NIS 2 Directive: the draft

The Directive on Security of Network and Information Systems, or short the NIS Directive, has been around for a while now. Even though it had to be transposed into the laws of each member state by May 2018, it has been around since August 2016. This directive states rules and requirements regarding cybersecurity in the EU. It is sectioned in 3 parts: the capabilities of the member state, collaboration across borders with other states and the supervision of critical sectors by the state. The European Commission has decided to review this directive and change some things, since it has been around for a while and things change rapidly in the computerized world.

The NIS 2 Directive will be a revised version of the NIS Directive (concerning measures for high common level of cybersecurity) while the new directive would concern itself around the resilience of critical entities, the CER Directive.

First, we would like to start with the new sectors that would fall under the new directive. Now not only healthcare, transport, the financial sector, digital infrastructure, water & energy supply and digital service providers must comply with the rules stated in NIS 2, but also the following list:

• Public electronic communications networks or service providers
• Wastewater & waste management
• Food industry
• Manufacturing of critical products (pharma, medical products, chemicals, …)
• Space industry
• Digital services (social networking, data center services)
• Postal and courier services
• Public administration

The NIS Directive wants to improve the following 3 big points in Europe: capabilities, cooperation, and cybersecurity risk management. These have not changed but have been expanded. Hereunder you can find a list of the changes that have been made for each bullet point:

• Capability: Instead of just improving your cybersecurity capabilities, you now must introduce better measures and enforcements for supervision. They also will have a list with administrative sanctions which include the fines for breaching these things. Lastly, they will have obligations to report certain activities.
• Cooperation: At first it started as just cooperating with the other member states, but now the Commission wants to establish a cyber crisis liaison to support large-scale incidents. They also want more information sharing between authorities of member states. To end, they want coordinated vulnerability disclosure for new vulnerabilities across the EU.
• Cybersecurity risk management: In the first Directive operators of essential services (OES) and digital service providers (DSP) had to adopt risk management practices. With this came the fact that they had to notify authorities when there were significant incidents. Now the Commission will change that to a list of measures (incident response, crisis management, vulnerability handling, …) for strenghtened security. The increase of accountability will be addressed as well. This will help in assuring that the company complies with the risk management measures. Lastly, a streamlined incident reporting obligation must be created. This will help refining the provisioning of reports.

The organizational security measures that were imposed and proposed in the current NIS Directive remain valid. If your company falls under the scope of the NIS Directive, you should, among other things, draw up an information security policy or you can use your ISO certification to demonstrate your compliance.

Since January 2017, the ePrivacy Regulation has been under negotiation to replace the ePrivacy Directive, to date this is still a work in progress. A binding centralized law for every member state will enter into force. The ePrivacy Regulation concerns privacy and protection of personal data in electronic communications.

Until today, the European Council and the European Parliament still disagree on significant issues. For example, there is still discussion about the definitons of “unwanted calls”, “direct marketing” and about the scope of the Regulation. However, we will try to point out the most important changes and how they will affect business.

Following changes are proposed in the ePrivacy Regulation. Good to know is that the ePrivacy Regulation is complementary to the GDPR rules and it will overrule them wherever both are applied.

• Territorial scope: All users located in the European Union. Companies that process EU user data outside of the Union will also be subject to the Regulation. If the company is not based in the EU, a representative must be appointed in an EU member state.
• Cookies: New rules will try to improve the user’s internet experience while still protecting privacy and personal data. Consent to certain cookie types should be given in the browser’s settings. Users wouldn’t have to consent to cookies for anonymous information processing anymore. The amount of cookie walls should reduce heavily because of this.
• Electronic communications data: The Regulation states that consent should be obtained before this data is processed. There are however some exceptions. The consent is not needed when the data is needed to ensure the transmission of the communications, to meet mandatory quality of service or when it is necessary for billing/calculating payments/detecting or stopping the fraudulent use of the service.

The ePrivacy regulation is still in draft from, at the end of 2021 there were again several discussions to close some chapters and move on to new parts. To be continued …