Will NIS 2 be as problematic as the NIS 1 directive?

All in all, the framework is a set of binding security requirements for the operators of critical infrastructure to implement appropriate measures in case of possible and ongoing cyberattacks. These requirements include reporting significant digital incidents to national authorities and cooperating with them to achieve a high level of communication between the member states and entities falling under the directive’s scope. Additionally, the directive established sanctions for non-compliance, making it essential for entities to comply with the directive’s rules. Although the directive was quite promising for a future state of cybersecurity in the EU, the implementation of NIS 1 revealed some critical shortcomings to its effectiveness that had to be addressed.

Soon after the implementation of NIS 1 into national law, the NIS 2 directive, which came into force this year, was introduced by the EU Parliament in response to the increasing cyberattacks during the COVID-19 pandemic and the shortcomings of its predecessor, NIS 1 (Lekshmi 2022). Thus, making the new legislation to be a crucial step towards the harmonized level of cybersecurity across the Member states of the EU. Although the NIS 2 drastically revised the NIS 1 directive by making NIS 2 less ambiguous and more standardized in terms of reporting processes, some of the new additions are hard to consider as “improvements”. Therefore, it is necessary to emphasize these negative aspects of the NIS 2 directive, as they could affect the overall effectiveness of the directive compared with the expectations set by Parliament. Nevertheless, the shortcomings of the NIS 1 were exposed mainly during the implementation of NIS 1 by the Member states, indicating that a fair assessment of the legislation can only be made after some time has passed (Bitkom 2021; Directive (EU) 2022/2555, Recital 6 & 37).

Before the legislation came into force, its unfinished version was improved with the help of criticism from organizations related to cybersecurity as well as organizations that stand for the EU consumers’ rights, for instance, the European consumers’ organizations. Despite that, some criticisms and suggestions from these organizations were not fully incorporated into the final version of the directive. As a result, leaving the new legislation with some issues that could be addressed only in the future amendments to the directive as was the case with the previous directive (Legislative Train Schedule 2023).

In other words, these omissions have the potential to result in divergent implementations of the directive by Member states, highlighting the need for their consideration in future amendments to the NIS 2 directive.

One of the major issues with the NIS 1 directive was the ambiguity of its terms and the excessive autonomy granted to Member states in determining which entities fell under its scope. This led to inconsistencies in the implementation of the directive across Member states. NIS 2 addresses the problem with too much autonomy by introducing a list of sectors that should be considered either as essential or important entities and included within the scope of NIS 2, harmonizing the implementation process among the member states. However, there are concerns that the problem with autonomy remains regarding small enterprises (SMEs). So, the member states can “identify smaller entities with a high security risk profile” (Cyber Risk GmbH 2023). As was marked by DIGITALEUROPE, this kind of autonomy could cause inconsistency and problems for SMEs that are operating in several member states, “as they may be within scope in one Member State but not another” (BEUC 2021, 4-5; DIGITALEUROPE 2021, 6-7).

Nevertheless, the main problem with the ambiguous terms remains. For example, entities are required to report not only ”significant incidents” but also incidents that could potentially be considered as threats or ”near misses.” These incidents, based on “potentiality”, can be interpreted too broadly by entities, leading to burdensome reporting requirements for them and the national authorities (EBF 2021, 3). It is crucial for Centria to engage in discussions with the national authorities to establish a clear understanding of what types of incidents should be categorized as ”near misses” or ”potential incidents.” This proactive step will help prevent over-reporting and alleviate the burden placed on Centria’s employees.

The NIS 2 directive strives to standardize and, therefore, simplify the reporting process for entities by adopting a two-stage approach: swift reporting and in-depth reporting for significant incidents (Directive (EU) 2022/2555, Recital 101). While this approach heavily mitigates the over-reporting for entities with the introduced standardization, the deadline for the final report is too strict (one month) and doesn’t consider that the report process of more critical or ongoing cyberattacks could take several months in global enterprises (Bitkom 2021, 16). Consequently, this could result in a less comprehensive final report and divert the entities’ attention away from taking effective measures against cyberattacks. Our university and its research and development (R&D) should focus on this aspect, cooperating closely with the national authorities to avoid sanctions and improve reporting process since now educational institutions and R&Ds are in scope under NIS 2 directive.

In addition, as the Rapporteur stated, the incidents that are based on potential harm will lead to over-reporting despite standardization considering that medium and large entities “can have tens or even hundreds of potential significant cyber threats in a single day”. Furthermore, the extended scope on entities that must reported will tremendously increase the burden of national authorities (European Parliament 2021; Schmitz-Berndt 2023, 10).