Directive on European Cybersecurity

The "Directive of the European Parliament and of the Council on measures for a high common level of cybersecurity across the Union" (aka Directive on European Cybersecurity, aka NIS2) is a provisional agreement by the European Council and European Parliament to strengthen EU-wide cybersecurity and resilience.^[1]

Overview

NIS2 amends and replaces the Directive on Security of Network and Information Systems (NIS) enacted in 2016. Member States have to transpose the Directive into national law and directly applicable measures by 18 October 2024. NIS2 imposes cybersecurity measures and reporting obligations to essential and important entities and includes fines. Its scope includes top-level domain name registries and domain name system service providers that are under the jurisdiction of the Member State where they have their EU establishment. If they are not established in the EU but offer services in the Union, they should designate a representative. The Commission must specify the cybersecurity risk management measures and reporting obligations for DNS providers and TLD registries via implementing acts by October 2024. EU Member State laws implementing NIS2 shall require registries and registrars to:

1. collect and maintain accurate and complete domain name registration data in a dedicated database;
2. have policies and procedures, including verification procedures, in place to ensure accurate and complete information;
3. make publicly available the domain name registration data which are not personal data;
4. provide access to specific domain name registration data upon lawful and duly substantiated requests by legitimate access seekers, reply without undue delay and in any event within 72 hours of receipt of any requests for access; and
5. cooperate with each other to avoid duplication of collecting domain name registration data.^[2]

Objectives

The NIS2 proposal has three objectives:^[3]

• Increase the level of cyber-resilience of businesses operating in the European Union across all public and private entities across the internal market.

The proposal extends the scope of the original NIS directive by adding new sectors such as telecoms, social media platforms, and public administration; establishes that all medium-sized and large entities active in these sectors have to comply with the security rules put forward in the proposal; and removes the possibility for Member States to tailor the requirements in certain cases which had fragmented NIS1 implementation. It removes the distinction made between online marketplaces, search engines, and cloud service providers. It addresses the cybersecurity of the ICT supply chain, especially the IoT).

• Reduce inconsistencies in resilience across the internal market by further aligning the de facto scope, security and incident reporting requirements, the provisions governing national supervision and enforcement, and Member State authorities' capabilities.

The proposal includes seven elements that all companies must address or implement such as incident response, supply chain security, encryption, and vulnerability disclosure. The proposal describes a two-stage approach for incident reporting: up to 24 hours from when an affected company first becomes aware of an incident, it must submit an initial report and up to a month to submit a final report. It establishes a minimum list of administrative sanctions whenever entities breach the rules for cybersecurity risk management or reporting obligations. The sanctions have binding instructions, an order to implement the recommendations of a security audit, an order to bring security measures into line with NIS requirements, and administrative fines (up to €10 million or 2 % of the entities' total turnover worldwide, whichever is higher).

• Improve joint situational awareness and the collective capability to prepare and respond, by increasing the level of trust between competent authorities, sharing more information, and setting rules and procedures for a large-scale incident or crisis.

The proposal introduces clear responsibilities, appropriate planning, and more EU cooperation. It establishes an EU crisis management framework that requires Member States to adopt a plan and designate national authorities to participate in response to cybersecurity incidents and crises at the EU level and establishes a EUCyber Crises Liaison Organisation Network ("EU-CyCLONe") to support crisis management coordination and ensure the regular exchange of information. It strengthens the NIS Cooperation Group's decision-making role. It requires Member States to adopt a national cybersecurity strategy and to designate national authorities for compliance with the directive and CSIRTs for incident notifications and single-point-of-contact liaisons with other Member States.

Hot Topics

At ICANN 74, IPC held a member session during which Niklas Lagergren, based in Brussels, gave a presentation explaining NIS2 and focused on the following topics of interest to ICANN.^[4]

Article 23

Article 23 of NIS2 is dedicated to WHOIS and includes not only registries but also registrars, agents acting on behalf of registrars, privacy proxy registration services, and domain resellers. It has five pillars:

1. member states should require registrars to run WHOIS databases for the purpose of ensuring the security, stability, and resilience of the domain name system in accordance with EU law regarding personal data.
2. data should be collected and maintained in a database in order to be able to contact the holder of a domain name (the name of the domain, the registration date, the registrant's name, the email address, the phone number or for admin contacts)
3. procedures should be put in place to ensure completeness and accuracy, including specific verification procedures
4. the making available of the WHOIS data should be done without undue delay after registration, at least when it comes to what is not personal data.
5. access should be granted to legitimate access-seekers within 72 hours, and for this purpose, specific policies and procedures should be put in place. It cannot be an arbitrary procedure; it has to be based on necessity.

Recital 62

• Legal persons are out of the GDPR scope. the GDPR rules apply to private persons but not to legal persons where the whole set of data should be accessible.

Recital 59

• It is not just a matter of registrars processing data for WHOIS purposes if they so wish. It's an obligation to do so, which falls under Article 61 of the GDPR.

Recital 60

• Legitimate access-seekers include law enforcement authorities. However, it is not limited to law enforcement, Access-seekers should provide a statement of reasons for why it is seeking access to

facilitate the assessment.^[5]

Positions

In March 2019, ICANN Organization first responded to the proposed NIS2 language. Its positions were that:

1. NIS2’s scope of application to DNS service providers is overly broad
   • reconsider the qualification of different DNS service providers as essential entities
   • implement threshold criteria for DNS service providers to qualify as essential or important entities
   • distinguish between providers of authoritative domain name resolution services and providers of recursive domain name resolution services
2. Article 23 requirements should be clarified and use ICANN's consensus policy requirements for gTLD registrars and registry operators to collect a specific set of registration data elements to close some of the gaps identified in Art. 23 NIS2 Directive^[6]

On May 9, 2021, CENTR argued that Article 23 should: include a clear purpose limitation to the data accuracy obligation, to align with the data accuracy principle in Article 5 of the GDPR; include a legal basis for any collected “relevant information to identify and contact the holders of the domain names” that is strictly necessary and proportionate; omit the vague notion of "complete"; limit legitimate access seekers to national authorities, as designated by Member States under their national cybersecurity strategies, provided the legal basis satisfies the conditions of the GDPR.^[7]

References