becomes clear. Overall, the NIS 2 Directive provides for stricter supervisory instruments. For example, the authorities can now carry out on-site inspections and request certain information and data access. While a reactive supervisory system applies to important entities (cf. Art. 33 NIS 2 Directive), essential entities (cf. Art. 32 NIS 2 Directive) are subject to much more far-reaching supervisory powers. For essential entities, this allows measures that are not tied to a specific event, such as audits, irrespective of any prior risk assessment.
With regard to the means available to the Member State authorities to enforce the obligations, in principle the same measures can be imposed on operators of important entities as on operators of essential entities. Authorities have a wide range of instruments at their disposal. For example, they can issue binding instructions, set deadlines, impose fines and – only in the case of essential entities – as an ultima ratio, temporarily relieve management of their duties. In the event of infringement, severe administrative fines may be imposed in accordance with Art. 34(4) and (5) of the directive: for operators of essential entities, the maximum fine is €10 million or 2 per cent of worldwide annual turnover, whichever is greater; for operators of important entities, the maximum fine is €7 million or 1.4 per cent of worldwide annual turnover, whichever is greater. “Enterprise” is to be understood in the sense of European law, so that the economic unit as a whole (all legal and natural persons and partnerships belonging to it) is to be considered when calculating turnover. It remains to be seen, however, whether the strict administrative fines of the NIS 2 Directive can also be imposed on public administration entities in Germany. The EU has left this question to the Member States to regulate in their implementing laws (Art. 34(7) NIS 2 Directive).
How this relates to the GDPR
Companies applying the NIS 2 Directive should always consider the provisions of the GDPR in the event of a significant incident. After all, it is quite conceivable that a significant incident could also involve personal data. In this case, the incident must still be reported to the data protection authority pursuant to Art. 33 GDPR within the prescribed period, regardless of whether it has already been reported in accordance with the provisions of the NIS 2 Directive (see Art. 32(1) of the directive).
The only overriding rule involving the NIS 2 Directive and relating to the GDPR relates to administrative fines: if the data protection authority imposes an administrative fine under the GDPR, a fine under Art. 31(4) NIS 2 Directive for the same infringement is excluded. However, other enforcement measures are still possible.
Framework for European Cybersecurity Strategy and cooperation
At the same time, the directive includes a push to strengthen the European Cybersecurity Strategy and improve cooperation between Member States. As well as requiring Member States to develop a national cybersecurity strategy that can be monitored against performance indicators, the directive also requires them to take greater account of supply chain protection. If not already in place, state computer security incident response teams (so-called CSIRTs) must also be established to foster trust and operational cooperation between Member States within a network. Each Member State must also designate an authority responsible for cybersecurity and for the oversight tasks under the directive. In Germany, the BSI (Federal Office for Information Security) is generally responsible. With a view to improving cyber crisis management, an EU Cooperation Group will also be set up to facilitate the exchange of information and a European vulnerability database will be established by the European Union Agency for Cybersecurity (ENISA). Another new feature is that Member States will be subject to subsequent “cybersecurity peer reviews” to assess their cybersecurity measures.
Conclusion and outlook
The NIS 2 Directive introduces a number of innovations to equip the EU for the increased cybersecurity requirements. The reform entails a number of obligations, both for Member States and for the companies concerned. Entities that are now covered by the directive for the first time will have to increase their cybersecurity budget by around 22 per cent. This is the conclusion of the European Commission’s impact assessment of the NIS 2 Directive. On the other hand, companies that already had to take measures under the previous directive can expect additional costs of around 12 per cent. Apart from this, affected companies are advised not to consider the new directive in isolation in relation to the necessary changes, but rather in the context of the wider body of relevant European law. It is conceivable that the addressee of the NIS 2 Directive could also be the addressee of other related European legislation. For example, in addition to the GDPR discussed above, the application of the AI Act or the Digital Security Act may also come into question, depending on the case.
It remains to be seen how the German legislator will adapt the current law based on the innovations of the NIS 2 Directive. By 16 October 2027, the functioning of the directive must be reviewed before its predecessor is repealed with effect from 18 October 2027.