Securing Europe’s Critical Entities from Cyber Attacks

On 28 October 2021, the Parliament of the European Union (EU) adopted the revised Network and Information Security (NIS) Directive, commonly referred to as NIS-2, which builds on and repeals Directive (EU) 2016/1148 on Security of Network and Information Systems (NIS Directive) (1). The NIS Directive initially implemented in 2016 is the first piece of EU-wide legislation on cybersecurity aimed at providing legal measures to boost the overall level of cybersecurity in the EU and its specific aim was to achieve a high common level of cybersecurity across the member states.

Although the NIS Directive increased the cybersecurity capabilities of member states, its implementation has proved difficult, resulting in fragmentation at different levels across the internal market. As such, the new NIS-2 Directive is designed to update the previous version issued in 2016 by modernizing the existing legal cybersecurity framework to reflect the ongoing digital transformation of society. This transformation has been intensified by the COVID-19 pandemic, which has expanded the threat landscape by bringing about new challenges with potential cascading effects that can negatively impact the delivery of critical services across the whole of the internal market (2). The number of cyber-attacks continues to rise, with increasingly sophisticated attacks coming from a wide range of sources from both within and outside the EU.

The revised NIS-2 Directive has been assigned to the Committee on Industry, Research, and Energy (ITRE), within the European Parliament, and is intended to form one of the baselines for the European cybersecurity framework, as well as act as a central tool in advancing Europe’s strategic autonomy and the Digital Europe Programme (3).

Aims and key changes contained in NIS-2

Scale. In response to the growing threats posed by digitalization and the surge in cyber-attacks, particularly during the COVID-19 pandemic, one of the key changes encapsulated in NIS-2 is the broadening of the scope of the original NIS legislation. NIS-2 significantly increases the number of entities covered by receiving greater clarity as to what constitutes “essential services”. This increased coverage, however, implies that cyber resilience measures will need to be taken at a much larger scale across the European continent due to growing interconnectedness across businesses, rapid digitization, and ubiquitous connectivity across multiple sectors (4). As a collective, more enterprises are becoming systemically important to defend from the risk of cyber-attack.

Governance. The new NIS-2 directive has taken significant steps towards enhancing security governance by making senior managers accountable for cyber resilience. The hope is that this obligation will drive change in a ‘top-down’ approach within organizations. The intention is that cyber resilience must be considered a priority at board and senior management level rather than be confined to the remit of technical teams.

Fines and sanctions. NIS-2 also mandates a more comprehensive set of powers to be conferred on competent authorities in terms of imposing fines and sanctions. The new directive requires EU member states to impose administrative fines for cybersecurity risk management and to report obligations breaches that reach up to €10 million or 2% of total worldwide annual turnover for essential entities (whichever is higher) (5). It is hoped that regulatory fines at this scale that have occurred in other jurisdictions such as with Uber in the United States (US), which was fined US$148 million (€148 million) for a data breach cover up in 2018 (6), and with British Airways in the United Kingdom (UK), which was set a record £183 million (€212 million) fine for infringement of General Data Protection regulation (GDPR) rules for a breach of customer data, also in 2018, will act as a major lever for resilience (7).

Incident response obligations. In a further measure, NIS-2 clarifies what constitutes a “significant impact” on a commercial entity. Under the new guidance, this will no longer constitute a defined metric (number of impacted users) but rather whether there was disruption to critical services, or if a firm incurred financial or material loss (4). In addition, the notification period has been reduced from 72 to 24 hours, with reporting obligations to users of services, and potentially the public, depending on the scale and nature of the attack.

Overall, the NIS-2 Directive seeks to strengthen security requirements, address the security of supply chains, streamline reporting obligations, promote encryption and vulnerability disclosure, introduce more stringent supervisory measures, as well as stricter enforcement requirements, including harmonized sanctions across the EU (8). It is hoped that such measures will promote greater transparency to all parties affected by a potential breach and encourage commercial entities to be more responsible in being cyber resilient, as building a more resilient digital ecosystem is now considered an absolute strategic necessity.

Cyber risk for the lifesciences

Research conducted by Deloitte has found that the pharmaceutical industry is among the most threatened areas for cybercrime globally, a phenomenon that has been further heightened during the COVID-19 pandemic (9). The pharmaceutical industry is built on innovation, comprising all of the characteristics that make it attractive to cyber-attacks, including extensive spend on R&D, highly sensitive intellectual property (IP), a near total reliance on the underpinning technology to efficiently run operations, high income generation as well as trade secrets that also make it a target for industrial espionage. It is estimated that IP can constitute more than 80% of a company’s value, while for smaller organizations this can be close to 100% (10). For the pharmaceutical sector, the consequences of a data breach go beyond just the financial implications of exposed data. It also affects the company’s reputation, diminishes patient and stakeholder trust, and results in operational disruption and potential regulatory fines.

The implications of NIS-2 for the pharmaceutical sector

One of the key changes in NIS-2 is the broadening of the scope of the existing legislation (Table I). In addition to the sectors covered by the existing directive, NIS-2 now includes public administration and manufacturing of certain critical products, such as medical devices. This significant broadening of the scope of the healthcare sector, by including medical device manufacturers, is indicative of the critical nature of healthcare to society and the economy, and the vulnerabilities the industry faces in the aftermath of the COVID-19 crisis. It also means that it is incumbent upon pharma companies to be more proactive in safeguarding their digital assets.

As with the 2016 NIS Directive, micro and small commercial entities are excluded from the scope of the new NIS-2 Directive.

Next steps

The political agreement reached by the European Parliament and the Council is now subject to formal approval by the two co-legislators. Once published in the Official Journal, the new NIS-2 Directive will enter into force 20 days after publication, whereby member states will then need to transpose the new elements of the directive into national law (11). Assuming that the two‑year transposition period remains, the new organizations encapsulated in the broader scope of the legislation will have to be ready to comply with NIS-2 protocols by 2024.

References

1. EC, Directive of the European Parliament and of the Council on Measures for a High Common Level of Cybersecurity Across the Union, Repealing Directive (EU) 2016/1148, Legislation, 16 Dec. 2020.
2. EC, Proposal for Directive on Measures for High Common Level of Cybersecurity Across the Union. Shaping Europe’s Digital Future, Policy and Legislation, 16 Dec. 2020.
3. ECSO, “The European Parliament Adopts the NIS-2 Directive,” Press Release, 28 Oct. 2021.
4. W. Dixon, “What Does the EU’s NIS-2 Cyber Directive Cover?” Computer Weekly, 1 June 2022.
5. C. O’Donoghue, “Cybersecurity 2.0: European Parliament Adopts New Draft Directive,” Technology Law Dispatch, Reed Smith LLP, 20 Jan. 2022.
6. H. Somerville, “Uber to Pay $148 million to Settle Data Breach Cover-up with U.S.,” Reuters, 26 Sep. 2018.
7. Pinsent Masons, “British Airways Faces £183 million GDPR Fine,” Out-Law News, 8 July 2019.
8. European Parliament Think Tank, “The NIS2 Directive: A High Common Level of Cybersecurity in the EU,” Briefing, 16 June 2022.
9. Deloitte, Deal Breaker: Cyber Risk in Life Sciences M&A, Report (2018).
10. E. Mossburg, D. Fancher, and J. Gelinne, “The Hidden Costs of an IP Breach,” Deloitte Review, Issue 19 (2016).
11. EC, “Commission Welcomes Political Agreement on New Rules on Cybersecurity of Network and Information Systems,” Press Release, 13 May 2022.

About the author

Bianca Piachaud-Moustakis is lead writer at Pharmavision, Pharmavision.co.uk.

Article details

Pharmaceutical Technology Europe
Vol. 34, No. 10
October 2022
Pages: 8–9

Citation

When referring to this article, please cite it as B. Piachaud-Moustakis, “Securing Europe’s Critical Entities from Cyber Attacks,” Pharmaceutical Technology Europe 34 (10) 2022.