The NIS directive was adopted by the European institutions in July 2016 with the aim of ensuring a certain level of security for networks and information systems belonging to critical and sensitive infrastructures in EU member states. Six years later, revisions to this directive are gaining pace, with the first agreements between the Commission, the Parliament and the European Council in May and June 2022. The yet-to-be-adopted new NIS2 Directive is already prompting many questions about its implications and scope of application. Here’s why.
Broader involvement by stakeholders
The increase in cyber-attacks in recent years is forcing EU Member States to increase their levels of security to protect citizens, local and regional authorities and businesses. To meet this challenge, the NIS Directive is being reformed, harmonised and strengthened in version 2.0. According to Thierry Breton, European Commissioner for Internal Trade, this reform must “further secure critical services for society and the economy.” And enable a “modernisation of the rules.”
The first degree of harmonisation will be a broadening of the sectors concerned. Inclusion of the postal services, waste management, chemical production and distribution and agri-food sectors will see the number of sectors covered by the NIS2 Directive increase from 19 to 35. Regarding French national territory, Guillaume Poupard, Director General of the ANSSI, declared in June 2022 that the NIS2 directive would considerably extend its scope, representing “a tenfold increase in the number of stakeholders classified as operators of essential services (OESs).” To date, there is no official figure for the number of companies affected, but early unofficial estimates suggest that several thousand French organisations will be affected.
Local and regional authorities are also included in this reform. According to an interview with Yves Verhoeven, Deputy Director of Strategy at the ANSSI, speaking to the La Tribune newspaper, “the revised NIS provides the option of regulating local authorities and imposing cybersecurity rules on them.” It should be noted that this is only an option, as each Member State has the right to extend the scope of the new directive to its local administrations.
Subcontractors and service providers with access to critical infrastructure, who were overlooked in the first version of the directive, will also be subject to NIS2. That’s because flaws in a provider’s infrastructure could jeopardise the security of the OESs for which it works. The cyber attack on Kaseya in July 2021 is an unfortunate and well-known example of such supply chain attacks. Once NIS 2 has been implemented, the reality on the ground will be very different. For example, in the energy sector, security measures will no longer be imposed solely on electricity producers, transporters and distributors. And all critical infrastructure subcontractors will also be affected. In particular, service providers and other digital services companies will be obliged to report any security incident within 72 hours in order to contain the spread of the attack. It is therefore to be expected that small and medium-sized companies will quickly recruit a CISO role to meet security requirements and continue to work with large accounts. This adds further tension to a labour market that already seems to be at breaking point...
NIS2: the beginning of the end for OESs
Before we talk about their end, let’s start with a quick definition: what is an OES? Designed as an extension of the OIV (operator of vital importance) status established in France by the 2013 Military Planning Act, an OES is an essential service operator for whom an IT system or infrastructure failure would have a significant impact on the functioning of the French economy or society.
However, with the inclusion of subcontractors and service providers in charge of critical infrastructure, the NIS2 Directive signals the end of the OESs. From now on, the scope of these regulated operators will be divided into two types of players: essential entities (EEs) and important entities (IEs), which will be differentiated according to the criticality of the associated sectors. This means that critical entities will obviously have a greater impact than important entities in the event of a service outage. The end of operators of essential services (and digital services providers), and the adoption of the essential and significant business categories, are intended to harmonise all obligations upon these stakeholders.
This desire for harmonisation also raises questions, as companies and operators will be responsible for designating themselves as EEs or IEs. To do so, they will base their decision on one of the 35 sectors of activity previously targeted and the size of their entity (medium to large company, medium-sized company and small and micro company). In addition, each Member State will, at its own discretion, be able to designate certain operators as essential or important according to criteria that have not yet been set out. The selection criteria have not yet been fully defined. At the time of writing, a threshold number of employees or a certain volume of turnover is reportedly under consideration.
A new binding dimension to the Directive
According to Thierry Breton, this reform of the directive provides greater security for entities “by implementing a system of obligations and sanctions.” The NIS2 directive is a “major step forward,” according to the European Commissioner, extending its coercive powers. First of all, the obligation to declare a loss within 72 hours makes it possible to react as quickly as possible and contain the cyber threat. At the same time, companies, subcontractors and local authorities will be required to undergo safety audits in order to receive recommendations and thus meet stringent safety standards.
For companies that fail to cooperate or contravene the regulations, the NIS2 Directive has also introduced revised sanctions. In the event of a security incident and a refusal to cooperate with the authorities, NIS2 provides states with a right of injunction. Companies will therefore be forced to comply with the State’s request, and may be subject to fines of between 1.4% and 2% of turnover. As in the case of the former OES status, the manager may be liable.
But while this reform aims to improve security, it also raises budgetary issues. For the thousands of companies affected, executive committees will be required to focus on their budgets for investment in cybersecurity products – and allow more flexibility in this area. And what about local municipalities, departments and regions? With less flexibility than their private counterparts, these entities will be forced to make do with the opportunities available to them (such as the France Relance plan), with restricted budgets and a lack of human resources. This is a gap in terms of tools and skills that is already difficult to fill, especially for small and medium-sized communities today, and the situation is likely to get even worse following the implementation of the NIS2 directive.
When is NIS2 coming? The answer to that question is not so simple. At the time of writing the first version of this article, the NIS2 Directive was still in the drafting stage. There were still a few validation phases to go before it could be applied. Since then, the European Parliament officially adopted the new NIS2 Directive on Thursday 10 November 2022. Its implementation, at national level, is therefore not expected before the end of 2023 or early 2024. But will this give all the entities concerned time to prepare for a major change in the face of the cyber threat?
