Under the NIS-Act, providers of essential services and digital services are subject to certain security and reporting requirements. The preamble of the underlying NIS-Directive states that one reason for this distinction between essential services and digital services is that the degree of risk is in practice higher for the former, which is why the security requirements for providers of the latter should be less stringent. The NIS2-Directive abolishes this distinction, as it is now considered obsolete and no longer reflects the importance of these sectors and services for societal and economic activities in the EU internal market. Instead, the new Directive distinguishes two main categories of entities: essential entities and important entities. We set out the definitions of these terms in the next section.
The NIS2-Directive introduces the following important changes:
(i) Relevant entities are now automatically covered by the rules. It is no longer a prerequisite that Member States identify them. According to the preamble of the NIS2-Directive, the purpose of this amendment is to eliminate the large differences in how Member States have fulfilled the obligation to identify the entities concerned, thereby ensuring legal certainty with regard to the cybersecurity risk-management measures and reporting obligations of all relevant entities.
(ii) The regulatory framework now covers a larger number of sectors and entities. For example, the digital infrastructure sector now includes providers of data centre services and content delivery networks. Further, providers of trust services, public electronic communications networks and publicly available electronic communications services are now covered. There is also a new sector for ICT service management (business-to-business). An ICT service is defined as a service consisting fully or mainly in the transmission, storage, retrieval or processing of information by means of network and information systems. In this sector, managed service providers and managed security service providers are covered. Under the NIS2-Directive, these service providers are defined as follows:
"Managed service provider" means an entity that provides services related to the installation, management, operation or maintenance of ICT products, networks, infrastructure, applications or any other network and information systems, via assistance or active administration carried out either on customers’ premises or remotely.
"Managed security service provider" means a managed service provider that carries out or provides assistance for activities relating to cybersecurity risk-management.
However, a prerequisite for the above-mentioned entities to be subject to the obligations under the NIS2-Directive is that they qualify as essential or important entities (explained below).
(iii) The regulatory framework now sets out a list of minimum requirements specifying which cybersecurity risk-management measures essential and important entities must take. The contents of these minimum requirements are considered below.
(iv) Supervisory authorities now have the power to impose significantly higher administrative fines for non-compliance with the rules. For example, for essential entities the maximum amount is increased from SEK 10 million (under the NIS-Act) to the equivalent of EUR 10 million or 2% of total worldwide annual turnover in the preceding financial year, whichever is higher. The corresponding ceiling for important entities is EUR 7 million or 1.4% of total worldwide annual turnover, whichever is higher.