1 Introduction and context

In the last couple of years, cybersecurity incidents have become a virtually ubiquitous item in the daily news, with ransomware attacks gaining notoriety for ransom demands in the tens of millions of dollars.Footnote 1 This impression is supported by cyber threat landscape reports.Footnote 2 In light of the increased digitalization of the economy, and of the dependency on digital services that the Covid-19 pandemic amplified, the European Commission (EC) in its Cybersecurity Strategy reiterated the call to revise the EU's cybersecurity legislation.Footnote 3

The Network and Information Security Directive (NIS1)Footnote 4 was the first piece of EU legislation on cybersecurity. Its specific aim was to achieve a high common level of cybersecurity across all EU Member States. Among other things, the regulatory regime established by NIS1 required EU Member States to make an assessment of which “entities” provide in their economy “a service which is essential for the maintenance of critical societal and/or economic activities” in certain sectors of the economy and identify the respective operators of essential services (OES). National legislation transposing NIS1 was to subject these OES to cybersecurity requirements as well as notification obligations with respect to cybersecurity incidents.Footnote 5

The proposal by the EC for a revised NIS DirectiveFootnote 6 (NIS2) greatly widens the scope of application of NIS1: it covers more entities in the sectors already listed and adds new sectors. Like NIS1, the NIS2 text speaks of "entities" as regulatory subjects. While in practice most will be companies, natural persons would also fall within this definition.Footnote 7 This contribution focuses on those provisions of NIS2 that determine which entities are within its scope of application and which kinds of obligations these entities will face. Other matters covered by NIS2, namely obligations for EU Member States and cooperation amongst Member States or between them and the EC or the European Network and Information Security Agency (ENISA), are not addressed here.

The implementation period of NIS1 was 22 months, and EU Member States had an additional six months to identify OES, i.e. until 9 November 2018.Footnote 8 The EC carried out an evaluation of the functioning of NIS1 starting in mid-2019.Footnote 9 Among its findings were that the scope of NIS1 did not cover all sectors providing key services to the economy and society; that NIS1 had granted EU Member States too wide a discretion in mandating the kinds of cybersecurity and incident reporting requirements for OES; and that NIS1 lacked effective supervision and enforcement. Accordingly, the EC's main objectives for NIS2 are to cover a larger share of the economy and society by including more sectors, to replace the identification process established in NIS1, and to achieve a higher level of harmonization of security requirements and reporting obligations.Footnote 10

2 The proposed revision to the NIS regulatory regime

As a first step, this section examines which entities are within the scope of NIS2. As a second step, it considers the obligations of those entities and their supervision.

2.1 Identification and new categories

2.1.1 Self-identification

By design, NIS2 does not contain a mechanism like Article 5 NIS1 that enabled EU Member States to identify those entities that are to fall within the scope of the directive pursuant to a set of criticality criteria.Footnote 11 According to the evaluation of NIS1 performed by the EC, the EU Member States carried out the identification process employing varying amounts of resources. This led to different "levels of maturity in dealing with cybersecurity risks".Footnote 12 Furthermore, the EC considers the NIS1 identification process to be "complex".Footnote 13 Therefore, the scope of NIS2 is determined by a single criterion that is to be applied uniformly across all EU Member States: an entity's size. While the EC itself admits that size is "not necessarily an ideal stand-alone criterion to determine the importance and/or criticality" of an entity, it nevertheless considers it a "meaningful proxy" for determining whether certain entities have key roles for society and economies.Footnote 14

Pursuant to the central provision of Article 2 para. 1 NIS2, a company is within the scope of the directive if it belongs to one of the economic sectors listed in its Annexes I and II—see “Important and Essential Entities” below for further details—and is not considered a micro or small enterprise. This generally leads to the exclusion of any entity that employs fewer than 50 employees and whose annual turnover and/or annual balance sheet total does not exceed EUR 10 million.Footnote 15 This so-called “size-cap rule”Footnote 16 would require companies to determine for themselves whether they are in the scope of NIS2, as a determination by the national competent authority (NCA)Footnote 17 is no longer required.

Some entities excluded by the size-cap rule may nevertheless be within the scope of application. Article 2 para. 2 NIS2 lists five types of entities to which the size-cap rule does not apply at all (letters a, b, and g) and four non-cumulative criteria (letters c through f), any one of which brings an entity within the scope of NIS2 regardless of the size-cap rule.Footnote 18 While the types of entities are straightforward, the criteria (letters c through f) are less so. Article 2 para. 2 (c) NIS2, for example, could result in the inclusion of a producer with only a few employees and an annual turnover below EUR 10 million that, while being the sole producer of a good in an EU Member State, produces a good that would generally not be considered critical.

The extension of NIS2 to more sectors, together with the size-cap rule, leads to a significant increase in the number of entities covered. This increase is estimated to be seven-fold.Footnote 19

2.1.2 Important and essential entities

The NIS1 terms OES and digital service providers (DSPs) are completely replaced by the two NIS2 categories "important entities" and "essential entities". The allocation of an entity to either category is determined solely by whether its sector is listed in Annex I (essential entities) or Annex II (important entities). All entities belonging to a sector are therefore automatically allocated to the corresponding category. The sectors and sub-sectors in NIS2 were expanded in comparison to NIS1; for an overview please refer to Table 1 below.

Table 1 Comparison of sectors under NIS1 (not in bold) and NIS2 (in bold); sub-sectors in parenthesis. The order of the listed (sub-)sectors corresponds to the one in the NIS2 Annexes

The annexes include references to EU legislation containing the definition of a certain group of entities. Although it may be burdensome for the legal practitioner to look up the referenced definitions, this approach has the advantage that such definitions are, in most cases, established and quite clear. By deleting the corresponding provisions in other legal acts, the cybersecurity requirements and notification obligations for trust service providers under eIDAS and for electronic communication providersFootnote 20 under the EECC are transferred to NIS2.Footnote 21 However, in some sectors the definitions chosen could be considered quite broad.Footnote 22

2.2 Obligations and supervision

Having established which entities are within the scope of NIS2, this contribution now considers what cybersecurity requirements and reporting obligations the entities newly in scope will face, as well as what will change in this regard for entities currently in scope. The supervision and sanction provisions are then summarized.

2.2.1 Cybersecurity requirements and reporting obligations

Recital 11 and Articles 18 and 20 NIS2 make it clear that entities in both categories, important entities and essential entities, are subject to the same cybersecurity requirements and reporting obligations.Footnote 23 Article 18 para. 1 NIS2 closely resembles Article 14 para. 1 NIS1 and likewise references "appropriate and proportionate" measures as well as the standard of "state of the art". A novelty in comparison to NIS1 is the catalogue in Article 18 para. 2 of the measures that entities will have to observe at a minimum. They include (a) risk analysis and information system security policies; (b) incident handling (prevention, detection, and response to incidents); (c) business continuity and crisis management; (d) supply chain security, including security-related aspects of the relationships between each entity and its suppliers or service providers such as providers of data storage and processing services or managed security services; (e) security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure; (f) policies and procedures (testing and auditing) to assess the effectiveness of cybersecurity risk management measures; and (g) the use of cryptography and encryption. Also new in the NIS regulatory regime is the responsibility and accountability of management bodies and their members for compliance with the cybersecurity requirements.Footnote 24

In order to demonstrate compliance with certain cybersecurity requirements, EU Member States may, pursuant to Article 21 para. 1 NIS2, require essential and important entities to have certain information and communications technology (ICT) products, services and processes certified in accordance with the cybersecurity certification schemes adopted pursuant to Art. 49 CSA. This also includes products and services furnished by third parties. The EC is empowered under Article 21 para. 2 NIS2 to specify which types of essential and important entities must obtain certification in accordance with para. 1.

With regard to reporting obligations, the generalized obligation in Article 14 para. 3 NIS1 is replaced with a detailed and tiered scheme in Article 20 para. 4 NIS2. Incidents having a significant impact on an entity's services have to be notified to the EU Member State's authorities (i) within 24 hours at the latest (initial notification), (ii) upon request of the authorities (intermediate report) and (iii) no later than one month after the initial notification (final report).

2.2.2 Supervision and sanction

The only differentiation between important and essential entities provided by NIS2 lies in the manner of supervision. For this purpose, NIS2 distinguishes between ex ante supervision, i.e. the taking of supervisory measures in advance, and ex post supervision, i.e. taking supervisory action only when provided with evidence or an indication that an entity does not meet the cybersecurity and incident notification requirements. Essential entities are subject to a "fully-fledged"Footnote 25 supervisory regime (ex ante and ex post), while important entities are subject to a "light"Footnote 26 supervisory regime (ex post only). Accordingly, supervision of essential entities includes, for example, "regular audits" under Article 29 para. 2 (b) NIS2, whereas Article 30 (b) NIS2 provides for important entities only "targeted security audits based on risk assessments or risk-related available information".

A new measure is introduced in NIS2 with regard to the members of management bodies of entities. Under certain circumstances NCAs may impose a professional ban on management personnel of essential entities (see Article 29 para. 5 (b) NIS2), and management personnel may be "held liable for breach of their duties to ensure compliance with the obligations laid down" in NIS2 (see Article 29 para. 6 NIS2). However, the wording of both provisions could be construed in different ways, i.e. as to which natural persons should be covered and what legal nature the liability for breach of duty is supposed to have. The latter provision could be read to mean a civil law liability towards third parties, which would amount to a piercing of the corporate veil, something quite rare in many legal systems in the EU. It could, however, also be construed as a liability of the natural person vis-à-vis the essential entity in the context of the employee/employer relationship.

The general clause on administrative fines resembles in principle Article 83 GDPR. Article 31 para. 4 NIS2 provides for a severe maximum fine of EUR 10 million or up to 2% of total worldwide (group) annual turnover, whichever is higher.

3 Key challenges for NIS2 and current status

3.1 Challenges for entities and supervision

This contribution has identified two central challenges in connection with NIS2. Both arise from the material switch from an identification process to a single size criterion, applied across the EU, for determining the scope of application, and from the consequences of that switch for (i) entities and (ii) supervision.

The EC has provided an estimate of the average increase in ICT spending for entities in the first three to four years following the implementation of NIS2. For entities newly in scope of NIS2, the EC estimates cost increases of about 0.63% of the entity's total turnover.Footnote 27 For entities currently in scope of NIS1, the EC estimates cost increases of 0.58% of the entity's total turnover.Footnote 28 The main driver of ICT spending under NIS2 would evidently be the cybersecurity requirements.Footnote 29 Still, some entities will already have invested in ICT security of their own volition, and for them the cost increases would of course be lower than the estimates given above. Since NIS2 does not differentiate the cybersecurity requirements between its two categories, the cost estimates are identical for essential and important entities. It could prove beneficial to differentiate the cybersecurity requirements between the two categories as well.

The approach to supervision will necessarily change from NIS1 to NIS2, given the estimated seven-fold increase in the number of entities to be supervised. If NCAs are to continue supervising essential entities under NIS2 with the same intensity as OES under NIS1, they will require correspondingly larger financial and human resources, even though the identification process is omitted.Footnote 30 Moreover, in order to supervise an entity at all, an NCA must first know that the entity exists and is in scope, and this assessment may itself require considerable resources even without a formal identification process. Whether the removal of the identification process will prove less burdensome and free up capacity at NCAs therefore remains to be seen.

3.2 Current status of NIS2

The proposal is subject to the ordinary legislative procedure. After the presentation of the proposal by the EC on 16 December 2020, the Council and the European Parliament (EP) act as co-legislators. Pursuant to Article 294 TFEU, the co-legislators may adopt the proposal at first or second reading. If the Council and the EP do not reach agreement, a conciliation committee is convened. However, it is now standard practice for the adoption of EU legislation that interinstitutional negotiations between the Council, EP and EC (so-called "trilogues") are conducted, usually before the first reading.Footnote 31 For this purpose, each co-legislator adopts a mandate for the trilogue negotiations. In the case of the EP, the mandate is usually based on a report adopted in committee; in the case of the Council, it typically takes the form of a general approach setting out the main positions of the Council.

The first draft of the report by the rapporteur in the Committee on Industry, Research and Energy (ITRE) is publicly available and includes 91 proposed amendments on a host of issues.Footnote 32 On the side of the Council, according to a press release, EU Member States in the discussions within the Council Horizontal Working Party on Cyber Issues (HWPCI) broadly welcomed the revised directive while raising a number of concerns.Footnote 33 The press release mentions concerns of EU Member States regarding the interaction of NIS2 with sectoral legislation such as CERFootnote 34 and DORAFootnote 35, as well as the "significant expansion of the scope" and the size-cap criterion as the "sole element to be considered when identifying essential and important entities to be covered".

4 Conclusion

In summary, the work on NIS2 by the co-legislators is currently progressing. Each co-legislator appears to have a number of amendments that will have to be agreed upon during the trilogue. If enacted as originally proposed, NIS2 will bring a significant extension of the scope of application and, with it, considerable impacts on the entities themselves and on their supervision. That said, the original NIS1 proposal took more than three years to be adopted; it therefore remains to be seen how much time the negotiations on NIS2 will require before it is finally adopted.Footnote 36