The European Commission’s proposed revision of the NIS Directive includes onerous new cybersecurity obligations for all medium-sized and large enterprises.
The European Commission has unveiled a series of cybersecurity measures, including a proposal to revise Directive 2016/1148 on measures for a common level of security of networks and information systems in the Union (the so-called “NIS Directive”), to address the increasing digitization, driven in particular by the health emergency resulting from the Covid-19 pandemic. Even though only two years have passed since the deadline for transposing the NIS Directive expired, and despite the important results achieved by EU Member States in the field of cybersecurity during this period, the European Commission saw the need to update the existing measures in order to address the shortcomings of the current NIS Directive and make its provisions adequate and functional for the current era.
The proposed cybersecurity directive introduces considerable changes compared to the previous regulatory framework. First of all, the NIS Directive 2 foresees a wider scope of application by removing the distinction between operators of essential services and providers of digital services. In this regard, and to eliminate the differences that arose between Member States when implementing the NIS Directive, the proposal provides that all medium-sized and large companies operating in the covered sectors will have to comply with the obligations of the NIS Directive 2, while micro and small companies are excluded unless they present high-risk profiles. Also, to determine the applicable sanctions and supervisory regime, covered entities will be divided into core and major operators. The proposed legislation will further apply to entities operating in certain additional sectors, including postal services, waste management, production and distribution of chemicals, production and distribution of foodstuffs, and the production of medical devices and electronic equipment.
Operators subject to the NIS Directive 2 will have to adopt appropriate and proportionate technical and organizational measures to manage threats to the security of networks and IT systems and to minimize the impact of any incidents. Several minimum security measures that operators will need to implement are identified, including the adoption of vendor IT security audit systems and the use of encryption. The proposal also introduces more detailed provisions on the incident reporting procedure: incidents must be notified to the competent authorities within 24 hours of the operator involved becoming aware of them.
Finally, the NIS Directive 2 provides for a new system of sanctions in the event of a violation of risk management measures and notification obligations, reducing the discretionary power of EU Member States in this regard and envisaging sanctions of up to € 10 million or 2% of the total annual worldwide turnover of the party concerned.
From what has been indicated above, it emerges that the revision of the NIS Directive would have a far broader scope of cybersecurity obligations and a far greater impact than the current directive, which means most companies will need to keep a close eye on developments.
On a similar topic, you may find the article “NIS Directive applicable, is your cybersecurity plan compliant?” interesting.