On November 28, 2022, the Council of the European Union formally adopted the Network and Information Security 2 Directive (NIS 2 Directive), replacing the current NIS Directive (Directive 2016/1148/EC). On 27 December 2022, it was published in the Official Journal of the European Union. The NIS 2 Directive builds on the original NIS Directive (the first cybersecurity legislation in Europe) and extends its scope with the aim of further harmonising cybersecurity requirements in the European Union and strengthening security against cyberattacks across a broader range of sectors.
The NIS 2 Directive will enter into force 20 days following its publication on the Official Journal. EU Member States will have 21 months from the entry into force of the Directive to incorporate the NIS 2 Directive into national legislation, meaning the NIS 2 Directive will be in force by late 2024.
In November 2022, the UK Government confirmed that it is moving forward with plans to update the NIS Regulations (UK NIS) as they apply to the United Kingdom. Its consultation outcome for a proposal to improve the UK’s cyber resilience (UK Proposal) suggests that some, if not most, of these changes will be very similar to the NIS 2 Directive.
While there has been some alignment between the two regimes since the United Kingdom’s exit from the European Union, the recent news in the Official Journal of the European Union confirms that the similarities between the two in the way cybersecurity of critical infrastructure is regulated will continue to be very similar despite the split.
However, the timeline for implementation in the United Kingdom is less clear. The UK Government is committed to bringing the necessary legislation forward “when parliamentary time allows.” Given current government priorities, we expect the new legislation to be in place no earlier than 2024.
This article outlines some of the main points organisations need to know about the NIS 2 Directive and the UK NIS (collectively, the “EU/UK NIS”) and details how they interplay with the General Data Protection Regulation (GDPR).
INCREASING THE NUMBER OF SECTORS IN SCOPE
Under the current NIS Directive and UK NIS, operators of essential services (e.g. banks, healthcare providers and providers of drinking water and energy) and digital service providers (e.g. providers of cloud services and online marketplaces) are already obliged to improve their digital security and to report cyber incidents.
In the European Union, the NIS 2 Directive significantly extends the scope. Entities falling within the scope of the NIS 2 Directive are classified into two categories: operators of essential services and important entities. The operators of essential services mainly cover entities operating in key sectors including healthcare, energy and transport sectors. The important entities cover digital providers, manufacturers of certain critical products and postal and courier servicers.
Likewise, under the UK Proposal, the UK Government seeks (1) to expand the scope of digital services regulated under the UK NIS to include “managed services” and (2) for providers of digital managed services to be subject to the same duties as other digital service providers.
INTERPLAY WITH GDPR: SIMILARITIES AND DIFFERENCES
The EU/UK NIS and the GDPR address different things. The GDPR (which, for purposes of this discussion includes the UK GDPR as it was retained under domestic UK law post-Brexit) concerns personal data, whilst the EU/UK NIS concern the security of systems.
However, there is considerable overlap between the EU/UK NIS and the GDPR given the GDPR’s provisions on security and the likelihood that most organisations covered by the EU/UK NIS will be data controllers and/or processors.
Below are the main similarities and differences between the EU/UK NIS the GDPR, and how these legislative initiatives interoperate together.
1. Security of Systems vs Protection of Personal Data
Security approaches that focus on the security of systems and those that focus on the protection of personal data are different. While organisations should take the appropriate steps to ensure both approaches are followed, it is important to understand the differences between the two to ensure the required level of security and data protection are implemented.
Like most data protection laws, the GDPR takes a data-centric approach to security. The focus on its data protection obligations is to ensure that the data itself is secure and protected from unauthorized access, use or other processing. In contrast, EU/UK NIS concern the security of systems. These laws look at the IT systems operated by an organisation and focus on preventing unauthorised access and use of those systems. The requirements under EU/UK NIS are focused on system-level security measures, such as system and data encryption, identity and access management, and other measures for securing systems through people, processes and technology-related controls.
There are notable strengths and weaknesses to these two approaches. Controls that focus on data, for example, tend to emphasize the protection of data assets that have more value and risk to the organisation. Controls that focus on systems provide potentially broader protection, yet may not focus on the more valuable and risky data assets.1
2. Security Incident Reporting vs Personal Data Breach Notification
The EU/UK NIS and the GDPR require the operators encompassed to notify security incidents and data breaches to the relevant authorities.
Both the United Kingdom and the European Union intend to update their NIS requirements so that a greater number of incidents are reported by organisations.
The NIS 2 Directive will require a two-step process for reporting security incidents to the relevant supervisory authorities. First, once an organisation becomes aware of a security incident, it must submit an initial report within 24 hours of first becoming aware of the incident, with a full “incident notification” required within 72 hours. From there, the organisation has one month to submit a final report.
Meanwhile, under the UK Proposal, the definition of “incidents” is being expanded to include “incidents that do not actually affect the continuity of the service directly, but nonetheless pose a significant risk to the security and resilience of the entities in question and the essential services they provide.” The final legal definition is yet to be determined, with exact thresholds to be set for each sector by competent authorities. It is likely that the 72-hour reporting deadline will remain.
Under the GDPR, controllers must report a notifiable breach to the relevant data protection authority without undue delay, but no later than 72 hours after first becoming aware of it. When controllers take longer than this, they must provide reasons for the delay.
Organisations under the EU/UK NIS and the GDPR will need to operationalize these different notification obligations into their security response plan and protocols. Under GDPR, companies typically took a data-centric notification analysis, focusing on whether personal data was at risk and triggered the GDPR’s notification obligations. Now, with the new EU/UK NIS requirements, the potential notification trigger has broadened and, at least under the NIS 2 Directive, become shorter. In addition to updating security response plans and protocols, companies are well advised to conduct tabletop exercises with scenarios that would require notifications under these new requirements to be better prepared for the short timeframe within which key decisions must be made.
3. Security of Supply Chains and Flowing Down Obligations to Third Parties or Processors
Under the NIS 2 Directive, regulated entities must guarantee the security of the “supply chain” of services, meaning they must flow down their security standards onto their third parties. Organisations must also consider specific suppliers’ vulnerabilities and cybersecurity practices and are encouraged to incorporate cybersecurity measures into contractual arrangements with their direct supply chains.
The GDPR similarly requires (under Article 28(3)(c)) contractual terms between controllers and processors, whereby processors are contractually required to take all security measures necessary to meet the requirements of GDPR Article 32 on the security of processing.
The UK Government has said that increased cyber resilience in supply chains across the UK, including critical national infrastructure sectors would be one of the key benefits which would be expected as a result of the direct outcomes under the Proposal.
Accordingly, organisations subject to EU/UK NIS and the GDPR will need their third-party contracts to incorporate requirements under both the EU/UK NIS and the GDPR. Adding in the new EU/UK NIS requirements will take considerable effort for some organisations. While there is still time before the EU/UK NIS requirements come into effect, companies can anticipate these requirements and incorporate necessary language in their current forms and upcoming contracts.
4. Security Measures Organisations Need to Put in Place
As highlighted, the NIS 2 Directive seeks to harmonise requirements across the EU Member States by setting out minimum rules for regulatory frameworks and establishing clearer and stronger minimum cybersecurity measures that must be implemented.
The NIS 2 Directive will require “essential” and “important” entities to take appropriate and proportionate technical and organisational measures to manage the threats and risks posed to the security of systems used for their operations.
The UK Government seems to be moving in the same direction. The UK Proposal aims to capture a longer-term vision for the protection of the United Kingdom’s essential services, critical national infrastructure and the increase of wider cyber resilience across the UK economy. Similar measures to the NIS 2 Directive are expected in this respect.
Some of the key measures organisations should implement under the NIS 2 Directive include:
Risk analysis and information system security policies;
Incident handling protocols;
Business continuity plans;
Supply chain and network security measures; and
In line with the NIS 2 Directive, both controllers and processors under the GDPR are obliged to put in place appropriate technical and organisational measures to ensure the security of any personal data they process, which may include under Article 32, as appropriate:
Encryption and pseudonymisation;
The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
The ability to restore access to personal data in the event of an incident; and
Processes for regularly testing and assessing the effectiveness of security measures.
The overall purpose of the new legislation is to achieve a high common level of cybersecurity across all EU Member States. Equally, the primary goal in the EU’s enactment of the GDPR was to “harmonise,” the data protection laws of the 28 EU Member States.
NIS 2 Directive brings clarity of the EU’s cybersecurity requirements in the same way GDPR brought European national data protection frameworks into conformity with each other.2
The security requirements under EU/UK NIS are similar to what GDPR requires from data controllers, although they differ by specifying a number of elements that must be taken into account. When determining security measures under EU/UK NIS, organisations are allowed to consider the state of the art (for example, the state of technological development and in line with that, the type of security measures which are available to the organisation). This is similar to the GDPR and NIS 2 Directive follows this criteria. However, under the UK NIS Regulations, organisations are not allowed to consider the costs of implementation.
Organisations subject to EU/UK NIS should start preparing for the change by pursuing the following:
Visibility: Gain a clear understanding of security implications for all system assets, including those provided or managed by third parties.
Proactive Approach: Carry out a thorough gap analysis exercise and ensure plans are in place to address any issues.
Accountability: Ensure proper incident handling policies and processes are in place to follow in the event of incident.
Remediation Plans and Risk Mitigation: Following an incident, organisations should implement appropriate remediation plans to assess potential risks.
The extraterritorial jurisdiction feature of the NIS 2 Directive is very similar to the extraterritorial effects of the GDPR. The GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the European Union (or United Kingdom) regardless of whether the processing takes place in the European Union. The NIS 2 Directive broadens the extraterritorial effect already in place under the NIS Directive. While the NIS Directive already has some extraterritorial reach in that applies to non-European Economic Area (EEA) “digital service providers” who offer services in the EEA (but not to non-EEA “operators of essential services”), the NIS 2 Directive will generalize this extraterritorial scope to all covered entities.
Like Articles 3(2) and 27 of the GDPR, the NIS 2 Directive establishes that in the instance an organisation is not established in the European Union but offers services within it, the organisation shall designate a representative who is established in one of the EU Member States where the services are offered. Such entity shall be deemed under the jurisdiction of the EU Member State where the representative is established. In the absence of a designated representative within the European Union, any EU Member State in which the entity provides services may take legal actions against the entity for noncompliance with the obligations under the NIS 2 Directive.
Given the United Kingdom’s alignment with the European Union on the applicability of the GDPR and the representative appointment, we anticipate a similar approach will be taken under the updated UK NIS.
6. Competent Authorities
NIS 2 Directive requires European Member States to designate one or more “competent authorities” responsible for cybersecurity and certain supervisory tasks under the legislation. Under the current NIS Directive, equivalent authorities include the ANSSI in France, the BSI in Germany and the CCB in Belgium. The National Cyber Security Centre is the UK NIS’s competent authority.
Different authorities come into play for GDPR. In the UK, the Information Commissioner’s Office (ICO) is the data protection regulator. The ICO already regulates the organisations covered under the scope of the UK NIS, but only in the context of data protection law. The same applies in Europe with respect to local data protection authorities and the processing of personal data of those organisations covered by the NIS 2 Directive.
7. Sanctions for Noncompliance
The EU/UK NIS and the GDPR have considerable financial fines available to applicable regulators to properly incentivize organizations to comply. NIS 2 Directive allows EU Member States to implement administrative fines of at least €10 million or up to 2% of the total worldwide turnover of an entity for the preceding financial year (whichever is higher) for entities in scope of NIS 2 Directive who breach the cybersecurity risk management measures and/or the cybersecurity incident reporting obligations. Additionally, EU Member States will have wide discretion to implement their own national rules on penalties for infringement of the directive, once implemented at national level.
In the United Kingdom, the UK NIS was updated in 2020 to “make the enforcement framework more robust,” and there are fines of up to £17 million for the most severe material contraventions of the legislation.
Under the GDPR, a maximum fine of €10 million (£17.5 million in the United Kingdom) or 4% of the annual global turnover—whichever is greater—can be imposed for infringement of any of the data protection principles or rights of individuals.
KEY TAKEAWAYS AND NEXT STEPS
Security and data protection go hand in hand. Although they are not the same, they interplay very closely with each other. EU/UK NIS concern the security of network and information systems and the ‘digital data’ within them. By contrast, GDPR concerns the processing of personal data.
Despite the differences in scope under the legislative initiatives, it is very plausible that organisations may be subject to regulatory action under either regime separately or collectively, depending on the nature of the incident. Organisations must therefore attend to the requirements under both sets of legislation and plan their incident response accordingly.
This new evolving legislative landscape is an opportunity to assess current practices and put in place and maintain policies, procedures, and training to comply with obligations under GDPR and the NIS 2 Directive and strengthen cybersecurity readiness. Of course, for organisations with data or operations outside of the EU and UK, other jurisdictions are rapidly advancing similar changes to security and incident laws that must be added to the compliance effort.
1 New security strategies, such as Zero Trust, theoretically offer the best of both worlds by taking both system and data-centric approaches to security. In many jurisdictions, regulators are taking note and requiring Zero Trust security approaches.