25 January 2023 | By Marten Männis
A new cybersecurity regime brings enhanced agencies, reporting obligations
The EU cybersecurity regime recently underwent a notable reform. In January 2023, Directive 2022/2555, the new NIS 2 Directive – the EU-wide legislation on cybersecurity – entered into force, amending existing legislation and repealing Directive 2016/1148, in place since 2016. The goal of the new legislation is to modernise the existing legal framework to better address the threats and challenges within the cybersecurity realm, introducing new reporting requirements and giving additional competences to existing agencies.
The preamble of the Directive emphasises the influence that the first NIS Directive had in creating an environment that can address cybersecurity threats within the EU. It lists the completion of specific national frameworks on security and the implementation of regulatory measures covering essential infrastructures as some of the successes that the regime brought. However, the old regime lacked harmonised measures across the Union, which created scenarios where the rules set by two Member States could potentially conflict with one another. Furthermore, this fragmentation carried potentially significant cost implications for vendors who offer cross-border goods or services. This in turn could make cybersecurity risks more potent.
One key change that this Directive introduces concerns the expansion of the sectors and activities covered. In addition, the Directive no longer differentiates between operators of essential services and digital service providers. The types of entities that the Directive applies to are established under Annexes I and II. Companies, in addition to falling under one of the listed sectors and providing services or carrying out activities within the EU, must qualify as medium-sized enterprises, i.e., employ over 50 persons with their annual balance sheet exceeding €10 000 000. Other entities, e.g. critical infrastructure, fall under Article 2(2) of the Directive.
The Directive, like its predecessor, requires Member States to adopt a national cybersecurity strategy under Article 7. The comprehensive strategy must include the following components:
- Its objectives and priorities
- A governance framework on how to achieve the objectives
- A governance framework on the roles and responsibilities of actors and stakeholders
- A mechanism for identifying assets and risks
- Identifying the mechanisms that ensure readiness and responsiveness in addressing threats
- A list of the relevant actors involved in implementing the strategy
- A policy framework for enhanced coordination
- A communication plan for raising societal awareness regarding cybersecurity risks
The national strategies must be assessed at least every five years, using relevant KPIs to make changes if necessary.
Article 10 requires Member States to establish computer security incident response teams (CSIRTs). Their obligations and capabilities are established under Article 11, including, amongst others, the requirement to be adequately staffed and trained so as to ensure the availability of their services at all times. The CSIRTs must monitor and analyse cyber threats and incidents on a national level, providing early warnings, responding to incidents, collecting data, and participating in the EU-wide network to provide mutual assistance. A list of all the members of the network can be found here.
The updated capabilities of CSIRTs are one of the major changes in the updated Directive, as the tasks outlined under Article 11(3) are concrete in their requirements and shift the network from a support unit to a proactive network tasked with monitoring, communicating, analysing forensic data, and responding to cybersecurity threats and similar incidents. Furthermore, Member States must ensure that each CSIRT has a secure communication and information infrastructure at its disposal, and CSIRTs are obliged to contribute to the deployment of secure information-sharing tools.
The Directive also establishes a European cyber crisis liaison organisation network (EU-CyCLONe), a platform which targets EU-wide cybersecurity incidents and aims to improve coordination and the level of preparedness for such potential incidents.
Another update to the new regime concerns the risk-management and reporting obligations that entities falling under Article 3 – essential and important entities – now hold. Such entities must have compliant risk-management measures in place, and their management must have the training necessary to identify and assess cybersecurity risk-management practices and the impact that they have. This requires such entities to take an all-hazards approach, which includes response measures, risk and security policies, network security, HR security and access control policies, and supply chain security. The latter includes security-related aspects of the relationships between each entity and its direct suppliers or providers.
Furthermore, essential and important entities have an obligation to notify their CSIRT (or other competent authorities, if applicable) of all incidents with a significant impact on their operations. This notification must be made within 24 hours of becoming aware of the incident. A second notification must be made within 72 hours, expanding on the initial notification with an assessment of the incident, including its severity. Besides relevant status updates, the entity must compose a final report containing a detailed description of the events, the mitigation measures undertaken, and any potential cross-border implications of the incident.
Companies operating in the energy sector have the potential to qualify as an essential or important entity as defined by Article 3 and Annex I. TotalEnergies, one of the largest energy companies in the world, certainly must establish policies and procedures that ensure compliance with national legislation derived from the NIS 2 Directive. Jonathan Marsh, President of ECLA and International General Counsel at TotalEnergies, said the following:
“The NIS 2 Directive will require the relevant large companies active in the EU to improve their cybersecurity risk-management measures and report incidents promptly. Although this will create additional burdens on management and legal teams to implement upgrades to internal policies and procedures, I believe it is well worth the effort so as to achieve a higher common level of cybersecurity across the EU in the face of globally rising cybersecurity risks.”
Jonathan Marsh, International General Counsel, TotalEnergies, and President of ECLA
The adoption of the regime will be interesting to follow, as will further feedback from legal executives. Given the wide scope of the legislation and the obligations that companies must undertake, in addition to the discretion that Member States have when transposing a directive into national law, the legislation has the potential to significantly influence cybersecurity policies for both larger and especially medium-sized companies.