At the end of 2022, the European Parliament adopted the “Directive on measures for a high common level of cybersecurity across the Union”, or the “NIS2 Directive” for short. This new Directive must be implemented by all EU Member States in their national laws by October 17, 2024, and replaces the former “Network and Information Security Directive”, which dates back to 2016.
A recent review of the former Directive has shown a wide divergence in its implementation by Member States. For instance, the delineation of the scope of the Directive was largely left to the discretion of the Member States; furthermore, the Member States had a very wide discretion as regards the implementation of the security and incident reporting obligations laid down in the Directive, leading to significant differences at a national level.
Where the first NIS Directive mainly focused on the security of network and information systems, the scope of the new NIS2 Directive targets the broader topic of “cybersecurity”. Companies that are in scope of the new Directive will be required to take adequate measures in terms of compliance with cybersecurity risk-management measures and reporting obligations. If they fail to do so, they can be subject to fines that are calculated on the basis of their global turnover, in a way similar to the General Data Protection Regulation (GDPR).
In view of organising appropriate oversight, the NIS2 Directive:
For the purpose of compliance with cybersecurity risk-management measures and reporting obligations, the new Directive distinguishes essential entities and important entities. Determining factors are the extent to which they are critical as regards their sector or the type of service they provide, as well as their size. This way, the EU intends to strike a fair balance between risk-based requirements and obligations imposed on companies on the one hand, and the administrative burden stemming from the supervision of compliance on the other.
Each Member State must draw up a list of essential and important entities, including entities providing domain name registration services.
Compared to the first Directive, NIS2 covers additional sectors that are critical for the economy and society, including providers of public electronic communications networks and services, data centre services, waste water and waste management, manufacturing of critical products, postal and courier services and public administration entities. Also, the healthcare sector is covered more broadly, for example by including research and development of medicine or the manufacture of pharmaceutical products.
The following sectors are considered highly critical in terms of the Directive, where all medium-sized and large companies are included in the scope:
Other critical sectors include:
Furthermore, Member States have some discretion in identifying smaller entities that are also to be considered within the scope of their updated national legal frameworks because of their high security risk profile.
Under the first NIS Directive, companies had to take appropriate and proportionate technical, operational and organisational measures to manage their cybersecurity risks, in view of preventing and minimising the impact of potential incidents. Whilst this principle is kept in the NIS2 Directive, the new framework clearly takes a risk-management approach and imposes more concrete, detailed security obligations upon entities that are within its scope.
In particular, the new Directive provides a minimum list of basic security measures that have to be taken, including specific provisions regarding:
In relation to incident reporting, affected entities must submit an early warning to the CSIRT or competent national authority within 24 hours of first becoming aware of an incident, and can ask them for guidance or operational advice on the implementation of possible mitigation measures. The early warning must be followed by an incident notification within 72 hours of becoming aware of the incident, and by a final report no later than one month after that notification.
To strengthen the supervision of compliance by the entities within the scope of NIS2, the new Directive provides for a list of supervisory means through which competent authorities may supervise essential and important entities, such as carrying out regular and targeted audits, performing on-site and off-site checks, and requesting information and access to documents or evidence.
Generally speaking, compliance oversight will be organised at a national level, where national authorities are competent to supervise essential and important entities that are established in their Member State. If such an entity is established in more than one Member State, multiple national authorities will have jurisdiction. In such a case these authorities will be required to cooperate, provide mutual assistance to each other and, as the case may be, carry out supervisory actions in a coordinated way. Exceptions apply, however, for providers of public electronic communications networks or publicly available electronic communications services, public administration entities, as well as certain digital infrastructure providers and B2B ICT service providers.
The new Directive provides national authorities with more stringent and far-reaching supervisory powers, allowing them to take a wide variety of enforcement actions, such as issuing binding instructions, orders to implement the recommendations of security audits, or orders to bring security measures in line with the Directive’s requirements, and imposing administrative fines.
With respect to the latter, NIS2 distinguishes between:
When imposing fines, national competent authorities should of course consider the particular circumstances of each case, such as the nature, gravity and duration of the infringement, the damage caused or losses incurred, as well as the intentional or negligent character of the infringement.
In view of ensuring real accountability for the cybersecurity measures taken by entities within the scope of the Directive, NIS2 introduces liability provisions for natural persons holding senior management positions in those entities.
As the focus of the EU is clearly shifting towards more responsibility and accountability of companies in relevant sectors, it is essential that they adjust, update or upgrade their compliance programmes in view of meeting the NIS2 requirements by the October 17, 2024 deadline.
As the NIS2 Directive is only one of the cornerstones of the EU’s plans to increase its security efforts, these programmes must also consider other general or sector-specific initiatives taken at the European level, such as:
Therefore, it is essential for entities in scope of NIS2 to take a holistic approach towards cybersecurity and operational resilience, bearing in mind the key legislative principles on the one hand, and providing for sufficient flexibility on the other hand to accommodate new requirements and initiatives.