Introduction
Cybersecurity continues to be a key risk for organisations across all sectors. IBM, in its X-Force Threat Intelligence Index 2023 identified that organisations operating in the Manufacturing, Finance and Insurance, Professional, Business and Consumer Services, and Energy sectors combine to account for almost 70% of all reports attacks in 2022. A Eurobarometer survey undertaken in November/December 2021 however found that 28% of SME’s operating across industries experienced at least one cybercrime event in 2021.
The European Commission estimates that the cost of cybercrime to the global economy doubled in the five years leading up to 2020, to €5.5 trillion[1] Notwithstanding these stark figures, businesses within the EU spend significantly less on cybersecurity that those in the US[2].
Given that the impact of cybercrime can extend beyond economic factors and jeopardise democracy, peace and security, it is no surprise that the EU is working toward strengthening cybersecurity. In the first quarter of 2023 alone we have seen a significant bolstering of its legal framework with initiatives that seek to advance a comprehensive regulatory environment designed to scale as the level of the reliance on network systems within the EU increases in the years to come.
In this Insight we consider some of those security measures namely, Network and Information Security 2 Directive (NIS2), the Digital Operational Resilience Act (DORA) and the proposed EU Cyber Solidarity Act.
The Network and Information Security 2 Directive
The Network and Information Security 2 Directive builds on the first Network and Information Security Directive which sought to establish, in 2016, a common level of cyber security standards across the EU. That directive had limited success and in the face of a surge in cyber-attacks on Member State infrastructure in recent years, coinciding with the Covid-19 pandemic, the new NIS2 Directive aims to address fragmentation across Member States and to increase cybersecurity capabilities.
The NIS2 Directive aims to do all of this by:
(a) Strengthening of security requirements;
(b) Addressing the security of supply chains;
(c) Streamlining reporting obligations; and
(d) Implementing more stringent supervisory measures and enforcement requirements including harmonised sanctions across Member States.
Those that fell within the remit of the original NIS directive (banking and finance institutions, healthcare, energy, water supply, digital service provides, ICT service management, digital infrastructure and public administration bodies) will now need to comply with NIS2 Directive.
In addition, many medium and large organisations in “other critical sectors” will now fall under the remit of the NIS2 Directive.
These “other critical sectors” now include:
(a) the production, processing and distribution of food; (b) food manufacturers;
(c) postal and courier services;
(d) manufacturers of critical products including medical devices, transport equipment and pharmaceutical and healthcare equipment;
(e) waste management;
(f) research;
(g) social networking sites; and
(h) other data centre services and public electronic communication providers.
The NIS2 Directive may also apply to organisations outside of the EU or EEA if they provide an essential or important services to the European economy or society.
Breach Reporting
The NIS2 Directive sets out enhanced breach notification requirements where an organisation suffers from an incident which is likely to adversely affect the provision of its services or lead to financial loss. In Ireland, notifications are required to be made to the National Cyber Security Centre or, where applicable, to the affected organisation’s competent authority.
Once aware of a reportable incident, an organisation must submit:
(a) an early warning report within 24 hours.
(b) an additional intermediate update within the first 72 hours of being aware.
(c) a final report within a month of the filing of the interim update. The report must provide a description of the incident, the threat or root cause of the incident, mitigation measures applied and if applicable the cross-border impact of the incident.
(d) If an incident is ongoing for longer than one month a progress report must still be submitted at the one-month juncture with further reports to be submitted as necessary
Cyber Security Risk-Management Measures
The NIS2 Directive requires organisations to take ‘appropriate and proportionate technical and organisational measures’ to manage the risks posed to the security of the network and information systems which are used in the provision of services. Such measures should be interpreted broadly and range from policies on risk and cyber security to business continuity planning to the use of cryptography and encryption.
Governance
To ensure adequate oversight, the management of an organisation must approve its cyber security risk-management measures, oversee their implementation and can be held liable for infringements of those measures.
Penalties and Sanctions
Member States are granted discretion to set out effective, proportionate and dissuasive penalties for breaches of the NIS2 Directive including both criminal and civil liability. In addition to these penalties, and analogous to the GDPR, administrative fines may apply for certain breaches of up to €10 million or 2% of annual total worldwide turnover – whichever is larger.
The NIS2 Directive entered into force on 16 January 2023 and sets a transposition date of 17 October 2024 by which that Member States are to implement its provisions into national law. Organisations should now consider whether they are in scope of the Directive and begin preparations to ensure compliance, in particular with the strict incident reporting timeframes.
The Digital Operational Resilience Act
The Digital Operational Resilience Act (DORA) entered into force on 16 January 2023 and will apply from 17 January 2025. Importantly as DORA is a regulation, this means that the provisions set out will apply directly to those within scope from 17 January 2025.
DORA’s objective is to ensure financial entities have sufficient measures in place to prevent, mitigate, respond and recover from ICT related disruptions, risks and threats in order to ensure that the financial sector in Europe is able to stay resilient though severe operational disruption and cyber-attacks.
DORA gives a broad interpretation to ‘financial entities’ that fall within the scope of the regulation. Financial entities such as banks, insurance companies and investment firms are naturally in scope. However, DORA also applies to critical third parties which provide ICT services to financial entities such as:
(a) Account information service providers;
(b) Certain crypto asset service providers;
(c) Data reporting service providers; and
(d) Crowdfunding service providers;
In preparation for the application of DORA, financial entities should begin considering how to comply with the following key elements set out in the regulation:
(a) Financial entities must establish an ICT risk management framework that facilitates identification of risks, ensures protective and preventative measures are in place, consistent risk detection is carried out on a regular basis, appropriate response and recovery plans are in place and mechanisms are in place to allow entities to learn and evolve from threats.
(b) Entities must establish and implement a management process to monitor, log and classify ICT related incidents.
(c) Entities must report major ICT related incidents to competent authorities.
(d) All entities must conduct basic digital operational resilience testing.
(e) Monitor risk relating to the reliance on ICT third-party providers.
(f) Harmonise key elements of the service and relationship with ICT third-party providers to enable a ‘complete’ monitoring.
(g) Ensure that contracts with ICT third party providers contain all necessary monitoring and accessibility details such as a full service level description, indication of locations where data is being processed and other details.
Further prescriptive details on measures to be taken by financial entities will be set out Regulatory Implementing Standards (RTS) and Implementing Technical Standards (ITS) which will be developed by the European Supervisory Authorities (ESAs). The timeline for draft RTS and ITS to be submitted to the European Commission is between 12-18 months after DORA enters into force. On that basis firms may only have full clarity on requirements just 6 months before DORA becomes directly effective across all Member States on 17 January 2025. With this in mind it would be prudent for financial entities to begin preparations.
A proposal for an EU Cyber Solidarity Act
On 18 April 2023, the European Commission adopted a legislative package to strengthen cybersecurity capacities in the EU consisting of:
(A) A proposal for a regulation setting out measures to strengthen cyber security capabilities in the EU, to be called the Cyber Solidarity Act. It will support detection, preparedness as well as reinforce solidarity, concerted crisis management and response capabilities across Member States;
(B) A proposal for a regulation amending the Cybersecurity Act regarding managed security service known as the Managed security services amendment; and
(C) A communication from the European Commission seeking to close the cybersecurity talent gap to boost the EU’s competitiveness, growth and resilience known as The Cybersecurity Academy. The Academy aims to create a single point of entry and synergies for cybersecurity education and training offers as well as for funding opportunities and specific actions for supporting the development of cybersecurity skills. It will scale up stakeholders’ initiatives to reach a critical mass that will make a difference on the labour market, including for defence. Those activities would align along common goals and key performance indicators to seek greater impact.
The package aims to support detection and awareness of cybersecurity threats and incidents, bolster preparedness of critical entities, as well as reinforce solidarity, concerted crisis management and response capabilities across Member States. It is expected that the public will shortly be invited to share feedback the proposals via the EU Commission’s, Have Your Say consultation platform. A final text must then to be agreed between the European Parliament and Council of the EU and adopted under the ordinary legislative procedure. The regulations will then be adopted, published in the Official Journal of the European Union and enter into force in due course.
Conclusion
While NIS2, Dora and other EU cyber security initiatives address very different things than the GDPR, they do share goals in seeking to harmonise practices by Member States when it comes to technology. It is noteworthy that reporting obligations and the requirement that an organisation has appropriate technical and organisational measures to mitigate against risks draws from similar language from the GDPR.
The demand and requirement for appropriate cyber security resilience is only beginning to take hold so organisations should expect this web of legislation to sit alongside the GDPR when considering compliance obligations for operations in the EU. As a first step, organisations should give some thought as to whether any of these regulations may be applicable and if so, conduct a gap analysis to understand what it will take to ensure compliance as and when they come into effect.
[1] A cybersecure digital transformation in a complex threat environment, European Commission January 2021
[2]
Cybersecurity: why reducing the cost of cyberattacks matters, European Parliament 23/11/2013