2021 looks likely to be a busy year when it comes to cyber security – here’s an overview of what to expect.
Just before Christmas, the EU Commission (‘the Commission’) published a new EU cyber-security strategy, together with a proposal for the revision of the Network and Information Security Directive (NIS2) and a proposed directive on the resilience of critical entities (‘the CER Directive’).
Companies making new year’s resolutions around cyber security should consider these EU measures, which will affect, among others, manufacturers of connected devices, financial institutions, healthcare providers, car manufacturers, data centres, social network providers, and suppliers of network and information systems.
What are the aims of the cyber-security strategy?
The new strategy reveals ambitious objectives designed to stem the growing threats to companies and individuals in Europe.
At a high level, it aims to enable the EU’s economy, democracy and society to operate on ‘secure and reliable digital tools and connectivity’ and proposes to integrate cyber security into every element of the supply chain.
The strategy is built on three main pillars:
1. Resilience, technological sovereignty and leadership
This pillar aims to ‘increase the level of cyber resilience of critical public and private sectors’, including through NIS2, the proposed CER Directive and a network of AI-enabled security operations centres. The latter will constitute a real ‘cybersecurity shield’ for the EU ‘able to detect signs of a cyberattack early enough and to enable proactive action, before damage occurs’.
2. Building operational capacity to prevent, deter and respond
This pillar includes, among other things, a new joint cyber unit, which will aim to ‘strengthen cooperation between EU bodies and Member State authorities responsible for preventing, deterring and responding to cyber-attacks’. These developments reflect the expected move by the EU towards greater integration of member states’ approaches, notwithstanding Brexit.
3. Advancing a global and open cyber space through increased co-operation
The Commission is planning a number of actions under this pillar, including:
- working with international partners to ‘advance international norms and standards that reflect… EU core values’;
- further strengthening the EU cyber diplomacy toolbox; and
- overseeing an ‘unprecedented level of investment in the EU's digital transition over the next seven years’.
Given the multitude of national and international guidelines and legislation currently being developed, increased co-operation and harmonisation are likely to be critical to the strategy’s success.
NIS2: wider scope and higher administrative fines
The original NIS Directive, which was the first EU-wide law on cyber security, is now being revised and the proposal for NIS2 will cover more companies from more sectors based on their criticality.
Among other things, it will introduce stricter security and notification obligations, and harmonise sanctions regimes by requiring member states to impose administrative fines on companies. For example, a company found to have insufficient technical and organisational measures could face fines of up to €10m or 2 per cent of total worldwide annual turnover.
CER Directive: 10-sector coverage and obligatory risk assessments
The CER Directive will widen both the scope and depth of the existing EU rules on critical infrastructure (previously focused on energy and transport) to cover 10 sectors, including banking, financial market infrastructure, health, drinking and waste water, space and digital infrastructure.
Under the proposed directive, member states would each adopt a national strategy for ensuring the resilience of critical entities and carry out regular risk assessments. This will allow the Commission to provide support to member states and critical entities, for example by developing an EU-level overview of cross-border and cross-sectoral risks, best practice, methodologies, cross-border training activities and exercises to test the resilience of critical entities.
While NIS2 focusses on cyber security, the CER Directive governs critical infrastructure resilience beyond IT, reflecting the increasing interdependence of different sectors. One objective of issuing the CER Directive as part of the EU cyber-security strategy appears to be to ensure synergies between the scope of NIS2 and the CER Directive, which should help competent authorities exchange information regarding cyber and non-cyber resilience and ensure that critical entities considered ‘essential’ under NIS2 are subject to more general resilience-enhancing obligations.
Companies designated as critical entities will have to undertake common reporting, including entity-level risk assessments and incident notifications. They will also have to implement technical and organisational measures.
The new directive will introduce an enforcement mechanism designed to ensure, among other things, that national authorities ‘have the powers and means to conduct on-site inspections of critical entities’ and to impose penalties for non-compliance. The directive will not set the amount of fines, but will instead rely on the discretion of member states to impose effective, proportionate and dissuasive fines.
What’s next?
The Commission and the High Representative are committed to implementing the new cyber-security strategy in the coming months. The European Parliament and the Council have to examine and adopt NIS2 and the CER Directive. Once this is done, member states will have to transpose them within 18 months of their entry into force.
It will be interesting to see how the legislative process is linked to that of the EU Digital Operational Resilience Act (DORA), which:
- introduces rules for third-party providers of information and communications technology (ICT) services, including providers of cloud computing services, for the financial services sector (see this blog post for further information); and
- forms part of the Commission's ambitious new digital finance strategy (see this blog post for more information).
Generally, DORA is:
- considered to take priority over NIS2 regarding the rules for critical ICT services for the financial services sector; and
- expected to co-exist with other cross-sector regulation on cyber security like the CER Directive.
For the latter directive, the competent authorities will need to be the same as those supervising DORA. This will also likely require increased co-operation to ensure effective implementation.
As the EU presses towards greater integration, it is presently unclear what steps the UK will take to adopt parallel changes, now that it has fully left the EU. Misalignment between national and international approaches can not only impact resilience to cyber threats generally, but also create additional and potentially conflicting compliance burdens for organisations.
Interestingly, the UK’s National Cyber Security Centre said in its Annual Review 2020 (PDF) that the UK must use cyber security to ‘seize the opportunities for the UK as an independent country outside the European Union’. So it seems likely that the UK will itself want to be on the front foot in developing its own policy, rather than adopting a purely ‘wait and follow’ approach.