At the end of 2022, the European Parliament adopted the “Directive on measures for a high common level of cybersecurity across the Union” or the “NIS2 Directive” in short. This new Directive must be implemented by all EU Member States by October 17, 2024, and replaces the former “Network and Information Security Directive” (the “first NIS Directive”), which dates from 2016.
A recent review of the first NIS Directive has shown a wide divergence in its implementation by Member States. For instance, the delineation of the scope of the first NIS Directive was largely left to the discretion of the Member States. Further, the former Directive allowed Member States wide discretion as regards the implementation of security and incident reporting obligations laid down in the first NIS Directive, leading to significant differences at a national level.
Where the first NIS Directive focused primarily on the security of network and information systems, the scope of the new NIS2 Directive targets the broader “cybersecurity” topic. Companies subject to the NIS2 Directive will be required to take adequate measures in terms of compliance with cybersecurity risk-management measures and reporting obligations. If they fail to do so, they can be subject to fines that are calculated based on their global turnover in a way similar to the General Data Protection Regulation (GDPR).
In view of organizing appropriate oversight, the NIS2 Directive:
For the purpose of compliance with cybersecurity risk-management measures and reporting obligations, the NIS2 Directive distinguishes between essential entities and important entities. Determining factors are the extent to which entities are critical as regards their sector or the type of service they provide, as well as their size. This way, the EU intends to strike a fair balance between risk-based requirements and obligations imposed on companies on the one hand, and the administrative burden stemming from the supervision of compliance on the other.
Each Member State must draw up a list of essential and important entities, including entities providing domain name registration services.
Compared to the first NIS Directive, the NIS2 Directive covers additional sectors that are critical for the economy and society, including providers of public electronic communications networks and services, data centre services, waste water and waste management, manufacturing of critical products, postal and courier services and public administration entities. Also, the healthcare sector is covered more broadly to include, for example, research and development of medicine and the manufacture of pharmaceutical products.The following sectors are considered highly critical in terms of the NIS2 Directive, where all medium and large-sized companies are included in the scope:
Other critical sectors include:
Member States have some discretion in identifying smaller entities that are also to be considered within the scope of their updated national legal frameworks because of their high security risk profile.
New obligations for entities in scope
Under the first NIS Directive, companies had to take appropriate and proportionate technical, operational and organizational measures to manage their cybersecurity risks, in view of preventing and minimizing the impact of potential incidents. Whilst this principle is kept in the NIS2 Directive, the new framework clearly takes a risk management approach and imposes more concrete, detailed security obligations upon entities that are within its scope.
In particular, the NIS2 Directive provides a minimum list of required security measures, including:
In relation to incident reporting, affected entities must submit an early warning to the CSIRT or competent national authority within 24 hours from when they first become aware of an incident, and can ask them for guidance or operational advice on the implementation of possible mitigation measures. The early warning should be followed by an incident notification within 72 hours of becoming aware of such incident and a final report no later than one month later.
Oversight and enforcement
To strengthen the supervision on the compliance of the entities within scope of NIS2, the NIS2 Directive provides for a list of supervisory means through which competent authorities may supervise essential and important entities, such as carrying out regular and targeted audits, performing on-site and off-site checks, request information and access to documents or evidence.
Generally speaking, compliance oversight will be organized at a national level, where national authorities will supervise essential and important entities that are established in their Member State. If such an entity is established in more than one Member State, multiple national authorities will have jurisdiction. In such case, these authorities will be required to cooperate, provide mutual assistance to each other and, as the case may be, carry out supervisory actions in a coordinated way. Exceptions apply, however, for providers of public electronic communications networks or publicly available electronic communications services, public administration entities, as well as certain digital infrastructure providers and B2B ICT service providers.
The NIS2 Directive introduces provides more stringent and far-reaching supervisory powers to national authorities, which can take a wide variety of enforcement actions, such as issuing binding instructions, orders to implement the recommendations of security audits, or orders to bring security measures in line with the Directive’s requirements, and imposing administrative fines.
With respect to the latter, the NIS2 Directive distinguishes between:
When imposing fines, national authorities should of course consider the particular circumstances of each case, such as the nature, gravity and duration of the infringement, the damage caused or losses incurred, as well as the intentional or negligent character of the infringement.
In view of ensuring real accountability for cybersecurity measures taken by entities within its scope, the NIS2 Directive also introduces liability provisions for natural persons holding senior management positions.
As the focus of the EU is clearly shifting towards more responsibility and accountability of companies in in relevant sectors, it is essential that they adjust / update / upgrade their compliance programs in view of meeting the requirements of the NIS2 Directive by the October 17, 2024 deadline.
As the NIS2 Directive is only one of the cornerstones of the EU’s plans to increase its security efforts, these programs must also consider other general or sector-specific initiatives taken at the European level, such as:
Therefore, it is essential for entities in scope of NIS2 to take a holistic approach towards cybersecurity and operational resilience, bearing in mind the key legislative principles on the one hand, and provide for sufficient flexibility on the other hand to accommodate for new requirements and initiatives.
Sign up for our newsletter and get the latest to your inbox.