18 May 2021
“Digitising Europe” is the new ELF Blogposts series that engages with policymakers, industry experts, and academics in order to contribute to a better understanding of how technological change is also driving social, political, and regulatory affairs.
By Daniela Giordano, Center for Cyber Security and International Relations Studies
During the last year, the European Commission has promoted several projects and plans aiming at strengthening the position of the Union with regard to the new technologies and the ongoing processes of digitalisation and digitisation. This started with President von der Leyen’s announcement of the new strategy for the Union titled ‘Shaping Europe’s digital future’ in February 2020. In the next five years, the Commission will address many aspects of the digital and cyber world, as already proven by the release of the White Paper on Artificial Intelligence (AI) followed a month ago by the Proposal for a Regulation laying down harmonised rules on artificial intelligence. Overall, the strategy aims to follow a human-centred implementation of technologies, with a risk-based approach, while also fostering sustainability of digital means and opening the market to new business opportunities. Additionally, the COVID-19 crisis has further accelerated the processes of digitalisation of our society, thus adding a new urgency to the creation of a safe and secure European digital environment.
Among its many purposes and with the objective of harmonising the internal market and security standards, the Commission has proposed a revision of the Directive (EU) 2016/1148, better known as the NIS (Network and Information Security) Directive. At the time of its publication, the act was ambitious in its intentions, especially since it represented a first step towards the creation of a common cybersecurity perspective in the Union. However, already at that time, it was clear that the implementation did not completely match the objective that it aimed to achieve.
The document addressed the security of network and information systems across the Union, especially, but not exclusively, the Internet. In particular, it focused on the transnational nature of threats related to network and information systems and services: the inability to intervene or the unwillingness to report an incident within a Member State could represent a menace for the entire Union. The Directive thus attempted to increase cyber resilience by pushing Member States to adopt national cybersecurity strategies and appoint their national authorities for cybersecurity. Another key measure was the creation of a system of information-sharing and incident-reporting based on the national Computer Security Incident Response Team (CSIRT) and coordinated by the European Network and Information Security Agency (ENISA) and the newly founded Cooperation Group. With the Regulation 2019/881 (Cybersecurity Act), ENISA has gained a prominent role in promoting cybersecurity in the Union, in particular by helping the Member States to implement the European legal acts, primarily the NIS Directive.
The NIS Directive has also indicated the specific sectors that were concerned by these provisions and required the Member States to identify the Operators of Essential Services (OESs) for each area. Because of the importance of the services provided, these entities are compelled to reach a certain level of cybersecurity and report any incident. The Commission also recognised another type of actor, the Digital Service Providers (DSPs), namely cloud computing services, online marketplaces and online search engines. The DSPs have to notify any “relevant” incident that occurred on their network. Contrary to the OESs, the DSPs do not need to be listed explicitly by the Member States.
As already stated, the ex-post analysis, reported in the Explanatory Memorandum in the first pages of the proposal, recognised the practical difficulties in applying the provisions’ requirements. The Directive’s shortcomings trace back to two main causes. On the one hand, the document was short-sighted in its scope. Since 2016 the world has changed: both technological advancement and the current level of digitalisation are not comparable to five years ago, thus the sectors identified in the Directive are outdated. Moreover, the difference between OESs and DSPs was never clarified in the relevant provisions, making these definitions practically ineffectual. On the other hand, since the Commission opted for a Directive as the legal act of choice for pursuing such objectives, the level of discretion of the Member States remained high. Consequently, supervision and enforcement regimes, security and incident reporting, and financial and human resources varied widely from one case to another. Moreover, Member States do not exchange information easily. As a result, the cyber resilience within the Union was strongly challenged and the effectiveness of the cybersecurity measures diminished. Between July and October 2020, the Commission also carried out a public consultation on the NIS Directive’s impact. However, its results are still to be disclosed.
The prominence of the theme and the evident shortcomings of the NIS Directive have convinced the Commission to already start the revision process, progressing more quickly than the usual timeline for this kind of procedure would suggest. The Commission opted for a completely new Directive, instead of a hypothetical “NIS Regulation”, which would have reduced the discretionary power of the Member States on the matter. Nevertheless, as underlined by its title, the proposal already marks a decisive step forward to achieve a high common level of cybersecurity within the Union, together with the set of documents, investments, and projects fostered by the European Commission, such as the EU’s Cybersecurity Strategy, the Proposal on the Resilience of Critical Entities, and the Digital Europe Programme. Such clarity in the language deployed can also be found in the new text.
As a start, in recital 20, the proposal reviews the list of specific sectors identified in the NIS Directive. The novelty is represented by the introduction of space, public administration, postal and courier service, digital services (social network platforms and data centre services), waste water and water management, providers of public electronic communications networks and services, manufacturing of critical products and food. It also establishes two types of entities based on their relevance: essential (Annex I) and important (Annex II). The most notable difference between them is the supervisory and penalty regimes, as the risk management procedures have to be established without prejudice to the type of entity. In addition, the distinction between OESs and DSPs is completely deleted and both categories are required to comply with the new provisions. However, the micro and small enterprises are now excluded from the provisions, except for very specific cases.
Regarding the harmonisation of the national systems, the proposal’s provisions establish an increased control over the Member States through supervision measures and enforcement based on administrative sanctions, even in case of failure to report incidents. In this context, ENISA is required to maintain a European vulnerability registry to improve the transparency and exchange of information. The Cooperation Group should also help in this process as a facilitator for information sharing and institute a two-year programme to achieve the stated goals. The Member States are also required to establish an EU Cybersecurity Crisis Management Framework collaborating with the Cyber Crisis Liaison Organisation Network (EU-CyCLONe). In addition, ENISA is also expected to create a database containing all the providers of cross-border services, for example, domain name system (DNS) and cloud computing service providers. These entities, whether essential or important, operate by their own nature across many Member States, thus they would be subject to different national legislation. To avoid this, the proposal requires that these actors shall act under the law of those Member States where they have their main establishment.
The NIS 2.0 seems to promise progress where its predecessor stopped, but the legislative procedure is still in its initial phase. The proposal was presented in April before the Industry, Research and Energy (ITRE) Committee of the European Parliament, thus starting the process of co-deciding with the Council of the European Union. Although recognising the importance of the Commission’s proposal, the rapporteur, MEP Bart Groothuis, has already presented an amended version of the proposal. The amendments cover a wide range of provisions. On the one hand, it promotes the use of interoperable route standards to protect the internet ecosystem, while simultaneously recognising that not all the actors using their own DNSs are relevant entities within the scope of the Directive. On the other hand, it highlights the importance of protecting the physical infrastructure sustaining the Internet (e.g. submarine cables). Another important point emphasized in the draft is the role of Member States in guiding and supporting the Small and Medium Enterprises (SMEs), excluded by the provisions of the Directive but nevertheless exposed to cyber threats and incidents. Moreover, the Member States are required to make an effort to improve the information sharing on cybersecurity among their national CSIRTs without fearing any violation of the General Data Protection Regulation (GDPR). The draft also stresses the need to distinguish between real and potential incidents and to make reporting mandatory only for the former, since disclosing and reporting on every potential threat will overload the system and potentially make it collapse. Both ENISA and national CSIRTs are required to step up their respective roles as part of the European cybersecurity ecosystem. In particular, ENISA’s registry, re-named “database” of disclosed vulnerabilities, should leverage the international Common Vulnerabilities and Exposures (CVE) registry.
Finally, the rapporteur requires the introduction of education and research as a new sector in Annex II, since higher education institutes and research centres have proven to be easy and attractive targets for hackers.
The debate is still in its early phase, and even after the approval of the Directive the Member States will still have 18 months to transpose the Directive into their national legislation.
Daniela Giordano holds a master’s degree in Security Studies from the University of Trento and Sant’Anna School of Advanced Studies (Pisa) with a thesis on Cyber Security in the context of the Italian Critical Infrastructure Protection. Since 2020, Daniela has collaborated with the Center for Cyber Security and International Relations Studies in Florence.
Published by the European Liberal Forum. The opinions expressed in this publication are those of the author(s) and do not necessarily represent those of the European Liberal Forum.