Europe is awaiting the next step in the evolution of cybersecurity regulation. On 13 May 2022, the Council and the European Parliament reached a provisional agreement on the so-called NIS 2 Directive (Directive on measures for a high common level of cybersecurity across the Union). NIS 2 repeals the currently effective NIS Directive.
What is going to change? NIS 2 expands the range of entities that will have to comply with cybersecurity rules, and it will apply to numerous, if not most, TNT companies. NIS 2 recognizes two categories of sectors: essential and important. Most TNT companies will fall into the essential category as entities of the digital infrastructure sector. Those entities are internet exchange point providers, DNS service providers, cloud computing and data centre service providers, content delivery network providers, trust service providers within the meaning of eIDAS, and providers of public electronic communications networks and services. Besides digital infrastructure, other essential sectors include health, energy, transport, banking, public administration and space. In addition to the essential entities, some TNT companies will be classified as important entities, e.g., postal services or digital providers. Digital providers are providers of online marketplaces, online search engines and social networking platforms. According to the Recitals of the directive, the difference between the two categories lies in the level of criticality of the sector or the type of service, as well as in the degree to which other sectors or services depend on it.
Micro and small entities are excluded from the scope of the directive unless it explicitly covers them. Such exceptions apply where small entities nevertheless play a key role for the economy and society, e.g., providers of public electronic communications networks and services, which fall under the directive regardless of their size.
It is obvious that NIS 2 will significantly affect an extended range of entities. This extension was the crucial point of discussion during the adoption of the directive. The new obligations will bring an additional, first and foremost financial, burden to many entities. However, the newly covered entities should already be accustomed to some of these measures from the GDPR, which makes no distinction between sectors or the size of entities.
The obligations of essential and important entities differ explicitly only in supervision. NIS 2 makes a distinction between ex ante and ex post supervision. Essential entities may be supervised proactively, whereas important entities are supervised only after a supervisory authority has been provided with evidence or an indication that the entity does not comply with the rules. Essential entities will therefore be subject to a more stringent supervisory and enforcement regime, including on-site inspections and off-site supervision such as random checks and regular audits.
Both essential and important entities have to take appropriate and proportionate technical and organizational measures to manage cybersecurity risks. The implemented measures have to take into account the risks posed to the systems of the individual entity. NIS 2 is based on the assumption that every company is familiar with its own systems and their level of risk. NIS 2 requires an outcome, namely a level of security appropriate to the risks, but leaves it, with few exceptions, to the entities to assess which measures they implement to achieve that outcome. On the other hand, the measures should not impose a disproportionate financial and administrative burden. NIS 2 thus emphasizes a risk-based approach, and entities have to adjust their cybersecurity risk management accordingly.
Unlike the currently effective NIS Directive, NIS 2 determines the minimum set of measures that both types of entities have to take. These measures include risk analysis and information system security policies, incident handling, business continuity and crisis management, supply chain security, security in the acquisition, development and maintenance of systems (including vulnerability handling and disclosure), policies and procedures to assess the effectiveness of cybersecurity risk management measures, and the use of cryptography and encryption.
The directive makes no distinction between essential and important entities in their obligation to implement appropriate measures. Nevertheless, the measures taken by an essential entity should, by their nature, reflect the importance that NIS 2 ascribes to its sector, so essential entities should certainly go beyond the minimum measures set by NIS 2. In the future, the Commission may expand the list of obligatory measures to take into account new cyber threats, technological developments or sector specifics.
By Eva Fialova, Attorney at Law, PRK Partners