New EU Cybersecurity Legislation to Replace NIS Directive

EU Cybersecurity Legislation

Accompanying the launch of the “EU’s Cybersecurity Strategy for the Digital Decade” in mid December last, the EU Commission published a proposal for a new EU cybersecurity law to replace the current NIS Directive. The proposal is now under discussion in Brussels and once adopted will need to be implemented in Ireland.

The proposal is to update the existing legal framework taking account of increased digitisation of society (intensified by the COVID-19 public health emergency) and the evolving cybersecurity threat landscape. This draft legislation requires increased national cybersecurity capabilities, improved EU level cross border coordination and cooperation arrangements, and enhanced regulation of industry and public sector interests.

The current limited number of organisations that qualify under the existing NIS Directive sectors (energy, transport, banking and financial market infrastructure, health, drinking water, digital infrastructure and certain digital service providers) is to be expanded. In addition new sectors and services such as telecoms, chemicals, food, postal and courier services, certain manufacturing services, public administration, social-networking platforms, space, waste management, and wastewater management are proposed to be included. All public and private sector entities in these sectors that do not meet the size exemption for micro and small business (< 50 staff, <10m€ turnover/balance sheet) are to be automatically within scope of the governance, risk management, security and reporting obligations. Furthermore some organisations regardless of size are to be covered, notably in telecoms and DNS. This is to replace the categories of operators of essential services and digital service providers under the existing Directive.

The EU Commission anticipates that over 110,000 organisations throughout the EU would be within scope. That would equate to an almost 20 fold increase in business and utilities being subject to cybersecurity regulatory requirements in Ireland. There are to be 2 categories of regulated organisations, namely “essential entities” that are to be subject to proactive supervision and “important entities” that are to be subject to a lighter supervisory approach.

The proposal introduces express governance measures requiring undertakings to approve and supervise cybersecurity risk management provisions and adds a number of minimum basic security elements that must be provided for in any event. In addition the proposal introduces express requirements to manage third party risks in supply chains and supplier relationships. It also includes the option of mandatory cybersecurity certification of ICT products, services and processes being required in accordance with schemes being developed under the previous EU legislation on cybersecurity, notably EU Regulation 2019/881. Reporting obligations are to be expanded, in terms of what must be reported, to whom reports must be made, and within what timeframe.

As part of increased supervision and enforcement measures, EU Member States would be required to provide for administrative fines up to at least 10m€ or 2% of the total worldwide turnover, whichever is higher. In line with the more stringent enforcement regime applicable to them, essential entities who persist in non-compliance may also see their relevant authorisations suspended or have senior management suspended from exercising managerial functions.

Cyber crisis management would come within the remit of the proposed Directive. There are also provisions on coordinated vulnerability disclosure and structured information sharing arrangements. There is a focus on increased scrutiny of Member State resourcing through peer reviews of Member States capabilities and resourcing, and obligatory provisions on mutual assistance between authorities.

It’s important that industry is aware of these draft new legislative proposals and avails of the opportunity to influence them. The Department of the Environment, Climate and Communications is looking for feedback. The link for the feedback is here along with the documents accompanying the revised Directive proposal, namely Cybersecurity – review of EU rules on the security of network and information systems (europa.eu). Closing date for receipt of feedback submissions is 18 March.