Will NIS 2 be as problematic as the NIS 1 directive?

Iurii Fedorenko

The NIS 1 directive is one of the legislative measures introduced by the EU in 2016, which was met with positive anticipation. This directive aimed to enhance cyber resilience across the EU, especially within critical sectors such as healthcare, energy, and transportation etc. The directive proposed a common framework that would harmonize the level of cybersecurity among the member states.

All in all, the framework is a set of binding security requirements for the operators of critical infrastructure to implement appropriate measures in case of possible and ongoing cyberattacks. These requirements include reporting significant digital incidents to national authorities and cooperating with them to achieve a high level of communication between the member states and entities falling under the directive’s scope. Additionally, the directive established sanctions for non-compliance, making it essential for entities to comply with the directive’s rules. Although the directive was quite promising for a future state of cybersecurity in the EU, the implementation of NIS 1 revealed some critical shortcomings to its effectiveness that had to be addressed.

Soon after the implementation of NIS 1 into national law, the NIS 2 directive, which came into force this year, was introduced by the EU Parliament in response to the increasing cyberattacks during the COVID-19 pandemic and the shortcomings of its predecessor, NIS 1 (Lekshmi 2022). Thus, making the new legislation to be a crucial step towards the harmonized level of cybersecurity across the Member states of the EU. Although the NIS 2 drastically revised the NIS 1 directive by making NIS 2 less ambiguous and more standardized in terms of reporting processes, some of the new additions are hard to consider as “improvements”. Therefore, it is necessary to emphasize these negative aspects of the NIS 2 directive, as they could affect the overall effectiveness of the directive compared with the expectations set by Parliament. Nevertheless, the shortcomings of the NIS 1 were exposed mainly during the implementation of NIS 1 by the Member states, indicating that a fair assessment of the legislation can only be made after some time has passed (Bitkom 2021; Directive (EU) 2022/2555, Recital 6 & 37).

Before the legislation came into force, its unfinished version was improved with the help of criticism from organizations related to cybersecurity as well as organizations that stand for the EU consumers’ rights, for instance, the European consumers’ organizations. Despite that, some criticisms and suggestions from these organizations were not fully incorporated into the final version of the directive. As a result, leaving the new legislation with some issues that could be addressed only in the future amendments to the directive as was the case with the previous directive (Legislative Train Schedule 2023).

In other words, these omissions have the potential to result in divergent implementations of the directive by Member states, highlighting the need for their consideration in future amendments to the NIS 2 directive.

Ambiguity and Inconsistency

One of the major issues with the NIS 1 directive was the ambiguity of its terms and the excessive autonomy granted to Member states in determining which entities fell under its scope. This led to inconsistencies in the implementation of the directive across Member states. NIS 2 addresses the problem with too much autonomy by introducing a list of sectors that should be considered either as essential or important entities and included within the scope of NIS 2, harmonizing the implementation process among the member states. However, there are concerns that the problem with autonomy remains regarding small enterprises (SMEs). So, the member states can “identify smaller entities with a high security risk profile” (Cyber Risk GmbH 2023). As was marked by DIGITALEUROPE, this kind of autonomy could cause inconsistency and problems for SMEs that are operating in several member states, “as they may be within scope in one Member State but not another” (BEUC 2021, 4-5; DIGITALEUROPE 2021, 6-7).

Nevertheless, the main problem with the ambiguous terms remains. For example, entities are required to report not only ”significant incidents” but also incidents that could potentially be considered as threats or ”near misses.” These incidents, based on “potentiality”, can be interpreted too broadly by entities, leading to burdensome reporting requirements for them and the national authorities (EBF 2021, 3). It is crucial for Centria to engage in discussions with the national authorities to establish a clear understanding of what types of incidents should be categorized as ”near misses” or ”potential incidents.” This proactive step will help prevent over-reporting and alleviate the burden placed on Centria’s employees.

Over-reporting

The NIS 2 directive strives to standardize and, therefore, simplify the reporting process for entities by adopting a two-stage approach: swift reporting and in-depth reporting for significant incidents (Directive (EU) 2022/2555, Recital 101). While this approach heavily mitigates the over-reporting for entities with the introduced standardization, the deadline for the final report is too strict (one month) and doesn’t consider that the report process of more critical or ongoing cyberattacks could take several months in global enterprises (Bitkom 2021, 16). Consequently, this could result in a less comprehensive final report and divert the entities’ attention away from taking effective measures against cyberattacks. Our university and its research and development (R&D) should focus on this aspect, cooperating closely with the national authorities to avoid sanctions and improve reporting process since now educational institutions and R&Ds are in scope under NIS 2 directive.

In addition, as the Rapporteur stated, the incidents that are based on potential harm will lead to over-reporting despite standardization considering that medium and large entities “can have tens or even hundreds of potential significant cyber threats in a single day”. Furthermore, the extended scope on entities that must reported will tremendously increase the burden of national authorities (European Parliament 2021; Schmitz-Berndt 2023, 10).

Cyber threat information-sharing

NIS 2 introduces a cyber threat information system to assist entities in dealing with incidents. So, ENISA and entities themselves collaborate to securely exchange information on cybersecurity voluntarily (Directive (EU) 2022/2555, Article 29). Although this initiative can be beneficial for entities, it is essential to establish a foundation of mutual trust and ensure that information sharing does not become burdensome for participating organizations which cannot be said about this initiative. So, the member states set the rules on procedures and operational elements of threat-sharing arrangements as well as mandate entities to notify competent authorities when organizations join or leave such arrangements (where applicable). However, the involvement of public authorities in these arrangements, as highlighted by the EBF (European Banking Federation), could be counterproductive, potentially discouraging entities from voluntary participation due to the associated burden (Backman 2023, 98; EBF 2021, 4-5).

Conclusion

The NIS 2 directive is a key step towards harmonizing cybersecurity in EU Member states. While it improves reporting processes and reduces ambiguity, there are concerns to address. Autonomy issues of the Member states remain, especially regarding small enterprises, and reporting potential threats introduces burdensome reporting. The strict reporting deadline may hinder comprehensive reporting and divert attention from proactive measures. Additionally, the involvement of public authorities in information-sharing arrangements raises concerns about voluntary participation. Future amendments should focus on minimizing inconsistencies, providing clearer definitions, realistic reporting deadlines, and encouraging voluntary participation without excessive burdens. Besides, it is essential to focus on promoting transparency and providing clear guidelines on the roles and responsibilities of public authorities can help alleviate concerns and facilitate effective cooperation between the Member states and entities. Striking the right balance is crucial for the effective implementation of the NIS 2 directive and achieving desired cybersecurity resilience across the EU.

References

Backman, S. 2023. Risk vs. threat-based cybersecurity: the case of the EU. European Security (32)1, 85-103. Available at: https://www.tandfonline.com/doi/full/10.1080/09662839.2022.2069464. Referenced 25th May 2023.

BEUC – The European Consumer Organisation 2021. Review of the Network and Information Systems Directive (NIS2). Available at: https://www.beuc.eu/sites/default/files/publications/beuc-x-2021-042_review_of_the_network_and_information_systems_directive.pdf. Referenced 24th May 2023.

Bitkom 2021. Bitkom position on the proposal for a renewed Directive on security of network and information systems. Available at: https://www.bitkom.org/sites/default/files/2021-03/210318_pp_nis-directive-2.pdf. Referenced 24th May 2023.

Cyber Risk GmbH 2023. The NIS 2 Directive. Available at: https://www.nis-2-directive.com/. Referenced 25th May 2023.

DIGITALEUROPE 2021. DIGITALEUROPE’s position on the NIS 2 Directive. Available at: https://cdn.digitaleurope.org/uploads/2021/03/DIGITALEUROPE-position-on-NIS2-Directive.pdf. Referenced 24th May 2023.

Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive). Available at: https://eur-lex.europa.eu/eli/dir/2022/2555. Referenced 25th May 2023.

European Banking Federation (EBF) 2021. EBF key messages on the proposal for a Revised Directive on Security of Network and Information Systems (NIS2). Available at: https://www.ebf.eu/wp-content/uploads/2021/06/EBF-key-messages-on-NIS2-proposal.pdf. Referenced 24th May 2023.

European Parliament 2021. Draft Report on the proposal for a Directive of the European Parliament and of the Council on measures for a high common level of cybersecurity across the Union, repealing Directive (EU) 2016/1148. EXPLANATORY STATEMENT. 2021. Available at: https://www.europarl.europa.eu/doceo/document/A-9-2021-0313_EN.html. Referenced 25th May 2023.

Legislative Train Schedule 2023.  Review of the Directive on security of network and information systems. European Parliament. Available at: https://www.europarl.europa.eu/legislative-train/theme-a-europe-fit-for-the-digital-age/file-review-of-the-nis-directive?sid=6901. Referenced 25th May 2023.

Lekshmi S. A. 2022. Growing concern on healthcare cyberattacks & need for cybersecurity. PsyArXiv. Available at: https://www.researchgate.net/publication/357753537_Growing_Concern_on_Healthcare_Cyberattacks_Need_for_Cybersecurity. Referenced 25th May 2023.

Schmitz-Berndt, S. 2023. Defining the reporting threshold for a cybersecurity incident under the NIS Directive and the NIS 2 Directive. Journal of Cybersecurity (9)1, tyad009. Available at: https://academic.oup.com/cybersecurity/article/9/1/tyad009/7160387. Referenced 25th May 2023.

Iurii Fedorenko
Project assistant
Centria University of Applied Sciences
Tel. 041 487 9476

Facebooktwitterlinkedinmail