The European Union (EU) Network Information Security Directive 2.0 (EU NIS 2.0):

Implementing a high common level of cybersecurity across the EU

This article is co-written with Andy Watkin-Child, founding Partner of Parava Security Solutions, a consultancy specialising in helping leaders manage cybersecurity risks.

Research by the Department for Digital, Culture, Media and Sport shows that in the UK:

  • Only 12% of organisations review cyber security risks coming from their immediate suppliers
  • Just one in twenty (5%) of firms address the vulnerabilities in their wider supply chain

With EU directives already passed and proposals underway here in the UK to address and improve cyber resilience, businesses and their supply chains should be looking to get ahead of the game and minimise their risk now.

European Union (EU) Cybersecurity Risk Management Regulation 

The EU has passed regulations to strengthen the resilience of EU member states’ Critical National Infrastructure (CNI) and implement an integrated regime for cybersecurity risk management. This includes the Digital Operational Resilience Act (DORA 2022/2554) for the financial sector, the Network Infrastructure Security Directive 2.0 (EU NIS 2.0 2022/2055 - ‘The Directive’) for CNI, the Resilience of Critical Entities Directive (EU 2022/2557) for CNI and the proposed Cyber Resilience Act 2022/0272 (COD) for the security of hardware products and services.

Although the UK, post-Brexit, is no longer required to incorporate EU directives into UK law and it remains to be seen how the government will implement measures to improve the UK’s cyber resilience, there are a number of actions that UK business owners and their supply chains would do well to consider now.

  • Upgrade your compliance programmes in preparation for EU member states transposing the directive into national laws. 
  • Take ‘appropriate and proportionate measures’ to manage the risks posed to the security of network and information systems you use for your operations or provision of services, and to prevent or minimise the impact of any incidents.
  • Ensure you are able to provide oversight and assurance of the risks and their treatment.

This article discusses one aspect of the forthcoming regulations, the Network Infrastructure Security Directive 2.0, and what it means for UK businesses covered under its scope.

What is Critical National Infrastructure (CNI)?

CNI sectors deliver services that are indispensable for the maintenance of vital societal functions and the economic activities of governments and their national markets. They include energy, transport, banking, water, agriculture, production, food processing and distribution, health, financial market infrastructure, digital infrastructure, public administration, and space. Managing the growing interdependencies between CNI is critical for the effective, safe and secure operation of the EU and its member states. 

The EU aims to support the protection of critical infrastructure across the Union through regulation that, to date, has been hampered by diverging regulatory cybersecurity requirements, inconsistent cyber laws, varying levels of resilience and regulatory duplication. This has created an unnecessary administrative burden for companies operating across borders, leading the EU to revise EU NIS 1 (EU 2016/1148). 

The Directive lays down harmonised minimum rules for the cybersecurity of essential services, deemed critical for the proper functioning of the EU’s internal market. The EU Commission recognises that CNI organisations need to better manage the risks to their operations that may disrupt the delivery of essential services, a threat that was highlighted in the wake of cyber-attacks on CNI sectors across the US and EU in 2021 and 2022. These attacks demonstrated that CNI sectors are at increased risk of cyber-attack and that the cybersecurity maturity of CNI providers may be insufficient to deal with emerging threats.

The EU recognises the potential social and economic impact of a cyber-attack on CNI and its customers, and the economic ramifications and societal impact of a systemic cyber-attack.

Aims of the Directive

The Directive was published in the EU’s official journal on 14 December 2022 and took effect from 17 January 2023. Member states now have 21 months to transpose the Directive into their national laws. The Directive should be read in conjunction with The Resilience of Critical Entities (EU 2022/2557), the EU Digital Operational Resilience Act – DORA (EU 2022/2554) published on 14 December 2022 and the proposed EU Cyber Resilience Act (CRA) (2022/0272 (COD)).

The Directive sets out to create an integrated harmonised regime for cybersecurity risk management, for EU member states to codify into law. It lays down requirements for the cybersecurity risk management of entities covered under the scope of application and measures that aim to achieve a high common baseline of cybersecurity across the Union. The Directive sets out obligations for member states to adopt:

  • A national cybersecurity strategy, designate or establish competent authorities, cyber crisis management authorities, single points of contact on cybersecurity, and Computer Security Incident Response Teams (CSIRTs)
  • Cybersecurity risk management measures and reporting obligations for entities of a type referred to in the Directive Annex I or II, and for entities identified as critical entities under Directive (EU) 2022/2557.
  • Rules and obligations on cybersecurity information sharing
  • Supervisory, reporting and enforcement obligations

Scope of the Directive

The scope of the Directive is split between two groups. The first group consists of entities in sectors deemed ‘Sectors of high criticality - Directive Annex I’, which includes energy (electricity, district heating and cooling, oil, gas, hydrogen), transport (air, rail, water, road), banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, and space. The second group consists of ‘Other critical sectors – Directive Annex II’, which includes postal and courier services, waste management, manufacturing, production and distribution of chemicals, production, processing and distribution of food, manufacturing, digital providers and research organisations.

The Directive applies to both public and private entities within sectors of high criticality and other critical sectors, whose turnover is between €10 - 50 million and which employ between 51 - 250 persons and/or have an annual balance sheet of between €10 - 43 million. The Directive also applies to organisations whose turnover is greater than €50 million, which employ more than 250 persons and/or whose balance sheet is greater than €43 million.

Regardless of size, the Directive also applies to:

  • Entities that provide public electronic communication networks or publicly available electronic communications services
  • Trust service providers
  • Top-level domain name registries and domain name system service providers
  • Domain registration services
  • Entities that are the sole provider of essential services for the maintenance of critical societal or economic services
  • Entities where the disruption of services could have a significant impact on public safety, security or health, or could induce significant systemic risk for a sector
  • Public administration entities at central government, regional or local level
  • Education institutions where they carry out critical research
  • Critical entities defined under EU 2022/2557

Implementation of the Directive by ‘member states’

The success of the Directive in harmonising cybersecurity relies upon member states implementing appropriate strategic, governance, policy, resourcing, oversight and assurance and reporting infrastructure. It sets out the requirements for member states to adopt a national cybersecurity strategy with coherent strategic objectives, policies to deliver the strategy and appropriate governance to oversee and assure its implementation, with a view to collaborating with other member states, the EU Commission, the Council and agencies such as ENISA (the European Union Agency for Cybersecurity), and to harmonising the management of cybersecurity nationally and across the EU member states.

The Directive lays out some notable requirements for the EU Commission and member states to:

  • Harmonise cybersecurity risk management measures and reporting obligations between existing sector specific Union legal acts and the Directive.
  • Designate or establish one or more competent authorities responsible for the application of the Directive and cross-border cooperation.
  • Acknowledge EU DORA, the CRA and incident reporting over the Directive.
  • Comprehensively address the cybersecurity risk management obligations of digital infrastructure, DNS, TLD registries, ICT service and cloud service and data centre providers. Promote the use of certified ICT products, services, and processes ahead of the introduction of a cybersecurity certification scheme, proposed by EU 2022/0272 (COD).
  • Address both physical and logical security provisions as part of cybersecurity risk management measures and reporting obligations.
  • Contribute to the establishment of the EU Cybersecurity Crisis Response Framework, set out under EU 2017/1584. Establish one or more Computer Security Incident Response Teams (CSIRTs) to monitor critical entities.
  • Foster alignment with international standards and best practices for cybersecurity risk management.
  • Adopt cybersecurity risk management practices, measures, and risk mitigations by covered CNI entities, that are proportionate to an entity’s exposure to risk and the societal and economic impact a cyber incident could have.
  • Report cyber events to the National CSIRTs within 24 hours.
  • Introduce comprehensive risk-based ex ante and ex post on- and off-site supervision of entities.
  • Implement a civil and criminal penalty regime for failing to comply with the Directive. Penalties include fines against entities and persons, and the temporary suspension of natural persons responsible for failing to discharge their managerial responsibilities defined by the Directive.

The Directive - Implementation by ‘CNI entities of member states’
Cybersecurity risk management, governance, measures and reporting obligations

The products and services that are produced by the CNI sectors in scope are critical to member state national security and the security of the EU. The Directive requires member states to create laws for the management bodies (legally defined accountable representatives) of covered entities to approve their organisation’s cybersecurity risk-management measures.

Member states are required to ensure that management bodies of covered entities undertake cybersecurity risk management training and are encouraged to offer similar training to their employees. The learning objective is to provide sufficient knowledge and skill, enabling the management bodies of covered entities to oversee and assure cybersecurity risk-management, treating the impact of cyber risk on the services they provide.

The implications of these requirements are that the boards of covered entities must implement appropriate corporate governance processes for the oversight and assurance of cybersecurity risks, evaluate control effectiveness and attest to the effectiveness of the risk treatments performed. Boards need to have oversight and assurance of cybersecurity risks in line with changes in business strategy, financial plans, changes in operational performance and changes in an entity’s threat profile.

Covered entities will be expected to follow a proportionate approach to the cybersecurity risk management of their network, systems and physical environment based upon their size and type, including as a minimum:

  1. Policies on risk analysis and information systems security
  2. Incident handling
  3. Business continuity, backup management, disaster recovery and crisis management
  4. Supply chain security, including the security of relationships between each entity and its direct suppliers or service providers
  5. Secure acquisition
  6. Policies and procedures to assess the effectiveness of cybersecurity risk management measures
  7. Policies and procedures regarding the use of cryptography
  8. Basic cyber hygiene and cybersecurity training
  9. Human resources security
  10. Multi-factor authentication

Where entities do not comply with these requirements, member states shall ensure that all necessary, appropriate and proportionate corrective measures are taken by the entity without undue delay.

Reporting obligations

In-scope entities must report any incident that has a significant impact on the provision of their services within 24 hours of becoming aware of the incident. Such incidents must be reported to their member state CSIRT or competent authority, and to their customers,  

Examples include incidents that cause, or could cause, severe operational disruption of their services or financial loss for the entity concerned, or which have affected or could affect other natural or legal persons by causing considerable material or non-material damage.

Cybersecurity certification schemes

Member states may require covered entities to use particular ICT products, services and processes, developed by the essential or important entity or procured from third parties, that are certified under European cybersecurity certification schemes adopted pursuant to Article 49 of Regulation (EU) 2019/881.

Supervisory and enforcement

The Directive requires in-scope organisations to take appropriate and proportionate measures to manage cybersecurity risks. Member states are to oversee and assure the compliance of in-scope entities, ensuring that competent authorities provide the necessary compliance oversight and assurance. When exercising their supervisory tasks in relation to essential entities, competent authorities will have the power to subject those entities to, as a minimum:

  1. On-site inspections and off-site supervision, including random checks.
  2. Regular and targeted security audits carried out by an independent body or competent authority.
  3. Ad hoc audits, on the ground of a significant incident or an infringement of the Directive.
  4. Security scans based on objective, non-discriminatory, fair and transparent risk assessment criteria.
  5. Requests for information necessary to assess the cybersecurity risk-management measures adopted by the entity concerned.
  6. Requests to access data, documents and information necessary to carry out their supervisory tasks.
  7. Requests for evidence of implementation of cybersecurity policies.

Member states shall ensure that the competent authorities have the powers to issue infringement warnings and set compliance deadlines for entities to adopt binding instructions to prevent or remediate incidents; order entities to cease conduct and desist from repeat conduct; order entities to comply with cybersecurity risk management measures; order entities to inform their clients of potential significant cyber threats; to implement recommendations following security audits; to make public aspects of infringements of the Directive; and issue fines.

Member states are to ensure that the person acting as the legal representative of a covered entity with authority to take decisions on its behalf, or authority to exercise control of it, has the power to ensure compliance with the Directive, as they can be held liable for breach of duty if the Directive is not complied with.

Where enforcement measures are ineffective, member states shall ensure that competent authorities have the power to establish compliance deadlines. Where requested actions are not taken within set deadlines, member states are to ensure competent authorities can:

  • Suspend temporarily a certificate or authorisation concerning all or part of the relevant service provided, or activities carried out by the entity.
  • Prohibit temporarily any natural person who is responsible for discharging managerial responsibilities from exercising managerial functions in the entity.
  • Impose administrative fines.

Administrative fines for covered entities that do not comply with the appropriate cybersecurity risk management, oversight and assurance can vary. Entities considered ‘essential’ can face fines of a maximum of at least EUR 10 million or a maximum of at least 2% of the total worldwide turnover from the preceding financial year, whichever is higher. Entities considered ‘important’ can face fines of a maximum of at least EUR 7 million or a maximum of at least 1.4% of the total worldwide turnover from the preceding financial year, whichever is higher.

The Directive - what it means in practice

Businesses covered under the scope, and their suppliers, should consider upgrading their compliance programmes in preparation for member states transposing the Directive into national laws, so that they can provide assurance of compliance. Businesses should consider the requirement to ‘take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of network and information systems which those entities use for their operations or for the provision of their services, and to prevent or minimise the impact of incidents on recipients of their services and on other services’. Businesses should also be able to provide oversight and assurance of the risks and their treatment.

Clearly, the UK will not need to transpose the Directive, and it remains to be seen how the government will implement the outcome of its consultation on proposals to improve the UK’s cyber resilience, including by updating the current Network and Information Systems Regulations 2018 (SI 2018/506) (NIS Regulations). 

The government has announced that it will proceed with these proposals and amend the NIS Regulations accordingly, subject to finding a suitable legislative vehicle.

Additional points that businesses need to consider from a legal perspective are outlined in our linked article here: Cybersecurity is complex, costly and difficult to manage - and now also a regulated risk

How we can help

We can help businesses in all sectors, including shipping and healthcare, to understand and put in place strategies and processes to manage cyber risk (‘left of bang’ support) and to deal with cyber issues when they arise, including litigation (‘right of bang’ support).

Our Cybersecurity leads are here to assist you across the sectors we act for. Please contact:

Mark Weston
Business Services
+44 (0)20 7280 9178
mark.weston@hilldickinson.com 

Technology law is central to any large-scale business transaction or dispute. Whether you are a technology organisation, or an organisation reliant on technology, as your organisation expands, the need to protect your technologies, your brand, your products and your data services grows.

We are trusted advisors to a wide range of clients within the technology sector. On a wider scale, even more of our clients are heavily reliant on technology - and trends dictate that this is increasing.

Our Tech sector can meet the full scope of your requirements - be it a complex corporate transaction, a data protection or reputation issue, outsourcing requirements, a regulatory issue, or a contracting query.