paul@paulfoleylaw.ie
22 Northumberland Road, Dublin D04 ED73, Ireland, EU
The coming avalanche in cybersecurity related obligations

By Paul Foley
Cyber-attacks, besides being among the fastest-growing forms of crime worldwide, are also growing in scale, cost and sophistication. As a consequence, a raft of EU cybersecurity legislation affecting providers and users of digital services and digital equipment will take effect in 2024 and thereafter.

Cyber Resilience Act (CRA)

The context here is that, while existing internal market legislation applies to certain products with digital elements, most hardware and software products are currently not covered by any EU legislation addressing their cybersecurity.

The CRA (Brussels, 15.9.2022 COM (2022) 454 final) is expected to be finalised, adopted and come into force early in 2024, and to apply 24 or 36 months from the date of its entry into force. However, the CRA's Art 11 reporting obligations, concerning actively exploited vulnerabilities and incidents, are expected to apply 12 months from the entry into force of the CRA.

Amongst other obligations, products with digital elements (as defined) may only be made available on the market where: (1) they meet the Annex I, section 1 essential requirements (security requirements relating to the properties of products with digital elements); and (2) the processes put in place by the manufacturer comply with the Annex I, section 2 essential requirements (vulnerability handling requirements) (see in particular Art 5 and Art 10 (obligations of manufacturers)). Annex I and Annex III of the CRA will require detailed review by manufacturers. The Commission argues that the CRA will minimise the regulatory burden placed on manufacturers by several product safety acts.

Regulation (EU) 2022/2554 (DORA)

DORA is in force. Member States have to publish the necessary implementing legislation by 17 January 2025. DORA is accompanied by Directive (EU) 2022/2556 (the DORA Directive), which also applies from 17 January 2025. As the Central Bank of Ireland has stated, regulated financial entities should recognise similarities between a number of key DORA requirements and existing Central Bank guidance in relation to Outsourcing, Operational Resilience and IT & Cybersecurity Risks, as well as existing sectoral guidelines.

Directive (EU) 2022/2555 (NIS2)

The review of NIS1 (Directive (EU) 2016/1148) evidenced a wide divergence in its implementation across Member States, and there are also divergences in its supervision and enforcement. Hence the need for, and adoption of, NIS2.

This article focuses on the private sector aspects of NIS2. NIS2 is in force and is much wider in scope and more prescriptive than NIS1 (which is repealed as of 18.10.2024). Art 20 and Art 21 (referred to below) are particularly onerous. Member States have until 17 October 2024 to adopt and publish the measures necessary to comply with NIS2.

In-scope entities

Entities subject to NIS2 are classified as essential entities and important entities (see Art 3, Annex I (sectors of high criticality) and Annex II (other critical sectors) of NIS2). All entities of the types listed in Annexes I and II that do not qualify as essential entities are considered important entities (Art 3(2)).

Essential and important entities have the same cybersecurity risk-management and reporting requirements, but different supervision, enforcement and fines regimes apply to each.

Examples of in-scope entities

Digital Infrastructure, ICT Service Management and Digital providers

DNS service providers, TLD name registries, entities providing domain name registration services, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers and managed security service providers are all in scope. Additionally, providers of online marketplaces, of online search engines or of social networking services platforms are also in scope.

Manufacture, production and distribution of chemicals

Undertakings carrying out the manufacture of substances and the distribution of substances or mixtures, as referred to in Article 3(9) and (14) of Regulation (EC) No 1907/2006 (REACH Regulation), and undertakings carrying out the production of articles, as defined in Article 3(3) of that Regulation, from substances or mixtures, are in scope.

Health

Entities manufacturing medical devices considered to be critical during a public health emergency (public health emergency critical devices list) within the meaning of Article 22 of Regulation (EU) 2022/123 are in scope.

Transport: Air transport

Air carriers as defined in Article 3(4) of Regulation (EC) No 300/2008 (on common rules in the field of civil aviation security) used for commercial purposes are in scope.

Art 3 entities in scope

  • qualified trust service providers, regardless of their size;
  • providers of public electronic communications networks or of publicly available electronic communications services which qualify as medium-sized enterprises.

Management requirements

Management bodies of essential and important entities must approve the entity's Art 21 cybersecurity risk-management measures and oversee their implementation. Management bodies can be held liable for infringements by the entities of the Art 21 obligations (Art 20(1)).

Members of the management bodies of essential and important entities are required to follow training, and must offer similar training to their employees on a regular basis, so that they gain sufficient knowledge and skills to identify risks and assess cybersecurity risk-management practices and their impact on the services provided by the entity (Art 20(2)).

Technical, operational and organisational measures

Compliance with the Art 21 measures (set out just below) will require detailed legal review.

Essential and important entities must take technical, operational and organisational measures to manage the risks posed to the security of the network and information systems which they use for their operations or for the provision of their services (Art 21(1)).

The measures must include at least the following:

  1. policies on risk analysis and information system security;

  2. incident handling;

  3. business continuity;

  4. supply chain security;

  5. security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure;

  6. policies and procedures to assess the effectiveness of cybersecurity risk-management measures;

  7. basic cyber hygiene practices and cybersecurity training;

  8. policies and procedures regarding the use of cryptography and, where appropriate, encryption;

  9. human resources security, access control policies and asset management;

  10. the use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate (Art 21(2)).

Reporting requirements

Essential and important entities must submit to the CSIRT (as defined) or, where applicable, the competent authority:

Early warning

without undue delay and in any event within 24 hours of becoming aware of the significant incident, an early warning, which, where applicable, must indicate whether the significant incident (a) is suspected of being caused by unlawful or malicious acts, or (b) could have a cross-border impact;

Incident notification

without undue delay and in any event within 72 hours of becoming aware of the significant incident, an incident notification, which, where applicable, must update the information referred to just above (i.e. the early warning) and indicate:

  • an initial assessment of the significant incident, including its severity and impact; and
  • where available, the indicators of compromise.

Intermediate report

on the request of the CSIRT or, where relevant, the competent authority, an intermediate report on relevant status updates;

Final report

a final report not later than one month after the submission of the incident notification referred to just above, including the following:

  • a detailed description of the incident, including its severity and impact;
  • the type of threat or root cause that is likely to have triggered the incident;
  • applied and ongoing mitigation measures; and
  • where applicable, the cross-border impact of the incident (Art 23(4)).

Trust service provider exception

By way of derogation, a trust service provider must, with regard to significant incidents that have an impact on the provision of its trust services, notify the CSIRT or, where applicable, the competent authority, without undue delay and in any event within 24 hours of becoming aware of the significant incident (Art 23(4) last paragraph).

Non-EU established providers

DNS service providers, TLD name registries, entities providing domain name registration services, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers and managed security service providers, as well as providers of online marketplaces, of online search engines or of social networking services platforms, which are not established in the Union but offer services within the Union, must designate a representative in the Union (Art 26(3)).

The representative must be established in one of those Member States where the services are offered (Art 26(3)).

Registry of entities

ENISA must create and maintain a registry of digital infrastructure, ICT service management and digital providers (Art 27(1)).

The Art 27(1) entities are required to submit the following information to the competent authorities by 17 January 2025:

  1. the name of the entity;

  2. the relevant sector, subsector and type of entity referred to in Annex I or II, where applicable;

  3. the address of the entity’s main establishment and its other legal establishments in the Union or, if not established in the Union, of its representative designated pursuant to Article 26(3);

  4. up-to-date contact details, including email addresses and telephone numbers of the entity and, where applicable, its representative designated pursuant to Article 26(3);

  5. the Member States where the entity provides services; and

  6. the entity’s IP ranges (Art 27(2)).

The Art 27(1) entities are also required to notify the competent authority of any changes to the information submitted under Art 27(2) without delay, and in any event within three months of the date of the change (Art 27(3)).

Supervision and enforcement powers in relation to essential entities and important entities

The supervision and enforcement powers of competent authorities under NIS2 differ between essential entities (set out in Art 32) and important entities (set out in Art 33).

For example, under Art 32(5), Member States must ensure that their competent authorities have the power to:

  1. suspend temporarily, or request the temporary suspension of, a certification or authorisation concerning part or all of the relevant services provided or activities carried out by the essential entity;

  2. request, in accordance with national law, the temporary prohibition of any natural person who is responsible for discharging managerial responsibilities at chief executive officer or legal representative level in the essential entity from exercising managerial functions in that entity (Art 32(5) extract). This power is not included in Art 33.

Another example is provided by Art 34(4), which requires that infringements by essential entities of the obligations laid down in Art 21 or Art 23 are subject to administrative fines of a maximum of at least €10 million or 2% of the total worldwide annual turnover in the preceding financial year of the undertaking to which the essential entity belongs, whichever is higher.

Under Art 34(5), Member States must ensure that infringements by important entities of the obligations laid down in Art 21 or Art 23 are subject to administrative fines of a maximum of at least €7 million or 1.4% of the total worldwide annual turnover in the preceding financial year of the undertaking to which the important entity belongs, whichever is higher.

There are additional obligations imposed on TLD name registries and entities providing domain name registration services in Art 28 (not reproduced here).

Cybersecurity Act 2019 (Regulation (EU) 2019/881)

In 2019, the Cybersecurity Act (the Act) entered into force. Amongst other things, it aims to enhance the security of ICT products, ICT services and ICT processes by introducing a voluntary European cybersecurity certification framework.

Finally, on 18 April 2023, the European Commission adopted a proposal for a Regulation amending the Act as regards managed security services. The proposal aims to avoid fragmentation of the internal market by enabling the adoption of European cybersecurity certification schemes for managed security services. The Commission argues that there is a concrete risk of fragmentation of the internal market for these services, which the proposal aims to address.


For advice and drafting in relation to any of the EU measures above, please contact paul@paulfoleylaw.ie.
