By Szymon Ciach and Norbert Lutowski, Osborne Clarke

Pressured by the latest EU legislation, the IT sector is becoming a regulated industry. Some of these regulations are broader in scope, reaching far beyond this sector. Prominent among these laws are the new cybersecurity regulations.

In 2017, the European Commission published a communication, Resilience, Deterrence and Defence: Building strong cybersecurity for the EU. In this document, addressed to the European Parliament and the Council, the Commission articulated the basic principles of the revision of the NIS 1 (network and information systems) Directive, the content of which was far removed from modern digital realities and rapidly growing cybersecurity threats. The NIS 1 Directive[1] itself had been introduced into the EU legal system shortly before the communication, on 6 July 2016. However, its relatively conservative nature and narrow scope were among the direct reasons for its extremely rapid obsolescence.

NIS 2 Directive[2]

The changes introduced by the NIS 2 seek to improve the original directive, to ensure that the IT systems of the entities required to comply are watertight. The update significantly increases the list of sectors, industries and business fields affected by the cybersecurity regulations. This applies in particular to the manufacturing, waste management and ICT service management sectors.

A distinction has been made between essential and important entities, allowing for differentiation of penalties and supervisory measures depending on the significance of the entity concerned. ‘Essential entities’ are in particular those above the SME ceiling, active in one of the business sectors listed in Annex I of the Directive – the breadth of which is repeatedly underestimated.

Essential entities – defined as entities that provide services vital to the functioning of society and the economy – are considered to be an integral part of a critical infrastructure that crosses the territory of individual Member States. One of the prerequisites is size – essential entities are considered to be at least medium-sized enterprises, defined as those with more than 250 employees and an annual turnover exceeding €50 million, or with an annual balance sheet total exceeding €43 million. Another prerequisite is the relevant sector of the entity’s business activity, which can be any of industries as diverse as energy, digital infrastructure, wastewater or drinking-water management or space exploration. At the same time, some specific business profiles of companies have been identified as associated with the status of an essential entity regardless of size. These include trust service providers and DNS (Domain Name System) service providers.

Important entities are those whose activities are not absolutely crucial to the survival of the fabric of society and the EU economy, but which still have a serious impact. As in the case of the essential entities, the size criterion includes companies that are at least medium-sized or have an annual balance sheet total exceeding €43 million. A differentiating factor is the designated industries, such as postal and courier services, digital service providers or R&D.

Compared to the first version of the directive, NIS 2 introduces more detailed risk management requirements, including the obligation to implement basic technical and organisational measures in each entity, referred to by the directive as ‘cyber hygiene’. In addition, stricter reporting rules have been introduced for information security incidents – including the obligation to report their occurrence within the first 24 hours of their detection.

The new directive standards also address the topic of security in the supply chain, requiring essential and important entities to conduct a risk assessment of each supplier and its subcontractors, and to introduce appropriate measures to manage the risks identified. In addition, the directive introduces new, more severe financial penalties (in some situations up to 2% of a company’s annual worldwide turnover) and gives the relevant authorities broader supervisory powers.

Draft amendment to the Polish law on the National Cybersecurity System

NIS 2, as a directive, is a tool for the moderate harmonisation of member state law within the EU legal system. Its direct effect is achieved through the transposition of the standards it contains into national law – de facto the introduction of new provisions and the adaptation of old ones to the requirements set out in the EU act. However, each directive leaves a degree of discretion to member state legislators, allowing for more detailed or stricter treatment of certain issues.

The transposition of the NIS 2 Directive into Polish law is problematic. The current draft is already the umpteenth iteration, and one that is being processed after the transposition deadline set by the EU, which expires on 17 October 2024. Nevertheless, the current proposal for the revision includes measures to tighten some of the standards established by the directive.

In particular, any large enterprise operating in the sectors relevant to important entities will be granted essential-entity status, and the range of industries in which activity will always trigger requirements equal to those for essential entities will be extended.

The final form of the Polish implementation of the principles of the NIS 2 Directive requires further observation. The draft was planned to be enacted by the end of Q3 2024.

RCE Directive[3]

The RCE (resilience of critical entities) Directive focuses on the resilience of specific groups of entities in the EU deemed to be critical. While the NIS 2 Directive focuses on the security of the digital domain, the RCE Directive addresses the realm of physical security of information infrastructure – the physical facilities that ensure the functioning of information technology, including servers, network and transmission infrastructure, power generation centres and facilities (in particular nuclear).

Qualification as a critical entity occurs as a result of a single, specific decision by a member state. Potential critical entities are those operating in sectors such as energy, transport, banking, health and digital infrastructure. It is left to the member states to establish the final framework for the identification of critical entities.

The catalogue of regulated infrastructure operators includes internet traffic exchange point providers, DNS service providers, top-level domain name registries, cloud service providers, data processing service providers, content delivery network providers, trust service providers, public electronic communications network providers and electronic communications service providers. Providers of these services may fall under the NIS 2 Directive and the RCE Directive at the same time.

Member states will be able to provide financial support to fulfil the obligations set out in the RCE Directive, such as providing essential services should it become uneconomic for the operator to continue providing them.

Cybersecurity Act[4]

The aim of this regulation is to achieve a high level of cybersecurity, cyber resilience and trust in the EU by reorganising and strengthening ENISA (the European Union Agency for Cybersecurity). In pursuit of this objective, a legal framework has been established for voluntary EU cybersecurity certification to completely replace any analogous national certification available in member states.

Ultimately, this is intended to allow businesses to place products labelled as meeting EU cybersecurity standards on the common market.

Cyber Resilience Act (the “CRA”)[5]

At the time of writing, the CRA is in the draft stages of the legislative process. Its aim is to establish cybersecurity standards for products with digital elements – broadly defined as internet-connected devices. This primarily concerns devices based on so-called ‘Internet of Things’ or ‘IoT’ solutions.

As part of the new regulation, responsibilities for the security of software installed on these devices, other than the embedded, underlying software, are defined. This includes maintaining an adequate level of security for this software on the devices and the detection and remediation of vulnerabilities.

DORA Regulation[6]

The Digital Operational Resilience Act (DORA) is a sector-specific regulation addressed to financial sector entities. Its standards for these entities essentially replace the provisions of the NIS 2 Directive, introducing a much more thorough ICT risk management framework.

Key provisions of DORA address the ICT risk-management framework, in particular setting out requirements for certain entities to regularly test their operational resilience. In addition, the area of ICT incident management, including the reporting of incidents to the relevant authorities and the sharing of relevant cybersecurity information, is harmonised. As with the NIS 2 Directive, DORA addresses the issue of the supply chain of IT services with strict requirements for monitoring, verifying and collecting information on suppliers and their subcontractors.

In addition to the new legal framework for ICT in financial entities, DORA provides for the largest ICT providers in the EU to be subject to direct supervision by administrative authorities. Such providers will be designated by the authorities based on criteria set out in DORA in terms of the number and size of the financial entities to which they provide ICT services. Providers will have the possibility to self-identify as a key provider, as well as to appeal against a possible decision of the authority in this regard.

DORA raises compliance risks for financial market operators and IT suppliers working for financial market operators by transferring the legal framework, hitherto governed by supervisory guidelines, to the level of common law. Adapting to the new requirements is a major organisational challenge, involving the need to annex sometimes hundreds of contracts for ICT services, as well as to adopt and update internal procedures.

Summary

The recent cybersecurity regulations are part of a new wave of legislation cleaning up the digital sphere. Although only part of this larger whole, the significant financial penalties and the expansion of the powers of certain competent authorities, including supervisory authorities, ensure that they should be taken seriously here and now.

[1] Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union.

[2] Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity within the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972 and repealing Directive (EU) 2016/1148.

[3] Directive (EU) 2022/2557 of the European Parliament and of the Council of 14 December 2022 on the resilience of critical entities and repealing Council Directive 2008/114/EC.

[4] Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Cybersecurity Agency) and on information and communication technology cybersecurity certification and repealing Regulation (EU) No 526/2013.

[5] Proposal for a Regulation of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020.

[6] Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on operational digital resilience in the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011.