Revised NIS Directive: trust service providers as essential entities – European certification 

On 16 December 2020, the European Commission presented a new cybersecurity package composed of:

- a proposal for a revised NIS Directive (NIS2), with new annexes listing essential and important entities,

- a proposal for a directive on the resilience of critical entities,

- a new Cybersecurity Strategy.

Regarding NIS2, it is worth noting that trust service providers (in the meaning of eIDAS) would be considered essential entities and would therefore be subject to the NIS cybersecurity requirements. Strong enforcement would apply, including the power for competent authorities to fine the entity and to temporarily ban its CEO from exercising managerial functions. Trust service providers would also be considered critical entities under the companion proposal, meaning that they would have to comply with rules on physical security as well.

A new article on European cybersecurity certification (Art. 21) has been added to the NIS Directive. This is an achievement for Eurosmart: our association has long been advocating for the inclusion of certification in the NIS Directive. Eurosmart had also been advocating for the inclusion of data centres and public administration in the scope of NIS, which is now the case in NIS2.

Encryption is given increased importance, as it is mentioned among the measures to be taken by essential and important entities in NIS2.

Please find below the links and a summary of the main novelties introduced by the two proposals. A briefing on the Cybersecurity Strategy will follow very soon.

Proposal for a revised NIS Directive (NIS2)
NIS2 Annexes
New Cybersecurity Strategy
Proposal for a directive on the resilience of critical entities

Proposal for NIS2

The proposed NIS2 has not been turned into a regulation; it remains a directive, meaning that transposition may still differ from one Member State to another. Sector-specific Union legislation, such as DORA for the financial sector, takes precedence over NIS2 where it imposes at least equivalent cybersecurity requirements (lex specialis).


New categories: essential entities / important entities

NIS2 abolishes the categories of operators of essential services (OES) and digital service providers (DSP). In place of this distinction, NIS2 creates two new categories: essential entities (Annex I) and important entities (Annex II).

Essential and important entities are subject to similar obligations. However, enforcement is stronger for essential entities: in case of non-compliance, competent authorities could even temporarily ban the CEO of an essential entity from exercising managerial functions, or suspend a certification or authorisation.

In addition to the services already covered as essential under NIS1, the following are now considered essential:

- digital infrastructure: data centres, cloud computing, trust service providers, providers of public electronic communications networks,

- health: entities manufacturing basic pharmaceutical products or medical devices considered critical during a public health emergency, EU reference laboratories, entities carrying out research and development activities on medicinal products (e.g. vaccines),

- public administration,

- waste water,

- space.

Energy, transport, banking and financial market infrastructures, health (hospitals), and drinking water remain covered, with an enlarged set of sub-sectors for energy (e.g. hydrogen added).

The new category of important entities (Annex II) covers the following sectors:

- digital providers: providers of online marketplaces, providers of online search engines, providers of social networking services platforms,

- manufacture, production and distribution of chemicals,

- manufacture of computer, electronic and optical products,

- manufacture of electrical equipment,

- manufacture of motor vehicles, trailers and semi-trailers, and other transport equipment,

- other entities (e.g. food production).

ENISA shall keep a registry of essential and important entities. The entities concerned (in the proposal, digital infrastructure providers such as DNS service providers, TLD name registries, cloud computing, data centre and content delivery network providers, and the digital providers of Annex II) shall submit the relevant identifying information to ENISA for that purpose.


As a general rule, micro and small enterprises are excluded from the scope of NIS2; medium-sized and large entities in the listed sectors are covered.

However, micro and small enterprises are still covered by NIS2 if:

- they provide public electronic communications networks or publicly available electronic communications services, trust services, top-level domain name registries or DNS services,

- they are public administration entities,

- they are the sole provider of a service in a Member State,

- a potential disruption of their service could have an impact on public safety, public security or public health, or could induce systemic risks,

- they are of particular importance at regional or national level for the sector or type of service in question, or for other interdependent sectors in the Member State,

- they are identified as critical entities pursuant to the new directive on the resilience of critical entities.


Cybersecurity measures to be taken

NIS2 is more precise regarding the measures that essential and important entities shall take to manage cybersecurity risks. Having regard to the state of the art, those measures shall ensure a level of security appropriate to the risk presented.

Among the new measures in NIS2, it is worth mentioning:

- the use of cryptography and encryption,

- supply chain security, including security-related aspects concerning the relationships between each entity and its suppliers or service providers, such as providers of data storage and processing services or managed security services,

- security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure.

The Commission may adopt implementing acts to lay down the technical and the methodological specifications.

 

Use of European cybersecurity certification schemes  

In order to demonstrate compliance with certain requirements, Member States may require essential and important entities to certify certain ICT products, ICT services and ICT processes under specific European cybersecurity certification schemes (Cybersecurity Act). The products, services and processes subject to certification may be developed by an essential or important entity or procured from third parties.

The Commission can adopt delegated acts specifying which categories of essential entities shall be required to obtain a certificate and under which specific European cybersecurity certification schemes. The Commission may request ENISA to prepare a candidate scheme where no appropriate European cybersecurity certification scheme is available.


Standardisation

Member States shall encourage the use of European or internationally accepted standards and specifications. ENISA will give advice, including on existing national standards.

 

Enlarged reporting obligations

Stronger reporting obligations are laid down for essential and important entities. In addition to significant incidents (with an initial notification to the competent authority or the CSIRT within 24 hours of becoming aware of the incident), they must notify any significant cyber threat that could potentially have resulted in a significant incident.

Entities not covered by NIS2 may submit notifications on a voluntary basis.


Strong enforcement of the measures

For essential entities, supervision and enforcement shall be “effective, proportionate and dissuasive”. Competent authorities can carry out on-site inspections and random checks, subject these entities to targeted security audits, and request access to the information they need. Compliance is closely scrutinised. In case of non-compliance, essential entities can be publicly named and fined (both novelties compared to NIS1).

In addition, if other enforcement measures prove ineffective, competent authorities have the power to:

- suspend a certification or authorisation concerning part or all of the services or activities provided by an essential entity,

- impose a temporary ban on any person discharging managerial responsibilities at CEO or legal representative level in that essential entity, and on any other natural person held responsible for the breach, from exercising managerial functions in that entity.

For important entities, competent authorities act through ex post supervisory measures. Important entities can also be subject to targeted security audits, publicly named and fined. However, their CEOs and legal representatives cannot be banned from exercising their functions, and certifications or authorisations cannot be suspended.

For both types of entity, Member States must provide for administrative fines with a maximum of at least EUR 10 000 000 or 2% of the entity's total worldwide annual turnover, whichever is higher. Periodic penalty payments may also be imposed to compel an entity to cease an infringement.


Supply chain better taken into account

Member States shall adopt a policy addressing cybersecurity in the supply chain for ICT products and services used by essential and important entities. NIS2 also mentions that the NIS Cooperation Group may carry out coordinated risk assessments of specific supply chains, taking into account technical and non-technical risk factors.

The NIS Cooperation Group had already carried out such work for 5G cybersecurity, but NIS2 now explicitly places supply chain security within its remit.


Coordinated vulnerability disclosure

NIS2 contains an article dedicated to coordinated vulnerability disclosure. Each Member State shall designate one of its CSIRTs as coordinator for coordinated vulnerability disclosure. The designated CSIRT shall act as a trusted intermediary between the reporting entity and the manufacturer or provider of the ICT products or services concerned.

ENISA shall develop and maintain a European vulnerability registry.


Cybersecurity information sharing

Member States shall ensure that essential and important entities may exchange relevant cybersecurity information among themselves (e.g., threats, vulnerabilities, techniques and procedures). Such exchange shall take place within trusted communities of essential and important entities. ENISA shall support the Member States in the establishment of cybersecurity information-sharing arrangements by providing best practices and guidance.

 

Establishment of a European cyber crises liaison organisation network (EU-CyCLONe)

EU-CyCLONe is composed of representatives of the Member States’ crisis management authorities, the Commission and ENISA. This network shall support the coordinated management of large-scale cybersecurity incidents and crises at operational level. It will also ensure the regular exchange of information.


Peer review

NIS2 introduces a peer review mechanism for assessing the effectiveness of the Member States’ cybersecurity policies.

 

Encryption and law enforcement

Recital 54 (non-binding) of NIS2 states that the use of end-to-end encryption should be promoted and, where necessary, made mandatory for providers of electronic communications networks and services. However, the use of end-to-end encryption should be reconciled with the Member States’ powers to ensure the protection of their essential security interests and public security, and to permit the detection, investigation and prosecution of criminal offences.

Proposal for a directive on the resilience of critical entities

This proposal contains measures on the physical security of critical entities. For instance, it covers the risk of terrorist attack on a critical entity.

Consistency with NIS2 is ensured: the sectors covered by the proposal are the same as the sectors of essential entities in Annex I of NIS2. This means that trust service providers, cloud computing services, public administration, etc. may also be identified as critical entities and would then need to comply with these requirements on physical security.

Competent authorities shall establish a list of essential services in the sectors referred to in the Annex and shall identify the critical entities providing those services.

Access control is addressed in Article 11 of the proposal, which states that critical entities shall take measures to ensure adequate physical protection of sensitive areas, including detection equipment and access controls. They shall also carry out background checks, including identity verification, for specific categories of their personnel.

This proposal does not cover cybersecurity aspects, as they are already addressed in the NIS Directive.

Next steps:

The proposed NIS2 and the proposal on the resilience of critical entities will be examined by the European Parliament and the Council under the ordinary legislative procedure. Both directives would then need to be transposed into national law.


If you have any questions on these issues, please contact Camille Dornier - Policy Manager: camille.dornier@eurosmart.com

Eurosmart
Rue de la Science 14B - 1040 Brussels BELGIUM
Privacy Policy - EU transparency register #21856815315-64