The implementation of the NIS Directive in the Member States led to additional obligations for certain digital service providers, including in areas such as ensuring cybersecurity or incident reporting. After four years, the existing regulations were found to be insufficient, and a proposal for NIS Directive 2 was published, expanding the group of entities concerned and placing new obligations upon them.

In December 2020, as part of the EU cybersecurity package, a proposal was published for NIS Directive 2[1], to make cybersecurity regulations more consistent across the EU. The proposal includes a range of changes that will have major implications for digital service providers.

The most important change is the change to the scope of entities affected – under the proposal, all entities that are essential entities and important entities will have additional cybersecurity obligations. Essential entities will include for instance cloud computing service providers, data centre service providers, content delivery network providers, trust services providers, or for example certain telecommunications operators that provide public electronic communications networks and electronic communications services. The essential entities are also intended to include all central government units, and, interestingly, ground-based infrastructure operators that provide support for space-based services.

Important entities (providers of less critical services) will include for instance providers of online search engines and online marketplaces, as well as operators of social networking services platforms and postal services.

All of these types of entities will be subject to a range of cybersecurity requirements, such as risk analysis, producing business continuity plan and relevant safeguard testing and audit policies and procedures, or for example use of cryptography and encryption. These entities will also be required to deal with cybersecurity incidents on an ongoing basis, in a two-step procedure. Under this procedure, there will be a requirement to report an incident to the appropriate CSIRT within the extremely short time limit of 24 hours of learning of the incident.

National authorities will have the power to impose oversight measures, such as binding instructions or an order to make a public statement of breach of cybersecurity obligations, for non-compliance with the Directive by essential entities and important entities. In justified cases, they will be able to charge an administrative penalty of up to EUR 10 m or 2% of annual turnover of the entity concerned, if higher.

The proposal for NIS 2 is still at the legislative stage, but it is advisable to consider the future obligations that will be imposed on digital service providers now. The Directive is to be implemented within 18 months of the day on which it becomes law.

[1] Proposal for a Directive of the European Parliament and of the Council on measures for a high common level of cybersecurity across the Union, repealing Directive (EU) 2016/1148, COM/2020/823 final, at: https://ec.europa.eu/newsroom/dae/document.cfm?doc_id=72166