Reviewing cyber resilience: how will the NIS 2 Directive impact EU businesses?
by Fabio Barbero on 21 Jul 2021
Our work, education, social interactions, and leisure time take place online more than ever before. Every day enough people to populate a city the size of Frankfurt join the World Wide Web, bringing digital technologies to new users. COVID-19 has increased reliance on technologies such as Zoom, Microsoft Teams, Google Classroom, Netflix and e-commerce platforms.
As these become increasingly mainstream, their resilience against cyber threats evolves from an economic concern – how to limit the costs of cyberattacks for businesses – to a societal matter, how to make sure that people can work, chat, shop, or play online without fearing cyberattacks, online fraud, identity theft and so on.
As cyberattacks become the new normal, cybersecurity will knock at your door
The annual cost of cybercrime to the global economy is around €5.5 trillion. This is comparable to the GDP of Germany and France combined. COVID-19 has exacerbated these trends, expanding the attack surface to newly digitised sectors and to personal devices used increasingly for homeworking.
According to Interpol, two-thirds of EU member states reported a significant increase in malicious domains aiming to take advantage of the growing number of people searching for information about COVID-19 online. In the US, the FBI’s Internet Crime Complaint Center (IC3) received up to 4,000 cybersecurity complaints every day in spring 2021, compared to 1,000 in 2019.
Increased cybercrime activity has an even greater impact when it becomes the vector to large-scale operations, such as ransomware attacks against critical infrastructures. The shutdowns of Ireland’s health service in June 2021, the American energy operator ‘Colonial Pipeline’ in May 2021 and the recent paralysis of local administration in the Belgian city of Liege are only the latest examples.
Why do we need new regulations?
The European Union is tackling cyber resilience through legislation. In 2016, it adopted the first EU-wide legislation on cybersecurity, the ‘Directive on Security of Network and Information Systems across the EU’ (NIS Directive). This aimed to boost member states' preparedness, cooperation and security culture against cyber threats.
The threat landscape, however, has evolved since then. An increasing number of sectors now rely on interconnected digital technology. Moreover, disruption in one sector can have far-reaching negative impacts in other areas across the Union.
To address this evolution, in December 2020, the European Commission made two new proposals: a Directive on measures for a high common level of cybersecurity across the Union – or ‘NIS 2’ – and a new Directive on the resilience of critical entities.
NIS 2 – What changes for the tech sector?
The new text aims to address several shortcomings of the NIS 1 Directive. It categorises companies into ‘essential’ and ‘important’ based on the criticality of their services and subjects the two categories to different supervisory regimes. The NIS 2 proposal covers new services, such as the manufacturing of pharmaceuticals, medical devices and chemicals, the food sector, wastewater and waste management, postal and courier services as well as public administration.
Digital infrastructure, such as internet exchange point (IXP) providers, domain name system (DNS) service providers, top-level domain (TLD) name registries, and cloud and data centre providers would be considered ‘essential’ entities. Online marketplaces, search engines, providers of social networking and services platforms would be labelled as ‘important’ entities.
A risk-based framework for resilience
The NIS2 proposal lays down differentiated cybersecurity risk management and reporting obligations for ‘essential’ and ‘important’ entities. This would include, for example: risk analysis and information system security policies to prevent, detect, and respond to incidents; measures to ensure business continuity and crisis management; vulnerability handling and disclosure; testing and auditing, and the use of encryption.
Member states will be responsible for adopting national cybersecurity strategies, designating competent national authorities, single points of contact and computer security incident response teams (CSIRTs).
A level playing field across the Union
The proposal introduces greater harmonisation across the EU. Under the current legislation, member states are free to draw up national lists of services and operators, resulting in the same company being treated differently across the EU internal market. With the new proposal, all medium and large size companies in the relevant sectors would need to comply.
Furthermore, NIS2 introduces harmonised sanctions across the Union. These include fines of up to €10 million or 2% of the entity's total worldwide turnover in case of infringements of the risk management measures or the reporting obligations.
Reinforcing cybersecurity along the supply chain
As the Microsoft Exchange Server (April 2021) or the SolarWinds (December 2020) hacks show, vulnerabilities are unlikely to remain confined to one sector, but rather have cascading effects on other services and the entire supply chain.
The NIS2 proposal requires entities “to assess and take into account the overall quality of products and cybersecurity practices of their suppliers and service providers, including their secure development procedures”. Such a requirement, partly motivated by geopolitical considerations and EU political priorities, has deep consequences given the nature of the ICT market. The Commission already hinted at the development of supply chain risk assessments, aiming at identifying ICT services, systems or products that are critical for every sector, similar to what happened with the EU-wide coordinated risk assessment of 5G networks security and the EU Toolbox on 5G cybersecurity.
What to expect?
It is widely accepted that cyber resilience needs a boost across the Union. For example, European Union organisations allocate on average 41% less to cybersecurity compared to their American counterparts. Moreover, addressing the fragmentation issues created by the NIS 1 Directive is beneficial for digital service providers operating in the EU, in terms of ensuring a level playing field across the Union and better regulatory clarity.
However, clarity is needed on several issues. Here are some of those that most impact companies:
- How will the proposed NIS 2 Directive fit into the broader cyber resilience ecosystem? For example, the EU has put forward a proposal for a Critical Entities Directive (CED) and for a Digital Operational Resilience Regulation (DORA). Particular attention to avoid duplication and legal confusion is needed, also considering the data protection requirements set by the General Data Protection Regulation (GDPR) and the proposal for an ePrivacy Regulation.
- What is the dividing line between ‘important’ and ‘essential’ entities? This is crucial as some companies may provide ‘important’ and ‘essential’ services at the same time and could therefore be subject to different supervisory regimes.
- NIS 2 should minimise additional administrative burdens on enterprises. For example, mandating companies to report every cybersecurity incident and near-miss is likely to create excessive burdens both for enterprises and for those who analyse these data. There is a need to specify the exact thresholds that lead to reporting obligations.
- The Commission could better clarify how it intends to provide businesses with guidance and assistance, as well as with specific provisions to support small and medium enterprises that provide ‘essential’ or ‘important’ services.
- Absent an EU-wide certification, alignment with well-established standards (such as ISA/IEC 62443) and mutual recognition of cybersecurity schemes will be key, especially regarding supply chain security. At the same time, clarity on how risk assessment is conducted (e.g. which methodology to use) will help enterprises to comply quickly with the new provisions.
- Strict incident notification timeframes (24 hours) can prove challenging in real-life scenarios and may need to be extended to correspond to the ones in force in other regulations such as the GDPR (72 hours).
- The use of encryption, accompanied by a caveat allowing “lawful access” by law enforcement (read “backdoor”) is unlikely to fly with industries, given that they have traditionally been sceptical about lowering privacy standards to comply with the requests of governments.
- Policymakers may want to expand the membership of the NIS Cooperation Group – which provides guidance, best practice and advice on implementing the NIS2 Directive – to businesses.
There are a number of further steps the NIS 2 Directive will have to go through before it is approved. At the end of May, the European Parliament’s lead Committee on Industry, Research and Energy (ITRE) discussed its draft report on the NIS2 Directive. The Committee on Civil Liberties, Justice and Home Affairs (LIBE) discussed its draft opinion in June, while the Committees on Internal Market and Consumer Protection (IMCO), Transport and Tourism (TRAN) and Foreign Affairs (AFET) adopted their opinions this July.
Discussions in the ITRE Committee are expected this autumn, and the Committee will vote on compromise amendments around mid-October 2021. However, since the Council and the Parliament will need to agree on the revision, further changes to the current text can still be made. Once the proposal is agreed and consequently adopted, member states will need to transpose the Directive within 18 months. The Commission will then periodically review the Directive and report on this review.
Legislators will need to strike a balance between ensuring the functioning of our digitised societies and recognising that systems can never be 100% cyber secure. NIS 2 is another opportunity to urge businesses to take cybersecurity seriously. However, legislators must be careful to avoid punishing those who fall victim to cyberattacks more than the criminals who perpetrate the crimes. Lastly, small and medium enterprises providing critical services will need assistance to implement the new provisions. To get all this right, businesses will need to have a say throughout the NIS2 decision-making process, as well as beyond.