There has been a marked increase in the amount of legislation generated at EU level with a view to improving cybersecurity across Europe. It includes NIS2, the Cyber Resilience Act, the Digital Operational Resilience Act (DORA) and the EU Cybersecurity Act. Julie Austin, Privacy & Data Security partner, explores these four key pieces of legislation and what they might mean for you.
The Network and Information Security Directive (NIS2), the Cyber Resilience Act, the Digital Operational Resilience Act (DORA) and the EU Cybersecurity Act are each aimed at strengthening the EU’s cybersecurity framework in light of the heightened threats to cybersecurity in the digital age. In this article, we explore these four key pieces of legislation, and what they might mean for you.
NIS2 Directive
What is it?
In 2018, the Network and Information Security Directive (NIS1) harmonised national cybersecurity capabilities, cross-border collaboration and the supervision of critical sectors across the EU. However, a common criticism levelled against NIS1 is that it is inconsistently applied across Member States, resulting in divergent security requirements and incident notification requirements. The European Commission conducted a review of NIS1 and developed a proposal for a revised directive, EU Directive 2022/2555 on measures for a high common level of cybersecurity across the Union (NIS2). NIS2 will repeal and replace NIS1.
The goal of NIS2 is to expand the scope of NIS1, making it “future-proof”. It provides legal measures which are geared towards boosting cybersecurity in the EU.
NIS2 builds on three elements of NIS1:
1. Competent authorities: Improve the level of joint situational awareness and the collective capability to prepare and respond, by:
- Taking measures to increase the level of trust between competent authorities. In Ireland, this is the National Cyber Security Centre (NCSC)
- Sharing more information
- Setting rules and procedures in the event of a large-scale incident or crisis
2. Reduce inconsistencies in resilience: Further aligning:
- The de facto scope
- The security and incident reporting requirements
- The provisions governing national supervision and enforcement
3. Increase the level of cyber-resilience: NIS2 puts in place rules that ensure that public and private entities across the internal market, which fulfil important functions for the economy and society as a whole, such as energy, banking and financial markets, are required to take adequate cybersecurity measures.
Who does it apply to?
NIS2 extends to a larger part of the economy than NIS1. It applies to entities from a number of “critical sectors” including:
- The energy sector
- Financial market infrastructures
- ICT Service Management (managed service providers and managed security service providers)
- Waste management
- Food
- Machinery and equipment
- Digital providers (online marketplaces, online search engines and social networks)
NIS2 defines two categories of public and private entities within scope: “essential” entities and “important” entities, with more onerous obligations for “essential” entities.
When does it come into effect?
NIS2 was published in the Official Journal on 14 December 2022. As a directive, it must now be transposed into national law by each Member State of the EU. Member States must adopt and publish the measures necessary to comply with NIS2 by 17 October 2024.
The EU Commission will periodically review the functioning of the Directive and report on it to the Council for the first time by 17 October 2027.
What will enforcement look like?
Most entities will fall under the jurisdiction of the Member State in which they have their main establishment. NIS2 provides a wide range of enforcement measures which Member State authorities may take to supervise entities, including regular and targeted audits, on-site and off-site checks, and requests for information. NIS2 also sets up a framework of sanctions across the Union, to include a minimum list of administrative sanctions.
Regarding sanctions, NIS2 distinguishes between essential and important entities. For essential entities, Member States must provide for administrative fines for a breach of NIS2 of up to €10,000,000 or 2% of total worldwide annual turnover for the preceding financial year, whichever is higher. For important entities, NIS2 requires Member States to provide for a maximum fine of at least €7,000,000 or at least 1.4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
Cyber Resilience Act
What is it?
The Cyber Resilience Act is a proposal for a Regulation on cybersecurity requirements for products with digital elements. It aims to address the perceived inadequate level of cybersecurity in many products, as well as addressing the inability of consumers and businesses to determine which products are cybersecure.
According to the EU Commission, the Regulation, once implemented, will guarantee harmonised rules for products or software with a digital element. It will also introduce a duty of care obligation for the entire lifecycle of such products, as well as a framework for cybersecurity requirements governing a number of aspects, with a view to providing for obligations to be met at every stage of the value chain.
The main obligations covered by the proposal include cybersecurity by design, vulnerability management and market surveillance.
Who does it apply to?
When in force, the Regulation will apply to “critical” products with digital elements, i.e. a product with digital elements that presents a cybersecurity risk in accordance with the criteria set out in the proposal.
The obligations will differ depending on whether the product is a Class 1 or Class 2 product.
When does it come into effect?
EU Member States and the European Parliament have come to a provisional political agreement on the Regulation. The European Parliament and EU Council must approve the Regulation before it moves to the next stage of the legislative process.
Once adopted, it will enter into force 20 days after its publication in the Official Journal.
What will enforcement look like?
The draft proposal provides for a number of administrative fines for various offences. These fines can be up to €15,000,000 for a breach of certain obligations, or 2.5% of an undertaking’s total worldwide annual turnover in the preceding year, whichever is higher.
DORA
What is it?
DORA is a package of two pieces of European legislation, a Regulation and a Directive, which aims to strengthen the IT security of financial institutions.
Who does it apply to?
DORA will apply to financial institutions including banks, insurance companies and investment firms but will also have substantial implications for IT service providers who count these institutions as customers.
When does it come into effect?
DORA was adopted in December 2022 and will enter into force in January 2025. 2024 is therefore a critical year for financial institutions to prepare for compliance. Compliance will undoubtedly be aided by the publication of policy documents by EU supervisory entities: the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA) and the European Securities and Markets Authority (ESMA).
The first set of final draft technical standards was published on 17 January 2024 and offers clarity on the required elements of the risk management framework, the criteria for classifying ICT incidents and the measures applying to outsourcing, among other things. The second set of draft technical standards was published on 8 December 2023 and remains open for public consultation until 4 March 2024. A finalised version of the second set of technical standards is scheduled for publication in July 2024.
What will enforcement look like?
DORA imposes a uniform set of rules for ICT risk management, incident reporting and operational resilience testing for financial institutions, as well as for managing the risk posed by third-party ICT providers. To this end, DORA will impose requirements on the contractual arrangements between financial institutions and ICT providers and will set the parameters of an oversight framework for managing these third-party risks. Several of DORA’s key requirements are underpinned by a risk-based approach designed to mitigate the compliance burden on financial institutions. It also contains provisions requiring information and intelligence sharing among financial institutions to mitigate risks at a system-wide level.
Cybersecurity Act
What is it?
The Cybersecurity Act is an EU Regulation which came into force in April 2019. It established the EU Agency for Cybersecurity (ENISA) and is the basis for an EU-wide framework for the cybersecurity certification of ICT products, processes and services. The European Commission proposed an amendment to the Cybersecurity Act in April 2023 which would enable the adoption of European cybersecurity certification schemes for “managed security services” covering areas such as incident response, penetration testing, security audits and consultancy.
Certification is key to ensuring a high level of quality and reliability in these highly critical and sensitive cybersecurity services, which assist companies and organisations to prevent, detect, respond to or recover from incidents. These certifications could be used to demonstrate compliance with the security obligations under the GDPR.
Who does it apply to?
The proposed new system would apply to those who provide managed security services within the EU. Managed security services are defined as “carrying out, or providing assistance for, activities relating to… customers’ cybersecurity risk management”.
When does it come into effect?
It is not yet clear when the proposed amendment will come into effect but, as of March 2024, the proposed amendment remains the subject of discussion within the European Council. It is expected to progress through the legislative process during the course of the year. Both providers and users of managed security services should be cognisant of the effects of the amendment and may wish to monitor its progress.
What will enforcement look like?
While the text of the amendment has not been finalised, the proposed amendment is intended to mirror the language of, and therefore complement, the NIS2 Directive. Certification of the providers of these services will act as a mark of quality for potential customers with the scheme aiming to ensure that these services are “provided with the requisite competence, expertise and experience”.
The amendment would have particular implications for service providers as it would aim to ensure that the service provider has “appropriate internal procedures in place to ensure a high level of quality”. While implementing legislation would be required to define the exact standards to be adhered to for certification, the amendment does contemplate a tiered certification system with “basic”, “substantial” and “high” levels of assurance proposed.
Contact our team
For more information and expert advice, contact a member of our Privacy & Data Security team.
The content of this article is provided for information purposes only and does not constitute legal or other advice.