A proposal for a new Directive of the European Parliament and of the Council on measures to ensure a high common level of cybersecurity across the Union (hereinafter as the “Directive NIS2“) is currently being prepared at the level of the European Union.
The text of the draft Directive NIS2 is currently being finalised and is expected to be published in the Official Journal of the European Union by the end of 2022. The transposition deadline for Member States is set at 21 months, so it is likely to end in mid-2024.
Purpose of the Directive NIS2 and Czech legislation
The Directive NIS2 is intended to deepen the framework established by Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 on measures to ensure a high common level of network and information systems security in the Union.
In the Czech Republic, this area is currently regulated by Act No. 181/2014 Coll. on Cyber security and on amendments to related acts, as amended (hereinafter as the “Cyber Security Act“), which should be amended on the basis of Directive NIS2 as part of the transposition to meet its requirements.
In particular, the Directive NIS2 is intended to address the inadequate level of cyber security for businesses and institutions operating in the European Union, as well as to compensate for differences between member states.
Among the most important changes to be introduced are:
- widening the range of entities affected by the regulation; and
- the introduction of new obligations in the form of security measures to be complied with by cyber security actors.
The draft Directive NIS2 includes in its annexes a list of sectors that are important for the functioning of society. The sectors are divided according to which annex of the Directive NIS2 they are included in, into essential sectors, which will include, for example, energy, transport, banking, health and pharmaceuticals, digital infrastructure, public administration, and important sectors, which will include, for example, food processing, waste management, postal and courier services and the manufacture of other medical devices, computers and electronics, machinery and motor vehicles.
Private or public organisations will be regulated under the Directive NIS2 if both of the following conditions are met: (i) the organisation provides at least one service listed in the annexes to the Directive NIS2, and (ii) it is a medium or large enterprise.
The definition of a medium and large enterprise is set out in Commission Recommendation 2003/361/EC of 6 May 2003, namely enterprises which employ 50 or more employees or have an annual turnover or annual balance sheet total of at least EUR 10 million. When assessing the size of enterprises, account must also be taken of data from partner and related enterprises.
However, for certain designated sectors, all undertakings will be regulated under the Directive NIS2 regardless of their size. This will include undertakings providing electronic communications services or trust service providers. The draft Directive NIS2 also provides that all obliged entities will automatically be designated as obliged entities under the Directive of the European Parliament and of the Council on strengthening the resilience of critical entities.
Obliged entities are also to be divided into essential and critical entities based on their size and the sector in which they operate. Each of these categories will have different obligations under the Directive NIS2. The group of basic entities will include large undertakings operating in basic sectors (listed in Annex 1 of the Directive NIS2). Medium-sized undertakings providing services listed in Annex 1 of the Directive NIS2 and medium and large undertakings providing services listed in Annex 2 of the Directive NIS2 (i.e. services falling within critical sectors) will be critical entities. However, there will be exceptions to these rules, where some undertakings will be essential regardless of their size.
The essence of the obligations to be introduced by the Directive NIS2 is that the entities affected by the regulation should conduct their own risk assessments and implement preventive steps to strengthen their cyber security.
Compared to the previous legislation, the draft Directive NIS2 defines in more detail the range of security measures that both essential and critical entities will have to implement. The management of obliged entities will be responsible for the approval, implementation and enforcement of security measures. Among the obligations that will be introduced will be the need for management to undergo training on cyber security and the obligation to create an environment that encourages employees of their organisation to participate in such training.
The differences for essential and critical entities will manifest themselves in a more stringent form of obligations for essential entities.
The areas of security measures set out in the Directive NIS2 will include:
- risk analysis and information security policy,
- incident handling, prevention, detection and response, where appropriate,
- business continuity and crisis management,
- supply chain security, including security in the relationship between the entity and its suppliers and service providers,
- security in the acquisition, development and maintenance of network and information systems, including the disclosure of vulnerabilities and their resolution,
- policies and procedures for evaluating the effectiveness of cybersecurity security measures (i.e. auditing);
- basic cyber hygiene practices and cybersecurity education,
- policies and procedures regarding the use of cryptography and encryption,
- human resource security, access and asset management,
- use of multi-factor identity authentication, secure communication tools and emergency communication tools.
Incidents and their reporting
One of the most important security measures to be implemented will be the prevention of incidents, their detection and subsequent resolution of the situation caused. A cybersecurity incident occurs when the security of information related to a regulated service is compromised. This will be any event that compromises the confidentiality, availability, integrity and authenticity of the data or services stored, transmitted or processed.
Incidents may occur even when entities are properly complying with their obligations and implementing measures to prevent them. Essential and critical entities will be required to report incidents with significant impact. The prerequisite for being a significant impact incident will be that (i) the incident has caused or may cause serious operational disruption to the service or financial loss to the affected entity, or (ii) the incident has affected or may affect other individuals or entities or causes significant material and non-material loss. At the same time, a ‘large-scale’ cyber incident to which a Member State is unable to respond or which has a significant impact on at least two Member States may also be a significant impact incident.
Entities will be obliged to report the above-described incidents to the designated CERT or CSIRT team without undue delay (within 24 hours at the latest) of its detection. The reporting requirements will include basic known information, such as whether the incident was caused by illegal behaviour or whether it has a cross-border impact. Subsequently, the information should be refined and, if necessary, further supplemented on the basis of a request from the CERT team. Once the incident has been resolved (usually within one month of reporting), a final report will also need to be sent to the CERT team with the reasons for the incident and a summary of the measures taken to prevent a recurrence.
For clear communication and unification of incident reporting, the National Office for Cyber and Information Security (hereinafter as the “NCIS“) plans to create a single platform in the Czech Republic for registration of obliged entities, incident reporting and communication with the NCIS and other relevant authorities, as appropriate.
Control, sanctions and enforcement
Member States will have an obligation under the Directive NIS2 to ensure that effective and proportionate supervisory arrangements are in place, including the promotion of cooperation between supervisory authorities.
The powers of supervisory authorities in exercising control will include, for example, (i) issuing binding instructions and orders to remedy deficiencies, (ii) ordering the regulation of conduct to ensure compliance with legal obligations, (iii) ordering the regulation of security measures in accordance with the requirements of the Directive NIS2 and (iv) imposing administrative fines.
At the same time, if entities do not follow the instructions of the supervisory authorities and do not comply with their requirements within the time limit, sanctions will be imposed. In terms of sanctions and enforcement measures, the Directive NIS2 will bring only a few changes, but in principle the control mechanisms already in place and currently in force will be continued.
The control and enforcement measures will include, in particular, on-site inspections, security audits, requests for information or data disclosure or proof of the implementation of security policies. If these remedies are unsuccessful, it will be possible to temporarily suspend the certifications or licenses allowing the entity to perform the regulated service for essential entities (if proportionate) or seek a court order temporarily preventing a specific individual in a management position from performing management functions in the regulated entity.
The draft Directive NIS2 also provides for maximum fines. For basic entities, the upper limit of fines will be set at EUR 10 million or 2 % of worldwide turnover (whichever is higher), for important entities the upper limit of fines will be set at EUR 7 million or 1.4 % of worldwide turnover.
The Directive NIS2 should, through the forthcoming amendments described above, deepen the enhancement of cyber security in member states and develop national and international cooperation in this area.
The conclusions described in this article are based on the current draft of the Directive NIS2, on which a preliminary consensus has been reached in the EU legislative process, but it is possible that some parts of the text will be modified.
The transposition deadline for member states is set at 21 months from the publication in the Official Journal of the European Union, and is therefore likely to end in mid-2024, by which time the Czech Republic should have amended the Cyber Security Act and other relevant legislation.
The NCIS has launched a website on the Directive NIS2 to raise awareness – nis2.nukib.cz.
Should you have any questions about the forthcoming cybersecurity directive, we are at your disposal.
Mgr. Kateřina Roučková, junior lawyer – firstname.lastname@example.org
Mgr. Jakub Málek, managing partner – email@example.com
21. 11. 2022