On account of the increasing degree of digitisation and interconnectedness in society, the European Commission noted concern about the rising number of malicious activities at the global level and decided to update the 2016 NIS Directive (Directive (EU) 2016/1148). Following the proposal of December 2020, the European Parliament and the EU member states reached a political agreement on a high common level of cybersecurity across the Union (the Network and Information Systems 2 Directive, i.e., the NIS2 Directive). The new directive aims to improve the cybersecurity and resilience of both public and private sector entities in the European Union.
As part of the same effort to control the ill effects of the digital revolution, the European Commission recently proposed a plan to “detect, report, block, and remove” child sexual abuse images and videos from online service providers, including messaging apps, an action that prompted concerns that it may undermine end-to-end encryption (E2EE) protections. In a similar vein, the draft version of NIS2 explicitly spells out that the use of E2EE “should be reconciled with the Member States’ powers to ensure the protection of their essential security interests and public security and to permit the investigation, and detection and prosecution of criminal offences in compliance with Union law.”
THE ISSUE WITH THE NIS DIRECTIVE
The scope of implementation left to the member states led to fragmentation across states. The reasons for this fragmentation include the unclear delimitation of the NIS Directive’s scope of application, its security and incident reporting obligations, and its supervision and enforcement requirements.
NETWORK AND INFORMATION SYSTEM 2
With a significant increase in the number of entities covered, NIS2 obliges more sectors to take technical and organisational measures to manage the risks posed to the security of networks and information systems. In fact, where the NIS Directive included operators of essential services and digital service providers in its scope of application, the NIS 2 Directive proposes to replace these with two new categories of entities.
NIS2 now includes:
- Annex I: ‘Essential sectors’ covered by the new security provisions include: health, energy, transport, banking, digital infrastructure, public administration and space sectors.
- Annex II: ‘Important sectors’ include: entities manufacturing medical devices, postal services, waste management, food production and processing and digital providers.
Public and Private:
Article 2 of the NIS 2 Directive establishes that the directive applies to certain public and private ‘essential entities’ operating in the sectors listed in Annex I of the Directive (energy, transport, banking, financial market infrastructures, health, drinking water, wastewater, digital infrastructure, public administration, and space) and to certain ‘important entities’ operating in the sectors listed in Annex II of the NIS 2 Directive (postal and courier services, waste management, manufacture, production and distribution of chemicals, food production, processing and distribution, manufacturing, and digital providers). In addition, a size-cap rule is introduced, according to which all medium and large entities, as defined by Commission Recommendation 2003/361/EC of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises, operating in the above-mentioned sectors would automatically fall within the NIS 2 Directive’s scope of application (Recital 8 of the NIS 2 Directive).
Flagging & Into Effect:
The revamped legislation requires entities to flag cybersecurity incidents within 24 hours; failure to do so can result in monetary penalties. Also, as per the agreement, the European Union member states are required to transpose the provisions into their national law within 21 months of the directive entering into force.
Note: For the adoption of the NIS2 Directive, both the Parliament and the Council, as co-legislators, will need to agree on the final text.