 |
|---|
Our investigation
Our objective is to assess whether this directive involves private entities that have decided to voluntarily and freely make online services available to anyone.
In essence, we propose to investigate whether the NIS 2 directive also applies to private individuals (natural persons, legal entities, associations, foundations) who, from the servers they administer, publicly expose services (or specific services) as self-hosted instances on the Internet free of charge, thus making them available to anyone with interest.
Excluded from this survey are entities that qualify as businesses in their configurations (small, medium, and large), so any other entity that carries out the activities identified in the NIS 2 directive for profit.
The EU Directive 2022/2555 - (NIS 2 directive)
The Directive (EU) 2022/2555 of the European Parliament and of the Council, of Dec. 14, 2022, on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive) was published in the Official Journal of the European Union on Dec. 27, 2022.
Pursuant to Article 41(1), headed “Reception”
By 17 October 2024, Member States shall adopt and publish the measures necessary to comply with this Directive. They shall immediately inform the Commission thereof.*
They shall apply those measures from 18 October 2024.
Directive (EU) 2022/2555 (NIS 2) entered into force on 16/1/2023 (Article 45).
Subject of the directive
Paragraph 1 of Article 1 provides:
This Directive lays down measures that aim to achieve a high common level of cybersecurity across the Union, with a view to improving the functioning of the internal market.
Who? Which actors are involved
The most relevant part concerns the actors involved, which the European legislator identifies in Article 2 - using a complex technique of normative references that engages even jurists in no small measure - in several categories.
For the sole purposes of this contribution, we will focus on entities not considered enterprises (small, medium, or large), whether public or private.
The phenomenon to which attention should be paid is as follows. Very frequently, we find on the Internet the existence of public digital services, that is, available to anyone who has an interest and requests them. Such services are installed on “instances” (servers) of private individuals who have voluntarily chosen to make them available free of charge.
In the group of private entities, individuals, associations, and foundations that are non-profit should also be included.
Therefore, our examination necessarily begins with identifying the entities identified by the NIS 2 directive to which it applies.
Article 2(1) identifies “public or private entities of a type referred to in Annex I or II which qualify as medium-sized enterprises” recalling for their precise identification Article 2(1) of the Annex to Recommendation 2003/361/EC.
Deliberately excluding, as mentioned above, the categories of entities classified as enterprises (small, medium, and large) according to the definition contained in European legislation, we proceed to the analysis of the individual provisions of the directive.
Article 2(2) states that “Regardless of their size, this Directive also applies to entities of a type referred to in Annex I or II, where”
(a) services are provided by:
- providers of public electronic communications networks or of publicly available electronic communications services;
- trust service providers;
- top-level domain name registries and domain name system service providers;
The qualification of entities
At this point, the following aspects emerge for further investigation:
- the qualification of “entities” as generically proposed by the cited standard;
- the qualification of “entities” regardless of their size, of the types in Annex I or II;
- the identification of “entities” at least as stated in (a) - (i).
Regarding the first point, the definition of “entity” in Article 6(1), number (38), according to which:
‘entity’ means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;
The above definition of entities is so broad as to include, without the possibility of exclusion, all physical persons who can exercise rights and be subject to obligations (capacity to act according to Italian law).
Likewise, the qualification as an “entity” of legal persons who have the same capacity to exercise rights and be subject to obligations is equally broad. In the latter case, no distinction is made either about the legal nature of the legal entity (companies, associations, foundations) or concerning the purpose of any profit-making purpose.
Moreover, the qualification “regardless of their size” contained in the Article as mentioned above 2(2)(a)(i) makes it ruled out as applicable to natural persons, remaining solely a characteristic of legal persons. Consequently, the qualification of “legal persons” is further extended than specified in the previous paragraph since its size is irrelevant.
To complete the framing, it also turns out to be irrelevant whether the “entity” natural or legal person is placed in one of the categories provided in Annexes I and II of NIS 2.
At the end of the examination concerning only the term “entity”, it emerges that any natural or legal person is affected by the NIS 2 Directive.
The identification of services
The decisive element in the qualification of entities (again concerning the objective stated at the beginning of this contribution) to which the NIS 2 directive is to be applied is solely that of the qualification of services.
Specifically, the Article as mentioned earlier 2(2)(a), in paragraphs (i), (ii), and (iii), identifies services, namely the following:
- providers of public electronic communications networks;
- providers of publicly available electronic communications services;
- trust service providers;
- top-level domain name registries;
- domain name system service providers.
For proper qualification, the definitions of the above services, as stated in Article 6 of NIS 2, should be reported.
We report, therefore, the following definitions:
1) Article 6(1)(36)
‘public electronic communications network’ means a public electronic communications network as defined in Article 2, point (8), of Directive (EU) 2018/1972. The system of references used by the European legislator requires that the definition be sought in another piece of legislation (Directive (EU) 2018/1972 - European Electronic Communications Code), which declines it in the following terms:
‘public electronic communications network’ means an electronic communications network used wholly or mainly for the provision of publicly available electronic communications services which support the transfer of information between network termination points;
2) Article 6(1)(37)
‘electronic communications service’ means an electronic communications service as defined in Article 2, point (4), of Directive (EU) 2018/1972.
The recalled definition is as follows:
‘electronic communications service’ means a service normally provided for remuneration via electronic communications networks, which encompasses, with the exception of services providing, or exercising editorial control over, content transmitted using electronic communications networks and services, the following types of services:
(a) ‘internet access service’ as defined in point (2) of the second paragraph of Article 2 of Regulation (EU) 2015/2120;
(b) interpersonal communications service; and
(c) services consisting wholly or mainly in the conveyance of signals such as transmission services used for the provision of machine-to-machine services and for broadcasting.
3) Article 6(1)(24)
‘trust service’ means a trust service as defined in Article 3, point (16), of Regulation (EU) No 910/2014.
The recalled definition is as follows:
‘trust service’ means an electronic service normally provided for remuneration which consists of:
(a) the creation, verification, and validation of electronic signatures, electronic seals or electronic time stamps, electronic registered delivery services and certificates related to those services, or
(b) the creation, verification and validation of certificates for website authentication; or
(c) the preservation of electronic signatures, seals or certificates related to those services.
4) Article 6(1)(21)
‘top-level domain name registry’ or ‘TLD name registry’ means an entity which has been delegated a specific TLD and is responsible for administering the TLD including the registration of domain names under the TLD and the technical operation of the TLD, including the operation of its name servers, the maintenance of its databases and the distribution of TLD zone files across name servers, irrespective of whether any of those operations are carried out by the entity itself or are outsourced, but excluding situations where TLD names are used by a registry only for its own use.
5) Article 6(1)(22)
‘entity providing domain name registration services’ means a registrar or an agent acting on behalf of registrars, such as a privacy or proxy registration service provider or reseller.
Conclusion: the NIS 2 directive also applies to natural and legal persons
In the light of the hermeneutic path we have outlined, it would emerge that natural persons, associations or foundations can only provide services indicated in item 2 of the list declined in the previous paragraph, to which subjects, therefore, the NIS 2 Directive applies.
Therefore, natural persons, associations and foundations that also provide free of charge an electronic communication service, specifically interpersonal communication services, are subject to the NIS 2 Directive.
It is unclear whether social networking and cloud computing services, which - at present - would seem to be attributable only to entities engaged in business activities with an obvious profit motive, can also be included in the group of electronic communication services, as defined.
Open source and services made publicly free online: what will be the fate?
Once upon a time was digital freedom and the deeper meaning of open source software? This question is the starting point of our investigation.
The path of hermenutic analysis of the mentioned rules contained in NIS Directive 2, leads to some important reflections.
It is well known that open source software is based on its own philosophy, and this is not the place to elaborate.
However, we cannot avoid pointing out how some projects with which protocols defined as “open” or “open standard” have been implemented may be restricted in their global usability as a result of the applicability of the rules of the NIS 2 directive. In fact, entities (individuals, associations, foundations) to which the NIS 2 directive applies, if only to evade the obligations imposed by this discipline, may decide to stop offering services related to open source resources free of charge to the detriment of potential users.
To be clearer, let’s imagine private entities such as individuals (including us), legal entities, associations, foundations, who wanted to install a public instance of Matrix thus making it available to anyone. On the level of identifying the object of the service, there seems to be no doubt that Matrix constitutes an electronic communication service as defined in NIS Directive 2.
Another hypothesis, is that of whoever (private entities such as individuals, legal entities, associations, foundations) has installed or intends to install a public instance of a XMPP service, making it usable free of charge to anyone. Again, since this is an electronic communication service, the entity providing this service will be obliged to comply with the NIS 2 directive with all the consequences as to the fulfilments to be carried out. Without wishing to bore the reader, the same reasoning can be transposed to any communication service offered for free to anyone by private individuals.
In our view, among XMPP services, it would remain excluded from the regulation of the NIS 2 [Snikket] Directive(https://snikket.org) because there is no public access to anyone for registration, with the consequence that the service is not, precisely, public. However, although the registration is not public, we could argue that exposed-the communication service is still provided to users admitted by the administrator. Therefore, even in this case, it needs to be clarified what the regulatory treatment of this type of service will be.
Again, let us imagine a scenario quite similar to the previous ones in the presence of public instances accessible and usable free of charge by anyone for social network, cloud computing or search engine services. Imagine, for example, an instance of Mastodon, of Nextcloud, or a public instance of SearXNG.
In all of the cases mentioned (and they are not the totality) it should be pointed out that entities that voluntarily and freely make online public services available to anyone have costs that they bear at their own expense and sometimes (but not always) with donations. These initiatives should be appreciated and encouraged.
The understandable and supportable purpose of the NIS 2 directive would on the one hand undermine the freedom to offer services for free to anyone (and therefore public), and on the other hand would affect the development of open source software-probably-disincentivizing it.
The nodal point always concerns the search for a balance resulting from a balancing of interests between the (legitimate) need for a European digital sovereignty and the nature and essence of the Internet as it has evolved to date.
This balance should (or should have) been the result of a fruitful joint journey between politics, legislators, stakeholders and civil society.
By the deadline specified in the directive for transposition (17/10/2024), the states of the Union will consciously take steps to make the provisions applicable from 18/10/2024 as planned.
The hope is that - in addition to any useful clarifications to dispel doubts - action will be taken to prevent this arrangement from leading to distortions so acute that they may be seriously detrimental to the development of open source software, those who voluntarily make digital resources available, and those who freely intend to make use of publicly available online services.
If this resource was helpful, you could contribute by
Or donate via
Follow us on Mastodon
Stay tuned!