Marta Moreira Dias
.PT Board of Directors
NIS and NIS2: what will change. Cybersecurity in the sights of the EU legislator
We start from a common ambitious horizon: a more secure, stronger and resilient Europe in terms of cybersecurity. In a purely holistic view, I would say this is the essence of both pieces of legislation.

The idea of generalized mobilization of member states for the preparation and implementation of national cybersecurity strategies, based on principles of strong collaboration from a national and international point of view, and the perception that security matters should have a transnational approach and a broad sectoral horizontality, are common bases of two instruments from a community source that are seven years apart, and are part of an already long legislative pipeline of regulation of the European digital space.

The NIS Directive, transposed at national level by Law 46/2018, had the undeniable merit of drawing attention to the impact of, and the need to address, the security of network and information systems, reinforcing their normative dignity. With this, a path was started to change mentalities - where everything starts - followed by a timid, but also costly, reinforcement of internal infrastructures, training of teams, implementation of security operation centers - of which the PTSOC is an example -, and the creation of cooperation groups and networks of national computer security incident response teams (CERTs, CSIRTs, etc.).

Between 2016 and 2023, taking into account the challenges we have all been and continue to be subjected to, cybersecurity attacks increased exponentially in volume, sophistication and impact; the resilience and preparation of people, companies and the State proved to be insufficient, with their flaws being easily exploited. Adding to it is the lack of a common, dialoguing and effective strategy to respond to this war. Today, the stage of evolution, the expectations and the impact are diverse. We are all several steps up. There is a learning curve that must be observed and understood. This is, in short, the major challenge the NIS 2 wants to address.

We start by identifying where both directives intersect, understanding the rationale behind the process which presided over the revision of the NIS, and which resulted in the publication of the NIS 2. Let us now look at those which are the most striking changes between both diplomas, especially under the lens of the .pt top level domain name registry.

Five major changes are immediately identified: broadening of the subjective scope of application, particularly at sectoral level; risk management-oriented approach, focusing on prevention and mitigation, thus going beyond purely reactive measures (accompanied by new reporting obligations); responsibility of the management bodies of companies and organizations; strengthening of the role of collaboration; and, finally, under the inspirational mantle of the GDPR, a clear definition of a heavy administrative offence framework.

Broadening the scope and sectors covered by NIS 2 implies that more organizations will have to formally address and deal with the topic of cybersecurity, and a distinction is made between "essential entities" and "important entities". Beyond the semantic issue, the differences between the two categories are residual. We highlight the fact that, for the former, supervision may be performed ex ante (preventively) and ex post (after verification of an incident). For the important entities, supervision will only be done ex post.

The .PT, today qualified in the light of the NIS, and subsequently of Law no. 46/2018, as operator of essential services will assume the nature of an essential entity. This categorization is accompanied by another, equally new one, that of "critical sectors" and "other critical sectors". The classification of an entity in one of these sectors is independent of its qualification as an essential or important entity.

The .PT, as a Top Level Domain Name (TLD) registry, will be framed as a critical sector integrated in the digital infrastructures. Focusing on the TLDs and their registrars, new obligations gain normative echo. We refer specifically to those arising from the management of the WHOIS database, an important tool especially for criminal investigation actions and, therefore, capable of contributing to the so-called high common level of cybersecurity throughout the EU. Here emerge burdensome obligations to collect, verify, monitor and provide contacts associated with domain name holders, which, on critical analysis, go against the rules of proportionality and data minimization that emerge as basic principles of the GDPR.

The NIS 2 extends its territorial scope of application to entities that are not based in Europe but provide their services in this circumscription. If, once again, we see European TLDs falling into an increased mesh of rules that are not common to the other more than 1,000 entities that compete with them on a daily basis, at least this safeguard seems to mitigate, even if residually, that same imbalance.

Prioritising cybersecurity at the level of leadership is another innovation vector of the NIS 2. An example of this is top management’s accountability for identified non-conformities regarding the adoption of cybersecurity risk management measures and the obligation to provide training and capacity building in the area.

We hope that the NIS 2, and especially its transposition into national legislation, becomes an instrument that generates more confidence and legal security for citizens, companies and organisations in general; that has the virtue of controlling this escalation that, every day, pinches the security of our networks and systems, and that seems to highly inhibit innovation, the free movement of data and ideas and enhance a fragmented internet.

The new regulatory framework seems to have fewer rules than the NIS, but is there really a simplification in the rules? 

The NIS 2 clearly strengthens the standard of measures applicable to cybersecurity and that were already crystallized at the national level in two central pieces of legislation, Law No. 46/2018, of 13 August, which establishes the legal regime for cyberspace security, and Decree Law No. 65/2021, which regulates the Legal Regime for Cyberspace Security and defines the obligations on cybersecurity certification in implementation of Regulation (EU) 2019/881 of the European Parliament.

In parallel, and in addition to various separate legislation, there are guidelines and best practices issued from various sources, such as, for example, the recent "Technical Guideline: Security Measures for Top-Level-Domain Name Registries" by the NIS Cooperation Group, various recommendations issued by ENISA and, within borders, the CNPD's Guideline/2023/1 under the GDPR "On organizational and security measures applicable to the processing of personal data", as well as the technical guides and recommendations produced by the National Center for Cybersecurity.

We are clearly not in a situation of legal vacuum, in a no man's land, where a new or diametrically opposed regulatory framework would be imposed.

The consultation conducted with the NIS Member States revealed, in the words of the EU legislator, "intrinsic weaknesses that prevent it from responding effectively to current and emerging cybersecurity challenges". If we bear in mind that cyberspace, besides its transnational nature, capable of challenging any principle of territoriality or national sovereignty, is a dynamic reality, increasingly complex and constantly changing, we can easily understand the difficulty of creating a legislative structure with fewer and simpler rules. In truth, our reservations are attenuated when we verify that there was a concern to, for example, simplify the communication of information and adopt automatic and direct communication mechanisms, or to promote the use of open source tools, which tend to facilitate interoperability between security tools, or to stimulate cooperation to, for example, facilitate the coordinated disclosure of vulnerabilities, optimizing time and resources.

Under a more detailed analysis, we have reached a point of no return where the goal of promoting a more secure, open and resilient cyberspace has literally collided with an exhaustive and disproportionate range of obligations that are anything but simple.

Let us look at two specific cases that are part of the domain registration ecosystem: the TLDs - for example, the .pt - and the DNS service providers - for example, a registrar. In addition to strict compliance with the new cybersecurity risk management measures typified in Article 21, the Commission must, by October 17, 2024, adopt implementing acts establishing the technical and methodological requirements associated with them, which should also be subject to strict compliance. But it is reiterated, especially for TLDs, that the path has not been one of simplification. However, and in truth, the obligations that now derive from Article 28 [on the domain name registration database] resulted from a long and highly debated negotiation process.

Let us not forget the Opinion of the European Data Protection Supervisor on this article, very much in line with the position of European registries materialised in CENTR’s public comment which alerted to the importance of the clarification of concepts such as ‘relevant information’ and ‘lawful and duly justified’ request and, above all, to the fact that the GDPR, per se, already grants due protection to personal data, namely those processed in the WHOIS. 

The NIS 2 brought additional obligations for TLDs and registrars to collect and maintain accurate and complete domain name registration data in a dedicated database with due diligence and in compliance with EU data protection law. This data processing constitutes a legal obligation within the meaning of the GDPR. But the EU legislator has gone further and even listed the types of data that must be processed - far beyond what happens today - requiring TLDs to have verification policies and procedures in place, as well as rapid mechanisms to make information requested in this context available without undue delay and, in any case, within 72 hours of receiving access requests.

Fewer rules and more simplification? The peremptory answer from a TLD can only be one: no.

How to anticipate the application of NIS 2 in Portugal, what are the potential problems and challenges?

For the NIS 2 directive to take effect at a national level, Portugal must adopt a law to transpose it, which must happen by October 17, 2024. As a rule, directives only take effect after their transposition.

However, and therefore anticipating possible delays in internal legislative procedures, the Court of Justice of the European Union has been considering that a directive that has not been transposed may have direct effect in the internal legal order.

Under this assumption, and similarly to what happened with the transposition of the NIS, we will have to wait for the national legislator's options for harmonization and hope that the transposition process itself is already inspired by the principle of inter-institutional collaboration so emphasized in the articles of the Directive itself.

It is also the State's responsibility, in the very letter of the Directive itself, to "safeguard the functionality and integrity of the Internet and promote the security and resilience of the DNS", to ensure that the relevant stakeholders, namely the EU private sector entities, are encouraged to adopt a strategy of diversifying the resolution of the DNS, as well as a European, public and secure DNS resolution service. This is obviously a matter close to the .PT's heart.

The NIS 2 also entrusts the national legislator to set up a system providing for effective, proportionate and dissuasive sanctions, for example, in cases of serious infringements.

The current National Strategy for Cyberspace Security (2019-2023) will also need to be revisited in order to, inter alia, strengthen policies promoting active cyber protection as part of a broader defensive strategy and to rethink effective policies to respond to the increase in ransomware attacks. Also in this field, actions to be developed and implemented at national level are identified.

An interesting figure brought by the NIS 2 into the area of cybersecurity is the creation of public-private partnerships (PPP) to exchange knowledge, alerts, exercises on cyberthreats and incidents, crisis management and sharing of best practices.

Another major challenge will be to ensure that people, companies and the state are adequately equipped, in terms of technical and organisational capacity, to prevent, detect, address and mitigate incidents and risks. Alongside a reinforced technical infrastructure, there should always be a team duly trained and prepared to mitigate and treat, and above all, to prevent and anticipate the growing sophistication of cyberthreats. All this comes at a cost and will have a serious impact on the budgets of the entities covered. The anticipated framework of administrative offences and the level and impact of the responsibility of management bodies will probably lead to the demand for civil liability insurance in the area of cybersecurity.

Many other challenges lie ahead. I would like to mention one last challenge, which has to do with enforcement, specifically the importance of defining effective mechanisms and competencies, accompanied by the necessary resources to control and monitor the application of the law, good practices and guidelines that derive from the NIS 2.

In short, challenges rather than problems are anticipated. I am confident that the new legal framework, complete with the transposition of the NIS 2, may contribute decisively to a more secure, open and resilient cyberspace. As a representative of .PT, which by its legal nature will be strongly impacted by the new rules and obligations of the NIS 2, I am left with a feeling of expectation, together with a high commitment and sense of responsibility.

Please note: the articles on this blog may not convey the opinion of .PT, but of its author.