CyberItalia: The NIS 1 Directive and the new NIS 2 Directive in a nutshell
This second article for the CyberItalia series focuses on the NIS 1 Directive, the first European legislation aimed at harmonizing cybersecurity rules between Member States. We also look at the new NIS 2 Directive, which replaces NIS 1 with the aim of achieving a common, high level of cybersecurity and resilience in the EU.
NIS Directive 1
The NIS Directive 1 (Directive (EU) 2016/1148), where NIS stands for Network and Information Security, was adopted in 2016. It was the first legislative measure at European level aimed at enhancing cooperation between Member States and creating a first level of harmonization in the field of cybersecurity.
When?
Adopted on 6 July 2016, with transposition by 9 May 2018 (in Italy by Legislative Decree 65/2018, NIS Decree). The NIS Directive 1 was repealed with the entry into force of the NIS 2 Directive (see below).
Who is it addressed to?
The NIS Directive 1 identifies two categories of entities to which specific provisions are addressed:
- Operators of essential services (ESP): public or private entities that play an important role for society and the economy and provide essential services (commonly identified as critical infrastructure). Member States directly identify ESPs in critical sectors (energy, transport, banking, financial markets, health, drinking water supply and distribution, and digital infrastructure) on the basis of how essential the service is and the risks related to an incident affecting the service.
- Digital service providers (DSP): companies that provide e-commerce, cloud computing or search engine services (unless they are SMEs).
The NIS Directive 1 leaves Member States free to expand the sectors or categories of entities to which the cybersecurity obligations apply.
What does it provide for?
The NIS Directive 1 requires Member States to:
- adopt a national cybersecurity strategy that defines strategic objectives and priorities, appropriate policies and regulatory measures at the national level;
- ensure international cooperation and collaboration with ENISA (the European Union Agency for Network and Information Security) through identified mechanisms; and
- designate national authorities, contact points and the CSIRT (Computer Security Incident Response Team), responsible for security incident monitoring at the national level.
With regard to ESP and DSP, the NIS Directive 1 essentially imposes two sets of obligations:
- Security measures – adopt appropriate and proportionate security measures to manage risks and to prevent and minimize the impact of security incidents (with some more specific measures for the DSPs).
- Incident reporting – notify the competent authorities or the CSIRT, without undue delay, of incidents with a significant impact on the continuity of essential services (assessed on the basis of the number of users affected, the duration of the incident and its geographical spread).
NIS Directive 1 also encourages entities not identified as ESPs and DSPs to report incidents with significant impact on a voluntary basis.
NIS Directive 2
The NIS Directive 2 (Directive (EU) 2022/2555) responds to the need to update and strengthen the regulatory framework provided by the NIS Directive 1. Major divergences in the implementation of the obligations under the NIS Directive 1 have led to uneven levels of security and vulnerability among the Member States, with possible impacts on the EU as a whole.
The objective of the NIS Directive 2 – which repeals the NIS Directive 1 – is to eliminate the divergences between legal systems, reinforcing cybersecurity obligations, expanding the number of sectors and actors involved and increasing cooperation among Member States to achieve greater uniformity of application.
When?
Adopted on 14 October 2022, currently in force but to be transposed into national legislation by 17 October 2024.
Who is it addressed to?
The NIS Directive 2 abandons the distinction between ESPs and DSPs. Instead, it introduces uniform criteria to identify the two new categories of entities that will be subject to the obligations of the Directive, namely:
- “essential” subjects
- “important” subjects
These entities are to be identified in the “essential” sectors, which include both the sectors already identified under the NIS Directive 1 and a further list of “highly critical” sectors (eg health services, postal services, food and machinery/equipment sector, further digital services). A size criterion is also applied, which excludes small and medium-sized enterprises from the scope of application, with some exceptions depending on the criticality of the service provided (eg electronic communication or trust services).
It will be up to the Member States to define, by 17 April 2025, a list of essential and important players that will be required to provide the necessary information.
What does it provide for?
The NIS Directive 2 substantially strengthens the obligations already present in the NIS Directive 1, in particular:
- Security measures – entities must adopt appropriate and proportionate technical, operational and organizational security measures, following a “multi-risk” approach, in order to:
  - manage the security risks to the network and information systems that the entities use for their operations or for the provision of their services; and
  - prevent or minimize the impact of incidents on the recipients of the services and on other services.
- Incident reporting – the obligations to report and notify “significant incidents” to the authorities and the CSIRT are strengthened through a multi-stage scheme with predefined timeframes: an early warning within 24 hours of becoming aware of the incident, followed by a detailed incident notification within 72 hours of becoming aware of it. Where appropriate, significant incidents must also be notified without undue delay.
The NIS Directive 2 provides for a minimum list of security measures that must be implemented.
In addition to these provisions, the NIS Directive 2 requires Member States to adopt supervisory and enforcement measures (eg audits and inspections), and introduces new obligations regarding the sharing of cybersecurity information.