Automotive Sector Within the Scope of Planned NIS II Cybersecurity Rules
Eszter Sieber-Fazakas L.L.M., Attorney (admitted in Hungary and Germany), Noerr and Partners Law Firm; dr. Ildikó Angeli L.L.M., Attorney, Noerr and Partners Law Firm
The current EU cybersecurity directive (Directive on Security of Network and Information Systems, or NIS I) has been revised by the Commission, as outlined in the directive itself, to make “Europe fit for the digital age.”
As part of that process, a consultation was initiated in mid-2020 on the review of the NIS Directive. The outcome of this was a new legislative proposal on cybersecurity (NIS II) issued at the end of 2020. As part of the review, the impact of NIS II was also assessed and received a positive opinion from the Regulatory Scrutiny Board (RSB).
Scope, Entry into Force
The proposed NIS II Directive brings new sectors within its scope and distinguishes between operators of (i) essential and (ii) important services. Automotive manufacturers (OEMs and suppliers), as operators of important services, are certainly within the scope of NIS II as long as they are not micro- or small enterprises, a size that is uncommon among automakers.
Automotive manufacturers may also qualify as operators of essential services if they run Intelligent Transport Systems, that is, systems in which information and communication technologies are applied in road transport, including infrastructure, vehicles and users, in traffic management and mobility management, and in interfaces with other modes of transportation.
Once the NIS II Directive comes into force, the member states must transpose it into national law within 18 months. The date from which the corresponding national laws must be applied is not outlined in the proposal for the directive.
The NIS II ensures minimum harmonization, i.e., EU member states may adopt provisions guaranteeing a higher level of cybersecurity.
The NIS II Directive introduces two regulatory regimes: one for operators of essential services and another for operators of important services. For operators of important services, the competent authorities will apply ex-post supervisory measures, whereas operators of essential services must obtain authorization upfront. Further, in the case of operators of essential services, the authorities have broader powers when enforcing their decisions.
The proposed directive takes a risk management perspective. It therefore specifies a list of measures to be taken into account by all service providers within the directive’s scope: risk analysis and information system security policies, incident handling, business continuity and crisis management, supply chain security, security of network and information systems, policies and procedures to assess the effectiveness of cybersecurity risk management measures, and the use of cryptography and encryption. It also includes precise rules on incident handling.
NIS II aims to strengthen cybersecurity in the supply chain at a European level. In this regard, the member states, the European Commission, and the European Union Agency for Cybersecurity (ENISA) will carry out a coordinated risk assessment of essential information and communication technologies.
The national authorities will have more stringent supervisory rules. The enforcement requirements will also be stricter, and the directive aims to harmonize the sanction regimes of the EU member states.
Regarding sanctions, fines may be imposed up to a maximum of at least EUR 10 million or up to 2% of the undertaking’s total worldwide annual turnover in the preceding financial year, whichever is higher. The role of the Cooperation Group will also be strengthened by increasing information sharing between member states. A new organ of the European Union, an EU registry, will be introduced and operated by ENISA.
This article was first published in the Budapest Business Journal print issue of May 21, 2021.