Automotive Sector Within the Scope of Planned NIS II Cybersecurity Rules

As part of that process, a consultation was initiated in mid-2020 on the review of the NIS Directive. The outcome of this was a new legislative proposal on cybersecurity (NIS II) issued at the end of 2020. As part of the review, the impact of NIS II was also assessed and received a positive opinion from the Regulatory Scrutiny Board (RSB).

Scope, Entry into Force

The proposed NIS II Directive brings new sectors within its scope and differentiates between operators of (i) essential and (ii) important services. Automotive manufacturers (OEMs and suppliers), as operators of important service providers, are certainly within the scope of NIS II, as long as they are not micro- or small enterprises; this size is not common among automakers.

Automotive manufacturers may also qualify as operators of essential services if they run Intelligent Transport Systems. This means systems in which information and communication technologies are applied in road transport, including infrastructure, vehicles and users, and in traffic management and mobility management, as well as for interfaces with other modes of transportation.

Once the NIS II Directive comes into force, the member states must transpose it into national law within 18 months. The date from which the corresponding national laws must be applied is not outlined in the proposal for the directive.

The NIS II ensures minimum harmonization, i.e., EU member states may adopt provisions guaranteeing a higher level of cybersecurity.

Main Changes

The NIS II Directive introduces two regulatory regimes; one for operators of essential services and another for operators of important services. In the latter case, the competent authorities will apply ex-post supervisory measures, while in the case of the former, authorization has to be obtained upfront. Further, in the case of operators of essential services, the authorities have broader powers when enforcing their decisions.

The proposed directive takes a risk management perspective. Therefore, it specifies a list to be taken into account by all service providers within the directive’s scope. This includes risk analysis and information system security policies, incident handling, business continuity and crisis management, supply chain security, security of network and information systems, policies and procedures to assess the effectiveness of cybersecurity risk management measures, and the use of cryptography and encryption. It also includes precise rules on incident handling.

NIS II aims to strengthen cybersecurity in the supply chain at a European level. In this regard, the member states, the European Commission, and the European Union Agency for Cybersecurity (ENISA) will carry out a coordinated risk assessment of essential information and communication technologies.

The national authorities will have more stringent supervisory rules. The enforcement requirements will also be stricter, and the directive aims to harmonize sanction regimes in the EU member states.

Regarding sanctions, there is the option of imposing fines up to a maximum of at least EUR 10 million or up to 2% of the total worldwide annual turnover of the undertaking in the preceding financial year, whichever is higher. The role of the cooperation group will also be strengthened by increasing information sharing between member states. A new organ of the European Union, an EU registry, will be introduced and operated by ENISA.

This article was first published in the Budapest Business Journal print issue of  May 21, 2021.