What next for cyber security in Bulgaria? The implementation of the NIS2 Directive

Instead of an introduction


The so-called NIS2 Directive is DIRECTIVE (EU) 2022/2555 of the European Parliament and of the Council of 14.12.2022 on measures for a high common level of cybersecurity in the Union. This is in fact the updated version of Directive (EU) 2016/1148 adopted in 2016 (Network and Information Security Directive – NIS). The new directive was adopted after the EU acknowledged that the first one had achieved significant results, but was no longer effective enough. Among the achievements of the NIS Directive is the fact that it has contributed to a significant improvement of cybersecurity at national level in the EU and, as a result of its implementation, Member States have adopted national cybersecurity strategies and have designated competent authorities.

There have also been positive results in terms of the improved cyber resilience of public and private sector entities in 7 sectors, as well as within several digital services such as online marketplaces, online search engines and cloud computing services. Certain obligations have been put in place for providers, including the obligation to report incidents. As a result of the Directive's application, cooperation between EU countries has been strengthened, albeit insufficiently.

Despite these achievements, the assessment of the scope of the NIS Directive is that, due to the undeniable increase in digitalization, the number of sectors affected now goes well beyond the previously included energy, transport, banking, financial market infrastructures, healthcare, drinking water supply and distribution, and digital infrastructures. On the other hand, the directive in practice allowed key service providers to avoid implementing security measures and incident reporting. It has also given considerable freedom to Member States, which has led to significant differences in both the incident reporting regime and the supervision and sanctions imposed.

These and a number of other reasons led to the adoption of the new directive, which sets quite ambitious cybersecurity goals. It aims to improve the overall cybersecurity situation in the Union by extending the range of sectors covered by its rules, as well as by introducing stricter incident reporting requirements and higher physical and cyber security standards. Countries are required to have their own strategies, designated competent authorities, single points of contact and established incident response teams. Each Member State is obliged to put in place obligations for the relevant entities concerning cyber security management and cyber incident management and reporting.

It can be said that the changes go in two directions: broadening the scope in terms of obliged entities, and introducing enhanced obligations for them.

When are the changes supposed to take place?

The Directive requires each country to transpose it by 17 October 2024. Therefore, the logical expectation is for the changes to take effect on that date. However, this is not quite the case, or rather not at all. In the case of a directive, legal and natural persons become obligated only from the moment of its transposition. Although an Act to amend and supplement the Cyber Security Act has been tabled in Parliament, Bulgaria has not yet transposed the Directive. This means that no obligations for companies have arisen yet. Judging by the draft law that has been tabled, it will not be the last step in implementing the new requirements. Once it enters into force, the deadline will begin to run for the Council of Ministers to adopt a new regulation further governing this area. That regulation will determine, for example, the procedure for accessing, storing and managing the register in which the entities subject to the new obligations will be entered. Also as of the entry into force of the law, the deadline will begin to run for the Council of Ministers to issue a decision determining which administrative bodies will have sectoral teams for responding to computer security incidents. In other words, there are no obligations for companies yet, but the law will probably be one of the first to be adopted by the new National Assembly, so that Bulgaria is not penalized for its delay in introducing the new rules.

Who are the new obliged entities?

The Directive considerably expands the range of entities for which States are obliged to lay down new requirements and divides them into two categories: essential and significant. The new requirements also differ between the two types of entities. Essential entities are those belonging to the following sectors: energy; transport; banking; financial market infrastructure; healthcare; drinking water; wastewater; digital infrastructure; public administration; space. Significant entities, in turn, are those in the sectors of postal and courier services; waste management; manufacture and distribution of chemicals; food production, processing and distribution; manufacturing; and digital providers.

In addition to the field of activity, the Directive also differentiates on the basis of the size of the undertaking. Micro and small enterprises are excluded from the scope of the new rules. However, this does not apply to providers of electronic communications networks or publicly available electronic communications services, certification service providers, top-level domain name registries and public administrations, or to certain other entities, such as the sole provider of a service in a Member State. The latter groups are in any case covered by the changes. It is important to point out that the guiding principle will be the activity actually carried out, and not simply the activity declared by the company concerned. Detailed rules in this respect are expected to be adopted in secondary legislation. Member States have until 17 April 2025 to list the relevant entities, and the list is subject to review and update every two years. The draft submitted to the National Assembly foresees that in Bulgaria this list will take the form of a non-public register managed by the Minister of e-Government.

What next for the countries?

Member States must adopt a national cybersecurity strategy setting out strategic objectives and appropriate policy measures, as well as appropriate regulatory measures to achieve and maintain a high level of cybersecurity. They are also required to establish a framework for coordinated vulnerability disclosure and to designate Computer Security Incident Response Teams (CSIRTs). National legislation must establish a national competent authority for the management of large-scale incidents and crises, as well as a national single point of contact for cyber security that will ensure cross-border cooperation. At supranational level, a Cooperation Group and a network of the national CSIRTs will also be established. The European Commission, for its part, will have to establish a peer review system through which the effectiveness of Member States' cybersecurity policies will be regularly assessed. If the draft proposed in the National Assembly is adopted, the national competent authority for all administrative bodies in Bulgaria will be the Ministry of e-Government, where a National Single Point of Contact will be established. It will also have a national incident response team and an inter-agency group. There will also be a Cybersecurity Council responsible for managing large-scale cyber incidents and crises.

What will come next for companies?

The Directive requires Member States to ensure that the management bodies of all obliged entities approve the cybersecurity risk management measures taken by the entity concerned and undergo specific training. Each obliged entity will be required to take appropriate and proportionate technical and organizational measures to manage the cyber security risks to its networks and information systems. Entities will also have to notify the national competent authority or CSIRT of any cybersecurity incident that has a significant impact on the service they provide. Under certain conditions, the recipients of their services will also have to be notified.

They will also be required to be able to participate freely in cybersecurity-related information sharing. All other companies will be able to voluntarily report significant incidents, cyber threats or near-miss situations.

How will compliance be monitored?

One of the differences in the rules for the two groups of obliged entities is the form of supervision. A preliminary (ex ante) supervision regime will be introduced for essential entities and a subsequent (ex post) supervision regime for significant entities. The former will be inspected in all circumstances, the latter only when there is evidence or an indication that they are not complying with the security and incident reporting requirements.

In essence, supervision will consist in the power of the supervisory bodies, primarily the Ministry of e-Government, to carry out on-site or remote inspections as well as targeted security audits. Security checks will also be carried out on the basis of objective, non-discriminatory, fair and transparent risk assessment criteria. Competent authorities will also be able to request the information needed to assess cybersecurity risk management measures, as well as access to data, documents and any other information. Companies will also have to provide them with evidence of the implementation of their cybersecurity policies.

When it comes to supervision (and also to mandatory registration), it is important to clarify that entities are generally considered to fall under the jurisdiction of the Member State in which they provide their services. However, certain types of entities (DNS service providers, top-level domain name registries, cloud computing service providers, certain digital content providers, etc.) are considered to fall under the jurisdiction of the Member State in which their main establishment in the Union is located. In the case of cross-border provision of services, the countries concerned will cooperate or provide mutual assistance.

If violations are detected as a result of supervision, penalties may be imposed both on the legal entities themselves and on their individual managers, depending on the type of violation. For "essential entities", financial penalties could reach up to 2% of annual turnover, and for "significant entities" up to 1.4% of annual turnover. If the annual turnover is small, the upper limit is raised to BGN 20 million for essential and BGN 14 million for significant entities. The proposed law also envisages a lower limit of BGN 50,000 and BGN 25,000 respectively. Fines ranging from BGN 1,000 to BGN 10,000 could be imposed on the heads of administrative bodies and on the managers or members of the management boards of essential and significant entities. This would happen if they have not complied with the obligation to approve the relevant measures, to undergo the required training (which must take place no less frequently than every two years), or to organize the training foreseen for their employees.

How to avoid sanctions?

There are several practical steps for implementing the requirements of the Directive (once they are transposed) in order to avoid possible sanctions. First, each obliged entity should carefully review all of its existing cybersecurity measures and procedures in order to accurately assess compliance with the new requirements. To determine which measures are appropriate for a given entity, the results of coordinated security risk assessments of critical supply chains must be taken into account. Policies and procedures already in place need to be aligned with the Directive or, where absent, established. Provision should be made for initial and subsequent (every two years) training of the management body, and for periodic training and knowledge updates for employees. In addition to introducing written policies and procedures, it is also necessary to implement modern cyber security solutions for reporting incidents and ensuring transparency and, of course, to develop an incident response plan.

Atty. Hristo Koparanov