European response to cyberwar. NIS-2 – an opportunity for increased levels of cyber security?
30/09/2022
More than two months ago, on 13 July, after a political agreement was reached between the European Parliament and EU Member States, the European Parliament’s Committee on Industry, Research, Telecommunications and Energy approved a draft directive on measures for a high common level of cyber security within the Union, repealing Directive (EU) 2016/1148, the so-called NIS2 Directive. We are currently waiting for its approval by the European Parliament and then by the Council, after which the new law will be published in the Official Journal, and 20 days later the directive will enter into force. For Member States, this moment will mark the start of a 21-month period for the implementation of the directive in national legal orders. In Poland, this will be done by adopting a new (or amending an already existing) relevant law on cyber security.
The differences between NIS and NIS2
The main differences between the first – still in force – cyber security directive, i.e. the Network and Information Security (NIS) Directive, and NIS2 concern the ‘obliged entities’, the technical and organisational measures to be implemented, and the reporting of incidents and threats. In all of these areas, NIS2 broadens the scope compared to the provisions of the NIS Directive.
In the NIS2 Directive, ‘obliged entities’ have been divided into two categories: key entities, which include, inter alia, cloud computing service providers, data centre service providers and content delivery network service providers; and relevant entities, which include, inter alia, search engine providers, trading platform providers, social network providers and courier service providers. Obligations have been placed on both categories to prepare and implement appropriate cyber security procedures and measures, and to report to the relevant authorities both incidents and cyber threats that may result in a significant incident.
NIS2 introduces stricter supervisory measures for national authorities, as well as stricter enforcement requirements, and aims to harmonise sanction regimes across Member States. The responsibility for ensuring cyber security will also be placed on those who manage the entities obliged by the directive.
Regulation at an EU level seems to be a necessary step
The regulation, at an EU level, of such a crucial issue as cyber security – especially today – seems to be a necessary step. However, as is usually the case with EU regulations, there is a risk that introducing such a law will be more of a burden (especially in terms of implementing additional measures, creating documentation, etc.) for those subject to it than a real tool to defend the rights that formed the rationale for its enactment. This risk has already materialised, for example, with respect to the General Data Protection Regulation (RODO), which has translated very little into actual protection of personal data and rather more into the production of documents and the inundation of data subjects with often incomprehensible information.
NIS2 wants to increase the level of cyber security, using two tools primarily – the need for entities subject to its provisions to create appropriate documentation and procedures, and the reporting obligation (both of incidents and cyber threats) imposed on these entities. Used in the right way, these tools can achieve the intended purpose of the regulations introduced, but under certain conditions.
Human beings – the weakest link
First of all, it must be taken into account that the weakest link in the area of cyber security in any organisation is the human being. Machines follow all instructions without discussing them; humans are guided by many different factors when making a decision (e.g. whether or not to share information with someone), and that decision is not always in line with what their procedures provide for. In addition, a person is easily manipulated, especially when so much information about them is publicly available on the internet.
Thus, in order for an organisation’s documentation, created under the NIS2 requirements of dealing with given cyber security situations and the measures taken to increase the level of cyber security, to be effective and applicable, those who will be required to comply with them need to understand why and for what purpose the various rules are put in place. They should also be aware of the consequences of not complying with them in various cases. It is therefore of the utmost importance that these persons are well and practically trained, and that they are involved in the creation of the rules to which they would then be subject. For these rules must reflect and fit in as much as possible with the actual functioning of the organisation to date. It is pointless to create artificial obligations that will not have a chance to exist in the current state of the organisation. Of course, to the extent that the actual state of the organisation does not correspond at all to the requirements of the directive, it is necessary to adapt the status quo to its provisions (and not vice versa), but this action requires prudence and time in order to be respected at all by those operating within the organisation.
Undoubtedly, it will be more effective to introduce the obligations that NIS2 imposes in an evolutionary manner than to implement them in the short time between the enactment and the entry into force of the Polish law transposing NIS2. Given that the purpose of the Directive is ultimately to harmonise the legal orders of Member States, it may be assumed that national legislation will not deviate significantly from its provisions, so obliged entities can already start implementing the new rules on that basis.
Equally important will be the practice of application of the Directive’s provisions by the obliged entities. Practice developed at the outset will then be replicated. This places a heavy responsibility on the largest entities subject to the Directive’s provisions, which will initially be the focus of attention for the other smaller players within the markets covered by cyber security requirements. Prudent, rational and informed implementation of the obligations under NIS2 seems likely to achieve the expected goal of increasing the level of cyber security across the European Union, which is worth the effort and commitment of the obliged entities.
Attorney-at-Law, Counsel at B2RLaw