Since 2016, when the EU adopted the first EU-wide law guaranteeing a high common level of cybersecurity for critical infrastructure (Directive (EU) 2016/1148 of the European Parliament and of the Council concerning measures for a high common level of security of network and information systems across the Union, the NIS Directive), much has changed: the technology itself, COVID-19, working from home, rapid digital transformation and the growing interconnectedness of society, including cross-border exchanges. Technology has become part of everyday business and life, but at the same time risks and incidents have also increased. These can jeopardise the pursuit of economic activities in the internal market, cause financial loss, undermine user confidence and cause great damage to the economy and society of the Union.
All of this has shown that the 2016 Directive can no longer effectively respond to current and emerging cybersecurity challenges.
Directive (EU) 2022/2555 of the European Parliament and of the Council on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (the NIS2 Directive), was adopted on 14 December 2022.
The Directive entered into force on 16 January 2023.
Member States must transpose the rights and obligations of the Directive into national law, which includes adopting the necessary mandatory provisions and repealing or amending existing regulations, by 17 October 2024, roughly 21 months after entry into force. By that date EU Member States must adopt and publish the measures needed to comply with the NIS2 Directive.
The goals of NIS2 itself, in addition to greater legal certainty, are to extend the scope of application to new sectors and new stakeholders, to strengthen supervision and enforcement (including sanctions), and to achieve better and more effective cooperation between Member States.
Key changes arising from NIS2 include:
Wider scope: NIS2 applies to a wider range of sectors and entities than the existing NIS Directive.
In addition to the sectors covered by the NIS Directive, NIS2 also covers organisations operating in the following sectors:
- Digital infrastructure and digital service providers – including providers of public electronic communications networks or services, social network service platforms and data centre services
- Wastewater and waste management
- Manufacture of certain key products (such as medicines, medical devices or chemicals)
- Production, processing and distribution of food
- Postal and courier services
- Public administration
A size-cap rule is introduced so that, as a rule, all medium and large entities operating in the sectors covered by the new text must meet the requirements of NIS2.
NIS2 also applies to certain “essential” and “important” entities regardless of their size in specific circumstances, such as:
- entities providing certain public electronic communications networks or publicly available electronic communications services
- top-level domain name registries and DNS service providers
- entities offering services where potential disruptions to those services could affect public safety, public security or public health
- entities offering services where potential disruptions to the service could induce systemic risk, especially in sectors where the disruption could have a cross-border impact
Supervision and accountability of the management body: NIS2 imposes direct obligations on the ‘management bodies’ of in-scope entities to approve and oversee their organisation’s cybersecurity risk-management measures (and to follow cybersecurity training themselves), with non-compliance potentially leading to fines and, for essential entities, a temporary ban on the exercise of managerial functions, including at C-suite level.
Members of management bodies of entities falling within the scope of NIS2 may be held liable if those entities breach their obligations under NIS2. Ultimately, moving responsibility for cybersecurity risk management to the management level of essential and important entities reflects a clear intention to make cybersecurity risk management a senior-management responsibility. Management bodies carry the ultimate responsibility, and any failure to recognise this could lead to serious consequences, including personal liability of management and administrative fines, as provided for in the implementing national legislation.
Cybersecurity risk-management measures, including supply chain analysis: NIS2 requires entities to implement cybersecurity risk-management measures, which include security risk reduction requirements and due diligence of third-party suppliers and service providers.
NIS2 (Article 21(2)) lists ten minimum measures that all essential and important entities must take to manage risks.
These measures are:
- Information system risk analysis and security policy
- Incident handling (prevention, detection, and incident response)
- Business continuity and crisis management
- Supply chain security, including security-related aspects of the relationship between each entity and (i) its direct suppliers or (ii) its service providers (such as data storage and processing service providers or managed security service providers)
- Security in the acquisition, development and maintenance of network and information systems, including vulnerability handling and disclosure
- Policies and procedures for assessing the effectiveness of cybersecurity risk-management measures
- Basic cyber hygiene practices and cybersecurity training
- Policies and procedures on the use of cryptography and, where appropriate, encryption
- Human resources security, access control policies and asset management
- Use of multi-factor or continuous authentication, secured voice, video and text communications and secured emergency communication systems, where appropriate
These measures require entities falling within the NIS2 scope to address security risks in their supply chain with their suppliers and service providers, including assessing and taking into account the overall quality of the products and the cybersecurity practices of those suppliers and service providers.
Amended incident reporting requirements: NIS2 introduces phased notification obligations for significant incidents: an early warning within 24 hours of becoming aware of the incident (instead of simply “without undue delay” as in the NIS Directive), an incident notification within 72 hours, and a final report within one month of the incident notification.
Fines and penalties: Member States must lay down effective, proportionate and dissuasive penalties for infringements of NIS2, including administrative fines for certain infringements of up to EUR 10 million or 2% of total worldwide annual turnover (whichever is higher) for essential entities, and up to EUR 7 million or 1.4% of total worldwide annual turnover (whichever is higher) for important entities.
Adoption timeline and steps to take at this time
As stated in the introduction, by 17 October 2024 EU Member States must adopt and publish measures to comply with the NIS2 Directive.
At this stage, organisations should consider the scope of NIS2 and whether they fall within it. If an organisation concludes that it is likely to fall within the scope of the new legislation, it should consider the organisational, financial and technical steps that will be necessary to prepare for compliance. For example, in terms of ICT spending, the European Commission expects organisations to face an increase of up to 22% in ICT security spending in the first few years following the implementation of NIS2 (an increase of up to 12% is estimated for organisations already falling within the scope of the existing NIS Directive). Organisations within scope should monitor how NIS2 is transposed in the key EU jurisdictions in which they operate.
In addition, organisations offering information and network security products or services should be prepared for due diligence from customers that fall within the scope of NIS2. Such suppliers, even if they are themselves outside the scope, should therefore ensure that effective, documented procedures are in place to manage the security risks associated with their product or service offering before that due diligence arrives.