Second Network And Information Security Directive Proposal: What Do You Need To Know?




The European directive 2016/1148 of 6 July 2016 (the
“NIS Directive”) concerns measures for a
high common level of security for network and information systems
across the European Union and has been transposed in the laws of
the countries of the European Economic Area
(“EEA”). It imposes security-related
obligations on “operators of essential services” that are
established and identified in EEA countries as well as
“digital service providers” (online marketplace, online
search engine and cloud computing service providers) established or
offering their services in these countries.

The European Commission has made a proposal to replace this NIS
Directive with a new directive (the “NIS2 Directive
Proposal”). It will have an extended scope of
application, applying to “essential entities” (replacing
the current “operators of essential services”) and
“important entities” (replacing the current “digital
service providers”) with greater extraterritorial reach. It
will also saddle them with more comprehensive security-related
obligations.

In this article, our cyber security experts summarise the new
proposal and explain how it could affect you.

Essential entities

Whereas “operators of essential services” under the
NIS Directive are undertakings that are identified as such by the
Member State where they are established, all businesses providing
services falling in one of the categories listed in Annex I of the
NIS2 Directive Proposal will automatically become “essential
entities” thereunder.

For instance, essential entities in the digital infrastructure
sector will include all Internet Exchange Point providers, domain
name system (DNS) service providers, top-level-domain (TLD) name
registries, cloud computing service providers, data centre service
providers, content delivery network providers, trust service
providers and certain providers of public electronic
communications.

Interestingly, cloud computing services, which are currently
digital services under the NIS Directive, will become essential
services under the NIS2 Directive Proposal, albeit still being
narrowly defined as “digital services that enable on-demand
administration and broad remote access to a scalable and elastic
pool of shareable and distributed computing resources” (so
that an entity using the cloud only to make software available,
i.e. SaaS, would not ipso facto become an essential entity).

Annex I of the NIS2 Directive Proposal also lists essential
services in the sectors of energy, transport, banking, financial
markets infrastructure, health, drinking water, public
administration and space.

Essential entities will however exclude those that qualify as
micro and small enterprises within the meaning of Commission
Recommendation 2003/361/EC, save in certain circumstances.

Important entities

Although the second category of regulated entities under the NIS
Directive, namely “digital service providers”, is
currently limited to providers of online marketplace, online search
engine and cloud computing services, all businesses providing
services falling in one of the categories listed in Annex II of the
NIS2 Directive Proposal will automatically become “important
entities” thereunder. This includes not only “digital
providers” but also entities providing certain services in the
postal and courier services; waste management; manufacture,
production and distribution of chemicals; food production,
processing and distribution; and manufacturing sectors.

Furthermore, the category of digital providers itself will
include providers of social networking services platforms, in
addition to online marketplace and online search engine providers
(whereas cloud computing service providers will exit this category
to become essential entities, as indicated above).

Important entities will however exclude those that qualify as
micro and small enterprises within the meaning of Commission
Recommendation 2003/361/EC, save in certain circumstances.

Territorial scope

While the NIS Directive already has some extraterritorial reach
inasmuch as it applies to non-EEA “digital service
providers” that offer their services in the EEA (but not to
non-EEA “operators of essential services”), the NIS2
Directive Proposal will generalise this extraterritorial reach to
both essential and important entities.

Non-EEA essential and important entities that “offer
services” in the EEA will therefore have to comply with the
obligations set out by this new regulatory framework.

Recital 65 of the NIS2 Directive Proposal provides some guidance
about what it means to “offer services” in the EEA, using
language similar to that found in recital 23 of the General Data
Protection Regulation. It follows that there will have to be an
intentional element: one will have to intentionally, rather than
inadvertently or incidentally, target customers in the EEA.

When they offer their services in the EEA, non-EEA essential
entities who are DNS service providers, TLD name registries, cloud
computing service providers, data centre service providers and
content delivery network providers, as well as non-EEA important
entities who are digital providers, shall designate a
representative in the European Union.

Security-related obligations

Essential and important entities will have to take appropriate
and proportionate technical and organisational measures to manage
the risks posed to the security of network and information systems
which those entities use in the provision of their service. This
includes supply chain security and security-related aspects
concerning the relationships between each entity and its suppliers
or service providers, such as providers of data storage and
processing services or managed security services, and the use of
cryptography and encryption.

In terms of reporting obligations, essential and important
entities will have to

  • notify, without undue delay, the competent authorities or the
    computer security incident response teams
    (“CSIRTs“) of any incident having a
    significant impact on the provision of their services, and notify
    without undue delay the recipients of their services of incidents
    that are likely to adversely affect the provision of that
    service;

  • notify, without undue delay, the competent authorities or the
    CSIRTs of any significant cyber threat that those entities identify
    that could have potentially resulted in a significant incident, and
    notify the recipients of their services that are potentially
    affected by a significant cyber threat of any measures or remedies
    that those recipients can take in response to that threat without
    undue delay.

TLD registries and entities providing domain name registration
services for the TLD will also be saddled with specific
obligations, such as to collect and maintain accurate and complete
domain name registration data in a dedicated database facility with
due diligence.

Transposition date

Once the NIS2 Directive Proposal ceases to be a proposal and
becomes a directive that has entered into force, Member States will
have 18 months to transpose it into their laws as per its article
38.

Article 25 of the NIS2 Directive Proposal however provides that
essential entities who are DNS service providers, TLD name
registries, cloud computing service providers, data centre service
providers and content delivery network providers, as well as
important entities who are digital providers, will need to
identify themselves (and, as the case may be, their representative
in the European Union) to the European Union Agency for
Cybersecurity (ENISA) within 12 months of the entry into force of
the directive.

Read the original article on GowlingWLG.com
