NIS 2: EU Reviews Rules for Network and Information System Security

By David Harmon

November 8, 2021

The European Commission, the European Parliament, and the EU Council of Ministers are now reviewing the rules that will operate in Europe concerning the security of networks and information systems. This new law is known as NIS 2 and in essence it will ensure that higher levels of cybersecurity will be in place across the European Union.

So why is the European Union reviewing such EU cybersecurity laws at this time?

The reality is that technological innovation is dramatically changing how vertical industries and business processes operate. 

Society is being transformed by new and evolving technologies and this pace of change is very fast. So how can the EU guarantee that the companies operating within this supply chain are providing products and services that are safe and secure? This is the core issue that NIS 2 is seeking to address. The 27 EU member states need to improve their cybersecurity capabilities and do so in a structured manner. There will be closer co-ordination between the European Union and the 27 EU member states in the drawing up of risk assessment and mitigation strategies covering the security of supply chains in Europe. The governance structures that will supervise, enforce, and regulate cybersecurity across Europe will be strengthened. The provisions on NIS 2 will be rigorously enforced. Tough reporting obligations in the case of a security breach are also central elements of this new EU directive.    

The Expanded Scope of NIS 2

Industries that were covered by the original EU NIS 1 directive in 2016 included the energy, financial markets, transport, digital providers, and banking sectors. It also included some elements of the digital infrastructure sector such as companies that provided cloud services.

The new NIS 2 proposal eliminates the distinction between operators of essential services and digital service providers. In other words, the telecom sector falls under the full remit of NIS 2 and it will also include companies that, for example, deploy and construct data centres. Other sectors being brought under the scope of NIS 2 include the manufacturing, waste management, chemicals, waste water, health, public administration and space sectors. EU member states, the European Commission and ENISA (European Network Information Security Agency) are to draw up risk assessment plans and identify what measures are required to protect supply chain security. Companies covered by NIS 2 must take appropriate measures that relate to supply chain security and implement risk management strategies accordingly.

NIS 2 Obligations

Medium- and large-scale companies that fall under the scope of NIS 2 must carry out an assessment of the companies that supply them and be assured that such companies are not a risk to the supply chain. The industry, technology, research and energy (ITRE) committee of the European Parliament voted on the European Commission NIS 2 text on 28 October 2021. Recitals 46 and 47 of this NIS 2 text give EU member states the discretion to invoke non-technical factors when they are transposing the NIS 2 directive into their respective national laws. Examples of such non-technical factors include the following:

  • A strong link between the supplier and a government of a third country.
  • The legislative position of a third country, especially where there is an absence of a security or a data agreement between the EU and a third country.
  • The characteristics of the ownership structure of a supplier.

The draft NIS 2 proposal as it stands now gives EU member states quite a lot of discretion in defining how they can transpose NIS 2 into domestic law. The best interests of a functioning internal market would be for the 27 member states of the EU to agree common, unified and harmonized rules for NIS 2. This will ensure that the risk of a possible fragmentation of the proper functioning of the EU internal market is removed. What companies and suppliers want in the context of NIS 2 compliance is business certainty and to effectively reduce the level of vulnerabilities that are associated with cybersecurity in Europe.

ENISA, the European Commission, and the 27 EU member states should draw up certified technical rules that can form the central basis for a zero-trust approach to rolling out NIS 2 across the European Union. Supply chain risk should be based on hard evidence and on approved and resilient standards. Such an open, transparent, and non-discriminatory framework will promote higher levels of cybersecurity in Europe. Agreeing international standards in the area of supply chain risk management will meet the challenge of ensuring higher levels of cybersecurity in Europe. Securing agreement from both EU and international standard organisations will provide enhanced levels of security for products and services and avoid unnecessary bureaucratic burden.

So what is the next step in the NIS 2 legislative process?

The ITRE committee in the European Parliament has now voted on the NIS 2 legislative proposal. The 27 EU governments representing the EU Council will now have to take a political position with regard to the provisions of NIS 2. This will happen over the next couple of months. Then the European Parliament, the European Commission, and the EU Council will engage in a process of discussion to finalise the terms of NIS 2. This is a process known as ‘trilogue’ negotiations. NIS 2 will be a key legislative dossier that will fall under the French Presidency of the European Union. Final inter-institutional agreement on NIS 2 could yet be secured before the completion of the French Presidency of the European Union. But there are a number of issues that will need to be finalized during this trilogue phase. One important matter that will need to be resolved will relate to the cap size of companies that will fall under the scope of NIS 2. If there is institutional agreement on NIS 2 next year, EU member states will have until 2024 to fully transpose NIS 2 into their national laws.  

Disclaimer: Any views and/or opinions expressed in this post by individual authors or contributors are their personal views and/or opinions and do not necessarily reflect the views and/or opinions of Huawei Technologies.

Published by

David Harmon

EU Director, Cybersecurity and Privacy, Huawei Technologies
