New EU Cybersecurity Strategy: European Commission accelerates push for EU to lead in cybersecurity regulation

On 16 December 2020, the European Commission launched the EU’s new Cybersecurity Strategy for the Digital Decade, seeking to bolster Europe’s cyber resilience and step up the EU’s leadership in cybersecurity regulation.

The announcement could not have come at a better time, just days after a cyberattack against the European Medicines Agency exposed sensitive information on two Covid-19 vaccines and at a moment when the SolarWinds breach unravels into possibly the most consequential cyber incident ever, affecting businesses across all sectors, public administrations and governments worldwide. “The time of innocence is over. We know that we are a target,” Commission Vice-President Margaritis Schinas told reporters when presenting the proposals last week.

In addition to announcing a number of investment and policy instruments, including the set-up of a ‘EU Cyber Shield’ (a European early detection system powered by artificial intelligence) and a ‘Joint Cyber Unit’ to respond collectively to cyber incidents and threats, the new strategy anticipates significant regulatory change. The highlights of the proposed regulatory package, which will affect many public and private entities doing business in the EU, are summarised below.

Proposal for a NIS 2 Directive

In 2016, the NIS Directive introduced the first piece of EU-wide legislation imposing cybersecurity requirements and incident reporting obligations on operators of essential services and digital service providers. Just two years after the deadline for EU Member States to transpose the NIS Directive into national law, and following a review process accelerated by the Covid-19 pandemic, the European Commission is now proposing a revamp announced as the ‘NIS 2 Directive’.

The Commission’s proposal seeks to “modernise” the current regime to take account of the evolving cybersecurity threat landscape and address “several weaknesses that prevented the NIS Directive from unlocking its full potential” (see Explanatory Memorandum, at p. 1). Here are the key changes proposed.

Extended scope

Whilst the proposed NIS 2 Directive continues the sectoral approach of its predecessor, it provides for a more comprehensive coverage of sectors and services considered to be of vital importance to the European internal market. In addition to the sectors already covered under the current regime (energy, transport, banking and financial market infrastructure, health, drinking water, digital infrastructure and certain digital service providers), new sectors are brought into scope, including telecoms, chemicals, food, postal and courier services, certain manufacturing, public administration, social-networking platforms, space, waste management and wastewater management (see Annex of the proposal). Furthermore, instead of the current identification of individual operators at a national level, the proposed rules introduce a size-cap to cover, within the selected sectors, all medium and large enterprises as defined under EU law. Micro and small entities are exempt, unless they have a high-security risk profile in which case the proposed rules apply regardless of the entity’s size.

Broadening the extra-territorial effect already in place under the current regime, selected providers of digital infrastructure or digital services who do not have a European establishment, but offer services in the EU, will also fall under the scope of the proposed NIS 2 Directive (and, to that end, will have to designate a representative in the EU). This will affect DNS service providers, TLD name registries, cloud computing service providers, data centre service providers and content delivery network providers, as well as providers of online marketplaces, online search engines and social networking services platforms.

Essential and important entities

The proposed NIS 2 Directive no longer distinguishes between operators of essential services and digital service providers but, instead, classifies entities between essential and important categories. Both essential and important entities will be subject to the same cybersecurity management and reporting requirements, but the supervisory and penalty regimes will differ: whereas a full-fledged, ex ante supervisory regime will apply to essential entities, important entities are subject to lighter ex post supervision in the event of evidence or indications of non-compliance. This way, the European Commission seeks to address the frequent criticism that, under the current NIS Directive, some entities are facing a disproportionate compliance burden.

Cybersecurity management and reporting obligations

The new rules introduce, for the first time, express governance requirements, requiring management of subjected entities to approve and supervise cybersecurity risk management measures and to follow cybersecurity training. In terms of the cybersecurity risk management itself, the proposed revamp continues the open-ended standard of taking, with regard to the state of the art and the risk posed, ‘appropriate’ and ‘proportionate’ measures, but adds a number of minimum basic security elements that must be provided for in any event. Significantly, the proposed NIS 2 Directive would introduce express requirements to manage third party risks in supply chains and supplier relationships, thus addressing one of the most important challenges facing cybersecurity today. The proposal provides that the European Commission will lay down the technical and methodological specifications of the minimum requirements, and anticipates that entities may (and certain essential entities must) demonstrate compliance through obtaining cybersecurity certification under the EU-wide cybersecurity certification framework envisaged by the recent EU Cybersecurity Act.

Reporting obligations will be expanded, in terms of what must be reported, to whom must reports be made, and within what timeframe.

• In line with the current regime, entities must report to the competent authorities or CSIRT any incidents with a significant impact on the provision of their services. In addition, under the new rules, entities would also be required to report any significant cyber threat that could have potentially resulted in a significant incident.
• Entities subject to the new rules would now also be required to notify the recipients of their services of any incidents that are likely to adversely affect the provision of the relevant service. In case of a significant cyber threat potentially affecting the relevant service, service recipients must be notified of any measures or remedies that those recipients can take in response to that threat and, “where appropriate”, of the threat itself. The recitals to the proposed NIS 2 Directive clarify that this should be done “free of charge” and that this does not discharge the subjected entitiy itself from the obligation to take, at its own expense, appropriate and immediate measures to prevent or remedy any cyber threats and restore the normal security level of its service (see recitals 52-53).
• In terms of timing, notification must, as under the current regime, be made “without undue delay”. However, for the reporting to the competent authorities or CSIRT, a two-stage approach is introduced, requiring entities to, within 24 hours of becoming aware of the incident, submit an initial notification followed by a final report within a maximum time frame of one month. Remarkably, under the proposed rules, the competent national authorities or CSIRT must also respond, within another 24 hours, to the initial report with initial feedback on the incident and, if requested, guidance on the implementation of possible mitigation measures.

In what is perhaps the package’s most eye-catching element, EU Member States would be required to provide for administrative fines up to at least EUR10 million or 2% of the total worldwide turnover (at an undertaking level), whichever is higher. In line with the more stringent enforcement regime applicable to them, essential entities who persist in non-compliance may also see their relevant authorisations suspended or have senior management suspended from exercising its managerial functions (each time until the necessary remedial action has been taken).

Coordinated vulnerability disclosure

Finally, and significantly, the proposed NIS 2 Directive seeks to encourage coordinated vulnerability disclosure practices, whereby an entity invites outsiders (often ‘ethical hackers’) to report vulnerabilities in a manner allowing to diagnose and remedy the vulnerability before it being disclosed to (and potentially abused by) third parties. To that end, the EU’s cyber security agency, ENISA, would be required to develop and maintain a European vulnerability registry to enable important and essential entities and their suppliers of network and information systems to disclose and register vulnerabilities in ICT products or ICT services.

Interaction with sector-specific regulation

If adopted, the proposed NIS 2 Directive would apply alongside sector-specific lex specialis, including the proposed Directive on the Resilience of Critical Entities for critical infrastructure (discussed below) and the recently proposed ‘DORA’ Regulation on digital operational resilience for the financial sector. However, a sector-specific lex specialis will prevail to the extent it imposes cybersecurity risk management or notification obligations of at least an equivalent effect to the obligations set out in the NIS 2 Directive.

Feedback on the regulatory proposal

The proposed NIS 2 Directive is open for feedback until 15 February 2021.

Proposal for a Critical Entities Resilience Directive

Acknowledging the increasing interconnection and interdependency between physical and digital infrastructures, in addition to the proposed NIS 2 Directive, the European Commission is also looking to enhance the resilience of critical entities against physical threats by replacing the current 2008 European Critical Infrastructure Directive with a new Critical Entities Resilience Directive. The new Critical Entities Resilience Directive would expand the scope of the existing EU rules on critical infrastructure from two (energy and transport) to ten sectors, covering energy, transport, banking, financial market infrastructures, health, drinking water, wastewater, digital infrastructure, public administration and space. By advancing the expectation that entities designated as critical entities under the Critical Entities Resilience Directive at the national level will also classify as essential entities subject to the proposed NIS 2 Directive, the European Commission seeks to subject those critical entities to more general resilience-enhancing obligations in order to address both cyber and non-cyber risks.

As with the proposed NIS 2 Directive, the proposed Critical Entities Resilience Directive is open for feedback until 15 February 2021.

Some side dishes

As part of the announcement, the European Commission also reiterated its pledge to other regulatory initiatives in the area of cybersecurity, including with respect to 5G security, the EU’s autonomous cyber sanctions regime and an ‘Internet of Secure Things’.

5G Security

In January 2020, the European Commission endorsed the EU 5G Toolbox that sets out the measures agreed by EU Member States to address security risks in 5G telecommunication networks and, in particular, the exposure to high-risk suppliers. The European Commission now published another update report on the implementation of the EU 5G Toolbox (see here) and urges EU Member States to complete, by Q2 2021, the legislative processes to introduce specific security restrictions currently underway at the national levels.

EU Cyber Sanctions

In July and again in October of this year, the EU imposed financial and travel restrictions on Russian, Chinese and North-Korean individuals and entities for their alleged involvement in a number of widely-publicised cyberattacks including the ‘WannaCry’ and ‘NotPetya’ ransomware attacks, the US$81 million Bangladesh Bank cyber heist and the 2015 Bundestag hack. Significantly, these sanctions prohibit any EU business from making funds or economic resources available, either directly or indirectly, to or for the benefit of those listed, including when that business falls victim to a cyberattack and is extorted into paying a ransom to have their systems decrypted (earlier post here). The European Commission now seeks to bolster this sanctions regime, and announces a proposal for the Council to decide on future listings by qualified majority rather than unanimity.

IoT

Finally, the European Commission stresses the on-going work in the development of a European cybersecurity certification schemes for internet of things (IoT) devices, and says it is considering new horizontal regulation for the cybersecurity of connected products and associated services offered in the European market. This horizontal regulation could include a new duty of care for connected device manufacturers to address software vulnerabilities (including the continuation of software and security updates) and an obligation to delete personal and other sensitive data at the IoT device’s end of life.

Next steps

The European Commission’s proposals will now need to go through the legislative process, and be discussed by – and agreed between – the European Parliament and the EU Member States via the Council. Whilst it may take a number of years for the rules to be adopted, implemented and become enforceable, the proposals put forward by the European Commission clearly set the tone for what is about to come.