Upcoming changes in cybersecurity environment for PSAPs
New, heightened cybersecurity requirements established by Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union (“NIS 2”) will apply to Essential and Important entities within the EU from 18 October 2024. This directive builds on the earlier NIS 1 directive (Directive (EU) 2016/1148), the first EU law on harmonising cybersecurity efforts and enhancing cooperation among Member States.
While neither NIS 1 nor NIS 2 creates direct obligations for PSAPs, both directives create obligations for some companies that provide important services to PSAPs. Notably, NIS 2 expands the range of companies that have to comply with its cybersecurity requirements to include providers of public electronic communications networks and of publicly available electronic communications services, a sector that is particularly important for PSAP operations. The directive also strengthens reporting requirements for entities already covered by NIS 1, such as cloud computing service providers.
How does NIS 2 improve on NIS 1?
The NIS 1 Directive, adopted in 2016, created two categories of entities that would need to comply with heightened security requirements: operators of essential services and digital service providers. It also required all EU Member States to develop a national strategy on the security of network and information systems, appoint national competent authorities, single points of contact and computer security incident response teams (CSIRTs), and create cooperation networks among Member States.
While NIS 1 was a step in the right direction, it had some drawbacks. These include a lack of detail on what specific cybersecurity measures were required to comply with the directive, and an unclear definition of operators of essential services. This left each Member State to identify these operators in its own way, undermining the directive’s effectiveness. As a result, in addition to expanding the scope of NIS 1, NIS 2 will reduce divergences in the definition of Essential and Important entities and enhance cybersecurity obligations for companies within its scope.
To improve clarity, NIS 2 establishes uniform criteria for essential and important entities and expands the list of sectors of high criticality in Annex I to include new actors involved in the EU’s digital infrastructure. Member States are obliged to establish a list of the essential and important entities in their territory by 17 April 2025 and to notify the Commission of the number of entities identified in each sector.
Essential and important entities will also be subject to stricter cybersecurity requirements compared to NIS 1. In this regard, NIS 2 substantially improves on Chapters IV and V of NIS 1, which required essential entities and digital service providers to take “appropriate and proportionate” measures to manage cyber risks without defining what these measures should include.
In contrast, NIS 2 specifies that these “appropriate and proportionate” measures must be based on an “all-hazards approach” and must cover at least the ten specific measures listed in Article 21(2). These measures include policies on risk analysis and information system security, supply chain security, procedures to assess the effectiveness of cybersecurity risk management measures, and basic cyber hygiene practices and cybersecurity training for staff.
NIS 2 also strengthens significant incident reporting requirements for essential and important entities. While NIS 1 required incidents to be reported without undue delay, NIS 2 (Article 23) clarifies what this means in practice: an early warning within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours, and a final report within one month of the incident notification (or a progress report if the incident is still ongoing at that point).
Supervision and enforcement at Member State level will also be strengthened through new supervisory and enforcement mechanisms, and coordination among Member States will be improved.
How will NIS 2 benefit PSAPs?
The inclusion of providers of public electronic communications networks and services is of particular importance to PSAPs, as Mobile Network Operators (MNOs) will now be obliged to comply with the heightened cybersecurity standards of NIS 2. PSAPs will also benefit from the stronger cybersecurity requirements established in NIS 2 and from the accelerated incident reporting timelines.
It is also notable that while the directive generally applies only to entities that meet or exceed the size threshold for medium-sized enterprises (50 or more employees, or an annual turnover or balance sheet total above EUR 10 million), Article 2(2) brings smaller entities into scope regardless of size in certain cases. Providers of public electronic communications networks or of publicly available electronic communications services are covered regardless of their size (Article 2(2)(a)), as is any entity whose service disruption could have a significant impact on public safety, public security or public health (Article 2(2)(c)). As disruption of the continuity of services by MNOs to PSAPs due to a cyberattack would significantly impact public safety, smaller MNOs therefore also come under the scope of the directive.
A false date of application?
While the NIS 2 Directive will apply from 18 October 2024, it will not directly bind entities in a Member State until it has been transposed into that Member State’s national law. As of September 2024, less than a month before the 17 October 2024 transposition deadline, at least six countries had not yet completed this transposition.
The European Commission has also not yet adopted the secondary legislation it was required to provide by 17 October 2024. Article 21(5) requires the Commission to adopt implementing acts laying down the technical and methodological requirements of the ten Article 21(2) measures for certain categories of digital entities (such as DNS and cloud computing service providers); for other sectors such implementing acts are optional. Without this secondary legislation, and particularly an implementing act providing detailed uniform conditions for the ten measures that “appropriate and proportionate” cybersecurity measures must include, it will be difficult for Member States to transpose this legislation effectively and for entities to comply with its obligations.
Therefore, while NIS 2 will result in stronger cybersecurity rules for the essential infrastructure which PSAPs rely on, it may be some time before these new rules are implemented across Europe.