Consultation on the proposed revision to the Directive on Security of Network and Information Systems (NIS Directive)

On 16 December 2020, the European Commission published proposals to revise and update Directive (EU) 2016/1148 on security of network and information systems (NIS Directive), which is the first piece of EU-wide legislation on cybersecurity and provides legal measures to boost the overall level of cybersecurity in the EU. While the proposed legislation continues the sectoral approach of its predecessor, it provides for a more comprehensive coverage of sectors and services considered to be of vital importance to the European single market. This proposal is the basis for negotiations with Ireland and other Member States on new cybersecurity legislation via an updated Directive (NIS 2.0) that is now getting underway in Brussels.

The digital transformation of society (intensified by the COVID-19 public health emergency) has expanded the threat landscape and is bringing about new challenges which require adapted and innovative responses. This proposed new legislation on cybersecurity requires increased national cybersecurity capabilities, improved EU level cross border coordination and cooperation arrangements, and enhanced regulation of industry and public sector interests.

The current number of entities that qualify under the existing NIS Directive sectors (energy, transport, banking and financial market infrastructure, health, drinking water, digital infrastructure and certain digital service providers) will be expanded. In addition, new sectors and services are proposed to be included, such as:

• Energy, such as – electricity producers, nominated electricity market operators, electricity market participants, district heating and cooling, central oil stockholding, hydrogen
• Health, such as – reference laboratories, research and development of medicinal products, manufacturing of pharmaceuticals and medical devices
• Wastewater management
• Digital infrastructure such as – data centres, content delivery network providers, telecoms and trust service providers
• Public administration
• Space
• Postal and courier services
• Chemicals
• Waste management
• Food
• Manufacturing services such as – medical devices; computer, electronic and optical products; electrical equipment; machinery; motor vehicles and (semi-)trailers; transport equipment
• Digital providers such as - social-networking platforms

All public and private sector entities in these sectors and services, and the sectors in the existing NIS Directive, that do not meet the size exemption for micro and small business are to be automatically within scope of the governance, risk management, security and reporting obligations. This is to replace the categories of operators of essential services and digital service providers under the existing Directive.

The proposal introduces governance measures requiring undertakings to approve and supervise cybersecurity risk management provisions, and adds a number of minimum basic security elements that must be provided for in any event. In addition, the proposal introduces express requirements to manage third party risks in supply chains and supplier relationships that entities may, and certain essential entities must, demonstrate compliance through obtaining cybersecurity certification under the EU-wide cybersecurity certification framework envisaged by the EU Cybersecurity Act (Regulation 2019/881).

Other elements of the proposal include increased reporting requirements in terms of what must be reported, to whom reports must be made, and within what timeframe. A much greater range of incidents will need to be reported, since any significant incident has to be notified, as will any significant cyber threat that could have potentially resulted in a significant incident.

As part of increased supervision and enforcement measures, EU Member States would be required to provide for administrative fines up to at least €10,000,000 or 2% of the total worldwide turnover (at an undertaking level), whichever is higher. Cyber crisis management will also come within the remit of the proposed Directive. There are also provisions on coordinated vulnerability disclosure and structured information sharing arrangements. There is a focus on increased scrutiny of Member State resourcing through peer reviews of Member States capabilities and resourcing, and obligatory provisions on mutual assistance between authorities.

The scope also includes regulation of top level domain registries and their registrars as regards record keeping, transparency and lawful access in accordance with the General Data Protection Regulation. This is to facilitate law enforcement access in the interests of addressing cybercrime.

This consultation is being held to gather the views of stakeholders which will help us to develop a negotiating position on the Commission’s Proposal.

All relevant documentation, including the European Commission’s proposed new Directive, Annexes and accompanying impact assessment is available online at the Commission’s NIS 2.0 webpage.

The closing date for submissions is 5.30pm Friday 19 March 2021

Submissions should include NIS 2.0 in the subject field and be sent by email to cybersecurityconsultations@decc.gov.ie

In cases where responses exceed five pages, respondents are advised to include a concise executive summary.

We are committed to engaging with stakeholders in a clear, open and transparent manner. Any person or organisation can make a submission in relation to this consultation. All submissions and feedback will be taken into consideration in informing positions to be adopted in negotiations.

Please note that responses to this consultation are subject to the provisions of the Freedom of Information Act 2014 (FOI), Access to Information on the Environment Regulations 2007-2014 (AIE) and the Data Protection Act 2018.

Please also note that the Department intends to publish the contents of all submissions received to this consultation on its website. The Department will redact personal data prior to publication. In responding to this consultation, parties should clearly indicate where their responses contain personal information, commercially sensitive information or confidential information which they would not wish to be released under FOI, AIE or otherwise published.

We would like to draw your attention to the Department's Data Privacy Notice which is available on our website and explains how and when we collect personal data, why we do so and how we treat this information. It also explains your rights in relation to the collection of personal information and how you can exercise those rights.