It’s getting hard to keep up with the flurry of legislative activity from the European Union these days. Barely a month goes by without a major technology law being announced, whether it’s the DSA, the DMA, the Data Act or the AI Act. Such is the pace of law-making that, sometimes, two significant proposals are announced — or, this being the EU, leaked — within a matter of days of each other.
That happened last week, with the Commission revealing its plans for (1) a law requiring tech companies to scan for and remove child sexual abuse material on their platforms, and (2) an update to the NIS Directive with the aim of enhancing cybersecurity across the bloc.
I think about the original NIS Directive (aka NIS 1) as being one of those events that gets overshadowed by another, bigger event. CS Lewis and Aldous Huxley dying on the same day as JFK. Harriet Quimby becoming the first female pilot to fly over the English channel, the day after the Titanic sank. That type of thing.
Member States were required to implement NIS 1 on 9 May 2018, a couple of weeks before the GDPR. My brain has largely wiped all memory of that period to avoid triggering PTSD, but my hazy recollection is that most clients focused exclusively on the GDPR, even in cases where NIS 1 may have applied to them. Some Member States didn’t get around to meeting the 9 May deadline, and anyway the law wasn’t enforced widely (or at all, in some countries), with the result that a once-ostensibly important event, thanks to the growth of the GDPR Industrial Complex, has largely been forgotten.
The European Commission is hoping to change that, and on Friday announced that it has agreed the terms of an updated NIS Directive (aka NIS 2). Key points are as follows:
- The scope of the Directive has been significantly expanded, with businesses in the healthcare sector (including those that carry out R&D and those that manufacture medicines and medical devices) and a wider range of “digital infrastructure” providers, such as cloud service providers, data centres, social media services and electronic communications networks, now being caught by the law. What’s more, all medium and large businesses within those sectors will be caught – as will some smaller entities, over which Member States are given discretion.
- In-scope entities must implement a range of cybersecurity risk management measures, including supply chain security and the use of cryptography and encryption (together with the security procedures, risk analysis policies and business continuity measures that comprise one limb of a healthy GDPR compliance programme). Given the advances in technology since ye olden days of 2018, those measures will need to be reviewed and revised as needed to meet a cyber-focused law.
- Entities must make initial reports of security incidents to their national authority within 24 hours of becoming aware of them (cf. the GDPR’s 72-hour notification requirement) where the incident (1) caused or has the potential to cause substantial operational disruption or financial losses for the entity, or (2) affected or has the potential to affect individuals by causing considerable material or non-material losses. They must also report incidents to affected individuals and, in some cases, to the general public.
- Failure to implement security measures or to report incidents can result in fines of up to 2% of the preceding year’s annual global turnover, and Member States also have the power to impose periodic penalty payments in order to compel the entity to stop the infringing behaviour.
All of this adds up to a stronger proposition than NIS 1, whose effect was hobbled by divergence of approaches to implementation by Member States (as well as the bigger, badder, cooler GDPR). The Council and Parliament now need to agree on the text of NIS 2, but we can assume that the law will be passed in a largely similar form to the Commission’s proposal — after which Member States will have two years to implement it.
Needless to say, the UK appears to be taking a different approach to the reform of NIS 1, in line with its risk-based regulatory strategy for data post-Brexit. Whilst the finalised regimes are likely to be similar in places, entities that are caught by both laws may find themselves wishing for simpler times, when NIS 1 was but an event to be shortly overshadowed.
In spite of its notable achievements, the Directive on the security of network and information systems, which paved the way for a significant change in mind-set, institutional and regulatory approach to cybersecurity in many Member States, has by now also proven its limitations.