The approval on 13 May by the European Council and Parliament of a near-final draft Directive on European Cybersecurity (NIS2) brings the world’s most far-reaching cyber regime closer to realization. What is generally unknown, however, is the broad scope and global extraterritorial jurisdiction reach of the Directive. It applies to almost every online service and network capability that exists as infrastructure or “offered” anywhere in Europe. It is perhaps the most aggressive exercise of subject matter and extraterritorial jurisdiction seen in recent times. How it is accomplished will be not only a challenge for the EU, but also affect global network provisioning and shape international law.

The draft legislation is formally known as the “Directive of the European Parliament and of the Council on measures for a high common level of cybersecurity across the Union.” The NIS2 instrument itself consists of two parts—43 Articles containing the provisions and two annexes containing a list of those entities subject to the provisions—with an array of nine other EU instruments incorporated by reference. Together, the ensemble is referred to as NIS2 because it replaces an earlier draft developed in 2016. The objective is “ensuring a high common level of cybersecurity within the Union.” For this purpose, NIS2 establishes: 1) obligations on Member States to adopt national cybersecurity strategies, and designate national authorities, single points of contact and CSIRTs; 2) cybersecurity risk management and reporting obligations for provider entities; and 3) rules and obligations on cybersecurity information sharing.

The various components of this ambitious regime are slated to come into force between one and two years after adoption and require an array of ambitious actions by all Member States and entity providers that are facilitated through the European Union Agency for Cybersecurity (ENISA). NIS2 also mandates extensive supervision and enforcement measures together with penalties for non-compliance. The list of required measures taken against provider entities is extensive, relatively intrusive, and highly detailed—spanning nearly five pages. The potential fines are significant—“at least 4 million Euros for a legal person,” or 2% of the annual worldwide turnover per year.

In addition to all the other cybersecurity mechanisms, Art. 21 of NIS2 also enables potential normative requirements for “entities to use particular ICT products, services and processes certified under specific European cybersecurity certification schemes adopted pursuant to [the 2019 EU certification regulation].” These certification requirements and processes would be established through further legislation and regulatory processes. Similarly, Art. 22 of NIS2 “encourage[s] the use of European or internationally accepted standards and specifications relevant to the security of network and information systems” and mandates that ENISA, in collaboration with Member States, draw up advice and guidelines implementing these standards, as well as EU Member national standards.

There are two linked jurisdictional components to the exercise of NIS2 authority over providers and the Member States—entity subject-matter and territorial. Noteworthy is the establishment of global extraterritorial jurisdiction.

Entity Subject-matter jurisdiction

NIS2 exercises entity subject-matter jurisdiction through: 1) a complex mix of service enumeration “sectors” found in two entity annexes combined with 2) definitions in NIS2, 3) definitions and constraints, and 4) exclusions of certain types of services and providers. The complete ensemble of provisions is spread across the NIS2 draft and nine other EU legal instruments.

The legislation was accomplished via a lengthy EU political process involving rapidly evolving technologies and service offerings that can lead to a certain lack of coherency and consistency. The result is a kind of odd, extraordinarily complex entity subject matter jurisdiction gerrymandering which in a world of increasingly virtualized NFV orchestrated network architectures and services will be ever more challenging to implement by EU authorities and Member States.

In addition, because the provisions are implemented through “transposition” into national law of Member States, significant variants may ultimately emerge. The “recitals” that preface the many EU instruments constituting NIS2 are intended to provide implementation guidance for consistency.

The service sector entities enumerated in Annex I include a number of physical system infrastructures having digital network components such as energy, transport, banking, financial market, health, drinking water, waste water, public administration and space. Also included are two sectors that are called infrastructures but, in fact, consist of an inchoate mix of “providers” of online “services.” These two sectors include providers of: internet exchange points, DNS service, DNS TLD name registries, cloud computing service data center service, content delivery, trust service, public electronic communications networks or electronic communications services, managed B2B service providers and managed security service providers. The term “services” itself has its own complex definitions and exclusions in a separate Services Directive.

Annex II then enumerates still more sectors and entities that include: postal/courier services, waste management, chemicals, food and manufacturing of an array of different products. Annex II notably adds three additional online service providers: online marketplaces, online search engines and social networking.

The two significant broad exclusions in NIS2 include: 1) all national government entities that governmental activities outside the scope of Union law, and 2) public or private entities that qualify as micro, small or medium enterprises (SME) are excluded from some of the sector obligations. A SME any entity employing fewer than 250 people and an annual turnover not exceeding 43 million Euros. For small, the numbers are 50 people and 10 million Euros, and for micro, 10 persons and 2 million Euros.

There are additionally other exclusions in referenced EU instruments. The most notable are those in the Service Directive and exclude services “not provided via electronic processing/inventory systems” and those “not supplied at the individual request of a recipient of services.” Voice telephony and fax services are expressly excluded, as are broadcast television and radio.

The introduction to the latest NIS2 proposal noted that the significantly expanded scope of the Directive covering entity offerings was the “main concern” of Member States. The current resulting text is a compromise proposal that was supposed to be responsive to that concern.

While it is relatively clear that some kinds of ICT services offered by diverse providers are included under NIS2, there are many that remain unclear. The complexities of weaving together so many provisions of ten different EU instruments with their various definitions, annexes, exclusions, and recitals—not to mention the real-world technological, operational, and business aspects—create a large number of fuzzy boundaries that will be tested over time.

Territorial jurisdiction

The extraterritorial jurisdiction feature of NIS2 is arguably the most aggressive and far-reaching international telecommunication law action taken in recent times. Art. 24 of the Directive is devoted to jurisdiction and territoriality, and paragraph 3 deals with extraterritoriality.

3. If an entity [within the subject-matter jurisdiction] is not established in the Union but offers services within the Union, it shall designate a representative in the Union. The representative shall be established in one of those Member States where the services are offered. Such entity shall be deemed to be under the jurisdiction of the Member State where the representative is established. In the absence of a designated representative within the Union under this Article, any Member State in which the entity provides services may take legal actions against the entity for non-compliance with the obligations under this Directive.

The introduction to the latest NIS2 Directive Proposal notes that Member States “expressed concerns with the consequences of having a differentiated jurisdiction for entities in the ICT sector” as well as over-reporting. The resulting NIS2 proposal provisions have arguably exacerbated those concerns—underscored recently by the head of ENISA.

Recital 65 of the NIS2 Directive Proposal provides some guidance about what it means to “offer services” in the EU, suggesting the provider “should designate a representative” and provides some significant clarification for taking the action.

In order to determine whether such an entity is offering services within the Union, it should be ascertained whether it is apparent that the entity is planning to offer services to persons in one or more Member States. The mere accessibility in the Union of the entity’s or an intermediary’s website or of an email address and of other contact details, or the use of a language generally used in the third country where the entity is established, is as such insufficient to ascertain such an intention. However, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the entity is planning to offer services within the Union. The representative should act on behalf of the entity, and it should be possible for competent authorities or the CSIRTs to contact the representative. The representative should be explicitly designated by a written mandate of the entity to act on the latter’s behalf with regard to the latter’s obligations under this Directive, including incident reporting.

The broad sweep of entity subject-matter jurisdiction combined with an equally broad application of extraterritorial jurisdiction will potentially result in very large numbers of service providers worldwide seeking an EU Member country in which to establish a representative to meet NIS2 obligations.

Additionally complicating will be: 1) establishment of meaningful structured information sharing in light of existing practices already long-established among industry ISACs which are not recognized in the Directive, 2) variations in trust levels in the acquisition and sharing of information, 3) the rather vicarious, incongruous treatment of name resolver and routing service provisioning, 4) the reality of expanding global network and service virtualisation, 5) integration of Common Criteria like certification schemes of dubious efficacy and implementability, and 6) use of standards behind huge paywalls and not readily accessible.

How different EU Members approach this potentially large-scale administrative challenge remains to be seen. However, it is possible some Members may establish combinations of NIS2 transpositions and sensible enterprise-friendly implementation mechanisms that attract large numbers of designations worldwide. A prominent example is the adoption of the Critical Security Controls and Facilitation Mechanisms published by ETSI, which are already widely used by enterprises globally to meet NIS2 requirements and free of paywall constraints.