Will public buyers be covered by new EU cybersecurity requirements? (Spoiler alert: some will, all should)

EU legislators have reached provisional agreement on a significant revamp of cybersecurity rules, likely to enter into force at some point in late 2024 or 2025. The future Directive (EU) 2022/... of the European Parliament and of the Council of .... on measures for a high common level of cybersecurity across the Union, repealing Directive (EU) 2016/1148 (NIS 2 Directive) will significantly expand the obligations imposed on Member States and on ‘essential’ and ‘important’ entities.

Given the importance of managing cybersecurity as public buyers complete their (late) transition to e-procurement, or further progress down the procurement digitalisation road, the question arises whether the NIS 2 Directive will apply to public buyers. I address that issue in this blog post.

Conflicting definitions?

Different from other recent legislative instruments that adopt the definitions under the EU procurement rules to establish the scope of the ‘public sector bodies’ to which they apply (such as the Open Data Directive, Art 2(1) and (2); or the Data Governance Act, Art 2(17) and (18)), the NIS 2 Directive establishes its own approach. Art 4(23)* defines ‘public administration entities’ as:

an entity recognised as such in a Member State in accordance with national law, that complies with the following criteria:

(a) it is established for the purpose of meeting needs in the general interest and does not have an industrial or commercial character;

(b) it has legal personality or it is entitled by law to act on behalf of another entity with legal personality;

(c) it is financed, for the most part, by the State, regional authority, or by other bodies governed by public law; or it is subject to management supervision by those authorities or bodies; or it has an administrative, managerial or supervisory board, more than half of whose members are appointed by the State, regional authorities, or by other bodies governed by public law;

(d) it has the power to address to natural or legal persons administrative or regulatory decisions affecting their rights in the cross-border movement of persons, goods, services or capital.

Procurement lawyers will immediately raise their eyebrows. Does the definition capture all contracting authorities covered by the EU procurement rules?

Some gaps

Let’s take Directive 2014/24/EU for comparison [see A Sanchez-Graells, ‘Art 2’ in R Caranta and idem (eds), European Public Procurement. Commentary on Directive 2014/24/EU (Edward Elgar 2021) 2.06-2.18].

Under Arts 1(1) and 2(1)(2), it is clear that Directive 2014/24/EU applies to ‘contracting authorities’, defined as ‘the State, regional or local authorities, bodies governed by public law or associations formed by one or more such authorities or one or more such bodies governed by public law’.

Regarding the ‘State, regional or local authorities’, it seems clear that the NIS 2 Directive in principle covers them (more below), to the extent that they are recognised as a ‘public administration entity’ under national law. This does not seem problematic, although it will of course depend on the peculiarities of each Member State (not least because Directive 2014/24/EU operates a list system and refers to Annex I to establish what are central government authorities).

‘Bodies governed by public law’ are also largely covered by the definition of the NIS 2 Directive, as the material requirements of the definition map on to those under Art 2(1)(4) of Directive 2014/24/EU. However, there are two key deviations.

The first one concerns the addition of the requirement (d) that the body must have ‘the power to address to natural or legal persons administrative or regulatory decisions affecting their rights in the cross-border movement of persons, goods, services or capital’. In my view, this is unproblematic, as all decisions concerning a procurement process covered by the EU rules have the potential to affect free movement rights and, to the extent that the body governed by public law can make those decisions, it meets the requirement.

The second deviation is that, under the ‘financing and control’ criterion (c), the NIS 2 Directive does not include finance or control by local authorities. This leaves out local-level bodies governed by public law, but only those that are not financed or influenced by other (local-level) bodies governed by public law (which is odd). However, this is aligned with the fact that the NIS 2 Directive does not cover local public administration entities (Art 2(2a)* NIS 2 Directive), although it foresees that Member States can extend its regime to local authorities. In such a case, the definitions would have to be carefully reworked in the process of domestic transposition.

A final issue is then whether the definition in the NIS 2 Directive covers ‘associations formed by one or more [central or sub-central] authorities or one or more such bodies governed by public law’. Here the position is much less clear, and it seems to depend on a case-by-case assessment of whether a given association meets all requirements under the definition, which can prove problematic and raise difficult interpretive questions—despite eg having extended the legal personality criterion (b) to the possibility of being ‘entitled by law to act on behalf of another entity with legal personality’. It is thus possible that some associations will not be covered by the NIS 2 Directive, eg if their status under domestic law is unclear.

More gaps

Although the NIS 2 Directive definition in principle covers the State and regional authorities (as above), it should be stressed that the scope of application of the Directive only extends to public administration entities of central governments, and those at regional level ‘which following a risk based assessment, provide services the disruption of which could have a significant impact on critical economic or societal activities’ (Art 2(2a)* NIS 2 Directive).

In relation to regional procurement authorities, then, the question arises whether Member States will consider that the disruption of their activities ‘could have a significant impact on [other] critical economic or societal activities’. I submit that this will necessarily be the case, as the procurement function enables the performance of the general activities of the public administration and the provision of public services. However, there seems to be some undesirable legal wriggle room that could create legal uncertainty.

Moreover, the NIS 2 Directive does not apply ‘to public administration entities that carry out their activities in the areas of defence, national security, public security, or law enforcement, including the investigation, detection and prosecution of criminal offences’ (Art 2(3a)* NIS 2 Directive). This is another marked deviation from the treatment of entities in the defence and security sectors under the procurement rules [see B Heuninckx, ‘Art 15’ in Caranta and Sanchez-Graells, Commentary, above].

At a minimum, the reference to entities carrying out ‘the investigation, detection and prosecution of criminal offences’ raises questions on the applicability of the NIS 2 Directive to public buyers formally inserted in eg the Ministry of Justice and/or the judiciary, at Member State level. Whether this is a relevant practical issue will depend on the relevant national context, but it would have been preferable to take an approach that directly mapped onto the scope of Directive 2009/81/EC in determining the relevant activities.

Why is this a problem?

The potential inconsistencies between the scope of application of the NIS 2 Directive and the EU procurement rules are relevant in the context of the broader digitalisation of procurement, but also in the narrow context of the entry into force of the new rules on eForms (see here) and the related obligations under the Open Data Directive, which will require public buyers to make data collected by eForms available in electronic format.

Cutting a long story short, it has been stressed by eg the OECD that opening information systems to make data accessible may ‘expose parts of an organisation to digital security threats that can lead to incidents that disrupt the availability, integrity or confidentiality of data and information systems on which economic and social activities rely’. Moreover, given that the primary purpose of making procurement data open is to enable the development of AI solutions, such risks need to be considered in that context and cybersecurity of data sources has been raised as a key issue by eg the European Union Agency for Cybersecurity (ENISA).

Given that all procurement data systems will be interconnected (via APIs), and that they can provide the data architecture for other AI solutions, cybersecurity risks are a systemic issue that would benefit from a systemic approach. Having some (or most) but not all public buyers comply with high standards of cybersecurity may not eliminate significant vulnerabilities if the remaining points of access generate relevant cybersecurity risks.

How to fix it?

In my view, Member States should extend the obligations under the NIS 2 Directive not only to their local ‘public administration entities’, as envisaged by the Directive, but to all entities covered by significant data governance rules, such as the Open Data Directive. This would ensure high levels of cybersecurity to protect the integrity of the new procurement open data systems. It would also have the added benefit of ensuring alignment with the EU procurement rules and, in that regard, it would contribute to a clear regulatory framework for the governance of digital procurement across the EU.

_________________________

* Please note that Articles in the provisional text of the NIS 2 Directive will have to be renumbered.