13 December 2024

Innovation Law Insights

Data Protection and Cybersecurity

NIS2 Directive from regulation to practice: ENISA’s draft guidance on the implementing Act as a cybersecurity tool

The European Union Agency for Cybersecurity (ENISA) recently published a draft technical guidance to help entities falling within the scope of Implementing Regulation (EU) 2024/2690 of 17 October 2024 to implement the technical and methodological requirements of the security measures set by Directive (EU) 2022/2555 (NIS2 Directive).

Besides providing specific assistance to entities falling within the scope of the Implementing Regulation (EU) 2024/2690, the draft technical guidance provides valuable insights into the technical and methodological requirements for risk-management measures under the NIS2 Directive. It provides an advantageous tool for all entities looking to improve their cybersecurity practices and comply with the NIS2 Directive.

The NIS2 Directive and its implementing act

The NIS2 (Network and Information Security) Directive is a significant evolution in the EU’s approach to cybersecurity. Adopted to replace the original NIS Directive, the NIS2 Directive aims to enhance the resilience and incident response capabilities of critical infrastructure across the EU.

The NIS2 Directive broadens the scope of entities covered by the NIS Directive, including more sectors and services critical to the economy and society. It emphasizes a risk-based approach to cybersecurity, requiring entities to implement appropriate and proportionate security measures. The NIS2 Directive also introduces stricter supervisory measures and enforcement powers, including higher penalties for non-compliance.

Member states had to transpose the NIS2 Directive’s requirements into national law by 17 October 2024. On the same date, the EU Commission adopted Implementing Regulation (EU) 2024/2690 (Implementing Act) to provide detailed technical and methodological requirements for the cybersecurity measures outlined in the NIS2 Directive. The Implementing Act is aimed at different types of operators, including DNS service providers, top-level domain name (TLD) registries, cloud computing and data centre service providers, online marketplace platforms, search engines and social networks. It defines the technical and methodological standards for cybersecurity risk management and specifies the criteria for determining when an incident can be considered significant.

Purpose and scope of the draft technical guidance

On 7 November 2024, the date on which the Implementing Act entered into force, ENISA, in collaboration with the Commission and the EU member states in the NIS Cooperation Group (NIS CG), published the draft technical guidance. This 155-page non-binding document is designed to offer detailed advice and practical examples to help entities understand and comply with the cybersecurity measures mandated by the NIS2 Directive. It provides additional explanations of concepts and terms used in the legal text, examples of evidence that can be used to demonstrate compliance, and tables mapping the security requirements to various European and international standards, as well as national frameworks.

The draft technical guidance, following the same scope as the NIS2 Implementing Act, lays down the technical and methodological requirements for a wide range of NIS2 subsectors:

  • DNS service providers
  • Top-level domain (TLD) name registries
  • Cloud computing service providers
  • Data centre service providers
  • Content delivery network (CDN) providers
  • Managed service providers (MSPs)
  • Managed security service providers (MSSPs)
  • Providers of online marketplaces, online search engines, and social networking services platforms
  • Trust service providers

In addition to these entities, which are directly covered by the Implementing Act, the Draft Technical Guidance offers insights into the technical and methodological requirements of the cybersecurity risk-management measures outlined in the NIS2 Directive that could be beneficial for other public or private actors aiming to enhance their cybersecurity practices.

Structure and content of the technical guidance

The draft technical guidance is a comprehensive document structured to facilitate ease of use and practical enactment of the Implementing Act. It contains several key sections:

  • Technical requirements: The draft covers the overarching cybersecurity requirements that all entities have to adhere to, regardless of their specific sector, including guidelines on risk management, incident handling, business continuity and governance. It also delves into more specific requirements for different sectors, providing tailored advice for each type of entity covered by the Implementing Act.
  • Implementation advice and evidence gathering: These practical sections offer detailed advice on how to implement the requirements, including examples of evidence that can be used to demonstrate compliance. It aims to make the legal text more accessible and actionable for entities.
  • Additional general tips: As the advice and examples of evidence laid down in the draft technical guidance aren’t intended to be exhaustive, the draft also includes additional general tips for entities to consider when implementing the NIS2 Directive and the Implementing Act, allowing them to choose alternative methods to fulfil a requirement or use different evidence to demonstrate compliance.
  • Mapping tables: One of the most valuable features of the Draft Technical Guidance is the inclusion of mapping tables. These tables correlate each requirement with relevant European and international standards or frameworks, such as ISO/IEC 27001, NIST Cybersecurity Framework, and national frameworks. This helps entities align their cybersecurity measures with widely recognized standards, facilitating compliance and enhancing security posture.

Key findings and conclusions

ENISA’s draft technical guidance is a significant step forward in supporting the implementation of the NIS2 Directive. By providing detailed, practical advice and mapping the requirements to established standards, the guidance helps entities navigate the complex landscape of cybersecurity compliance.

Once finalized and adopted, the guidance will be a crucial tool for entities covered by the NIS2 Directive. It will provide the detailed, practical support needed to implement the NIS2 Directive and Implementing Act’s requirements effectively. By aligning the requirements with established standards and offering practical advice, it will also help entities enhance their cybersecurity posture and comply with the new regulatory framework.

As the consultation process progresses towards the deadline set for 9 January 2025, it’s essential for stakeholders to engage and provide feedback to ensure that the final guidance is as effective and practical as possible. The successful implementation of NIS2 will depend on the collaboration between regulators, industry stakeholders, and cybersecurity experts, and the ENISA technical guidance is a vital component of this collaborative effort.

Author: Marianna Riedo


Intellectual Property

Online evidence and demonstration of design disclosure

The Third Board of Appeal’s recent decision in case R 0005/2024-3 (Buildings [transportable]) is an important reflection on the use of online evidence in invalidity proceedings for registered designs. The case ended with the rejection of the application for a declaration of invalidity and the annulment of an earlier decision of the Invalidity Division, based on the insufficiency of the evidence submitted to prove the disclosure of earlier designs under Article 7(1) of Regulation (EC) No 6/2002 (CDR).

Context of the dispute: The parties’ arguments and the Invalidity Division’s decision

The dispute stems from an application for invalidation filed against the registered design Buildings [transportable], based on the alleged lack of novelty and individual character, pursuant to Articles 5 and 6 CDR, combined with Article 25(1)(b) CDR.

The invalidity applicant had provided hyperlinks to alleged earlier designs published online as main evidence. The argument was that these designs had been disclosed in such a way as to be reasonably known to specialised circles in the sector, fulfilling the disclosure requirements of Article 7(1) CDR.

In response, the holder of the challenged design had argued:

  • Insufficient evidence of disclosure: Hyperlinks alone don’t demonstrate actual disclosure of earlier designs, as detailed reproductions, multiple perspectives and verifiable data allowing for meaningful comparison were lacking.
  • Insufficient features of the earlier drawings: The images of the earlier drawings didn’t highlight the relevant features, making an accurate comparison impossible.
  • Obvious differences: The contested design had distinctive elements that were immediately recognisable to an informed user, differentiating it from earlier designs.

Notwithstanding these arguments, by decision of 2 November 2023, the Invalidity Division declared the contested design invalid. It found the evidence submitted by the applicant to be sufficient to prove disclosure and ordered the owner of the design to bear the costs of the proceedings.

Appeal by the holder

The design owner had appealed the decision of the Invalidity Division, contesting its merits and arguing that the decision was based on an erroneous interpretation of Article 7(1) CDR. In the appeal, the holder had reiterated:

  • Inadequacy of online evidence: The mere presence of hyperlinks or URLs doesn’t prove with certainty the disclosure of prior art, given the possibility of alterations, removals or difficulties in later identification of the information contained.
  • Lack of concrete comparative elements: The reproductions of earlier designs provided by the applicant weren’t sufficiently detailed to permit a strict examination of novelty or individual character.

The Third Board of Appeal’s decision

The Third Board of Appeal upheld the appeal of the challenged design owner and annulled the contested decision of the Invalidity Division. In its analysis, the board highlighted several key points:

  • Disclosure as a prerequisite: Disclosure pursuant to Article 7(1) CDR is an essential prerequisite for the application of Articles 5 and 6 CDR. As disclosure wasn’t adequately demonstrated, there was no need to further examine the novelty or individual character of the challenged design.
  • Insufficiency of links: A hyperlink or URL cannot constitute independent evidence of disclosure, even if active, unless it’s accompanied by concrete evidence, such as screenshots or printouts that include the full content and the relevant URL. This criterion is consistent with the guidelines provided by CP 10 Common Practice – Criteria for assessing disclosures on the Internet.
  • Rejection of the invalidity application: In the absence of adequate proof of disclosure, the invalidity application based on Article 25(1)(b) CDR, read in conjunction with Article 4 CDR, was rejected.

Conclusion

The decision of the Third Board of Appeal is an important step in establishing strict criteria for evaluating online evidence in invalidity proceedings. It reaffirms that disclosure is a crucial element in applying Articles 5 and 6 CDR and that digital evidence must be concrete, verifiable and detailed to be considered valid.

This case underlines the importance of careful preparation of evidence in community design proceedings and contributes to enhancing legal certainty and protecting intellectual property in an increasingly digital environment.

Author: Maria Rita Cormaci


Food and Beverage

EU food labels are confusing consumers

Food labels in the EU are causing increasing confusion among consumers. This is the finding of a report by the European Court of Auditors, which highlights how the current regulatory system fails to ensure transparency and clarity in an increasingly complex market.

According to the report, claims, logos, and information are proliferating without sufficient regulation, making it difficult for consumers to distinguish reliable information from misleading messages. While Regulation (EU) 1169/2011 requires basic information and Regulation (EC) 1924/2006 governs nutritional and health claims, the system has significant gaps. In particular, the absence of nutrient profiles allows unhealthy products, such as those high in sugars, fats, or salt, to claim health benefits due to the addition of vitamins or fibre.

Another critical issue concerns claims related to plant substances and preparations, on which EFSA has suspended evaluations since 2010. With over 2,000 unregulated claims, each member state has adopted different approaches, leading to regulatory inconsistency. Allergen labelling also faces criticism: vague terms like “may contain” unnecessarily limit choices for people with allergies. And there’s a lack of harmonized European definitions for vegetarian and vegan products. The confusion increases further with front-of-pack nutritional labels, where systems like Nutri-Score and NutrInform Battery coexist. This lack of harmonization, which was supposed to be addressed by the Farm to Fork strategy by 2022, leaves consumers with six different labelling schemes, each with its own evaluation method. Environmental claims often lead to greenwashing due to inconsistent criteria, contributing to overall distrust.

The report also criticizes the lack of attention given to consumer education: from 2021 to 2025, the EU allocated only EUR 5.5 million to awareness campaigns on labelling. While official controls on mandatory information are effective, those on voluntary claims and online products are insufficient. The penalties applied are often inadequate and not enough of a deterrent.

The Court of Auditors makes five key recommendations to the European Commission to be implemented by 2027. These include addressing regulatory gaps, monitoring labelling practices, strengthening controls, improving reporting, and investing more in consumer education. To ensure truly informed food choices, the EU must act urgently by adopting a clearer, more consistent regulatory framework focused on consumer protection.

Author: Carlotta Busani


Technology Media and Telecommunication

AGCom publishes Resolution 459/24/CONS on the definition of technical standards for optical fibre cables to be followed by undertakings awarded tenders for implementing network infrastructure

On 20 November 2024, the Italian Communications Authority (AGCom) published Resolution 459/24/CONS concerning the “Definition of technical standards for optic fibre cables to be followed by undertakings who awarded tenders for the implementation of network infrastructure”.

The resolution establishes the technical rules for implementing optic fibre network infrastructure by operators awarded tenders for the development of broadband networks financed with state aid. It was adopted in compliance with Law No 10 of 1 February 2023, which gives AGCom a new competence in the identification of technical standards.

Law No 10/2023 converted Law Decree No 187/2022 on urgent measures to protect the national interest in strategic productive sectors. Its Article 2-bis amended Law No 249 of 31 July 1997 (the law establishing AGCom) to include the provision according to which the Authority, having heard the opinion of the Ministry of Enterprises and Made in Italy, “identifies, for optic fibre cables, the technical standards to be followed by those who awarded tenders for the realization of the network infrastructure, so as to ensure adequate levels of quality and high performance of connectivity”.

The AGCom’s new competence is part of the EU’s framework of objectives regarding connectivity, first included in the 2016 Communication on Connectivity for a Digital Single Market in Europe (known as “Gigabit Society”). It was followed by the 2021 Communication on the Digital Decade (known as “Digital compass”). Both of these merged into Decision 2022/2481 of the European Parliament and of the Council establishing the Strategic Agenda for the Digital Decade 2030.

With reference to digital infrastructure, this decision establishes that “all end users at a fixed location are covered by a gigabit network up to the network termination point, and all populated areas are covered by next-generation wireless high-speed networks with performance at least equivalent to that of 5G, in accordance with the principle of technological neutrality”.

As stated in Annex A to resolution 459/24/CONS, achieving these objectives requires adequate investment, and private investors are the primary source of investment, which may be supplemented by public funds if necessary in compliance with state aid rules. For aid to be approved, AGCom points out, it’s necessary for fixed and mobile networks financed by the state to present significantly more advanced characteristics than existing networks. This introduces a “step change” which is achieved if, as a result of the state intervention:

  • the development of the fixed or mobile network financed by the state represents a new, substantial investment; and
  • the state-financed network brings significant new capacity to the market in terms of availability, capacity, speed and competition of broadband services.

The AGCom’s intervention to define technical standards for fibre optic cables is functional to ensure “adequate quality levels” and “high connectivity performance” for all types of networks that will be built with public funding, while preserving for each individual type the characteristics, in terms of requirements and performance, identified on the basis of the indications contained in the Guidelines on State Aid for Broadband Networks (Commission Communication 2023/C 36/01).

The standards identified by AGCom cover various technical aspects related to fibre optic cables:

  • The choice of cable type (e.g. micro-cable, cable for underground/aerial laying, multi-fibre/mono-fibre cable). Annex A to the resolution states that the choice of cable type is determined by the specific infrastructure and construction conditions relevant to the specific case. The same applies to the geometric, mechanical and construction material characteristics of cables containing optical fibres, as they’re highly dependent on the context in which they’re deployed. In concrete terms, the choice of cable type is determined by the contracting authority in individual calls for tenders on the basis of design specifications and infrastructural and construction conditions, consistent with the step change objectives.
  • The potential of the cable to be used. This, too, depends on the specific installation context and is determined by the contracting party in the various calls for tender, although it’s possible to set principles which must be followed for the choice of cable potential. In any case, the implementation of the connection must comply with the national regulations on the production of electrical and electronic materials, equipment, machinery, installations, and facilities under Law No 186/1968.
  • Optic fibre cables used in the context of backhauling connections, with terrestrial, aerial or submarine laying. In this regard, the AGCom provides that the potential of optic fibre cables for backhauling routes must ensure adequate additional capacity available to guarantee wholesale access to all its components, active and passive, under fair and non-discriminatory conditions to all interested parties.
  • The primary and secondary optic fibre access network. Also in this case, as pointed out by AGCom, cable potential must ensure adequate additional available capacity.
  • The optic fibre termination segments. In particular, Annex A states that the capacity of fibre optic cables for the termination segment must ensure adequate additional available capacity and comply with the suggestions set forth by a specific guide (IEC 306-2).
  • Product certification related to optic fibre cable components. The AGCom points out that the contracting authority can require appropriate certification to ensure optimal quality and durability of all optic fibre cable components for at least 20 years.

Authors: Massimo D’Andrea, Flaminia Perna, Arianna Porretti


Innovation Law Insights is compiled by DLA Piper lawyers, coordinated by Edoardo Bardelli, Carolina Battistella, Carlotta Busani, Giorgia Carneri, Noemi Canova, Gabriele Cattaneo, Maria Rita Cormaci, Camila Crisci, Cristina Criscuoli, Tamara D’Angeli, Chiara D’Onofrio, Federico Maria Di Vizio, Nadia Feola, Laura Gastaldi, Vincenzo Giuffré, Nicola Landolfi, Giacomo Lusardi, Valentina Mazza, Lara Mastrangelo, Maria Chiara Meneghetti, Deborah Paracchini, Maria Vittoria Pessina, Marianna Riedo, Tommaso Ricci, Rebecca Rossi, Roxana Smeria, Massimiliano Tiberio, Federico Toscani, Giulia Zappaterra.

Articles concerning Telecommunications are curated by Massimo D’Andrea, Flaminia Perna and Matilde Losa.

For further information on the topics covered, please contact the partners Giulio Coraggio, Marco de Morpurgo, Gualtiero Dragotti, Alessandro Ferrari, Roberto Valenti, Elena Varese, Alessandro Boso Caretta and Ginevra Righini.

Learn about Prisca AI Compliance, the legal tech tool developed by DLA Piper to assess the maturity of AI systems against key regulations and technical standards here.

You can learn more about “Transfer”, the legal tech tool developed by DLA Piper to support companies in evaluating data transfers out of the EEA (TIA) here, and check out a DLA Piper publication outlining gambling regulation here, as well as a report analyzing key legal issues arising from the metaverse here, and a comparative guide to regulations on lootboxes here.

If you no longer wish to receive Innovation Law Insights or would like to subscribe, please email Silvia Molignani.
