Council adopts NIS 2, a renovated framework on Cybersecurity

Giulia Mariuz, Massimiliano Masnada, Elisabetta Nunziante
Hogan Lovells
Contact
LinkedIn
Facebook
X
Send
Embed

Hogan Lovells

The NIS 2 Directive ("Directive" or "NIS2") has been approved by the Council. The Directive will be published in the Official Journal of the European Union in the coming days and will enter into force on the twentieth day following its publication. Member States will have 21 months from the entry into force of the Directive to implement its provisions into their national law. The Directive addresses the shortcomings of NIS1 Directive, and sets forth a renovated framework for cybersecurity in EU.

In brief, the Directive includes

  •  a much wider scope than that of NIS1 Directive. The existing difference between operators of essential services and relevant service providers will be superseded by the new categories of essential and important entities. The new scope is based both on size cap and sectors.  This entails that NIS2 will reach, notably, an extended amount of healthcare operators (including manufacturer of pharmaceuticals and medical devices), online marketplaces, online search engines, social networking social platforms, ICT service management, B2B service providers, public administrations, manufacturers, distributors and productors of chemicals, entities providing  data centre services, research organizations, etc.
  • a more detailed set of minimum compulsory security measures, including governance measures, internal organisation policies (for instance, internal procedures on incident handling, HR conducts, risk assessments and others);
  • a focus on supply chain compliance, with a specific attention to most critical providers;
  • an increase in the powers of competent authorities, particularly for essential entities, which will be subject to ex ante and ex post supervision;
  • increased sanctions, for essential entities up to 10M euro, or 2% of turnover, and for important entities up to 7M euro, or 1.4% of turnover;
  • criteria on jurisdiction, mostly based on main establishment (save from more detailed provisions for instance on electronic communication networks and services), alongside mutual cooperation procedures between authorities.

Next steps

What’s next for involved operators:

  • assessing whether your business falls into the scope of the Directive;
  • Check updates on sector based act such as the Regulation on digital operational resilience for the financial sector (DORA) and the Directive on the resilience of critical entities (CER),
  • monitoring and verifying implementing acts on EU and national level;
  • reviewing and updating governance and procedures within your company;
  • assess your supplier's compliance, and strengthen contractual measures if needed;
  • train management staff and employees on cybersecurity internal policies.

[View source.]

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Hogan Lovells | Attorney Advertising

Written by:

Hogan Lovells
Hogan Lovells
Contact
more
less

Hogan Lovells on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide