The NIS2 Directive: Towards a Firmer EU-wide Cybersecurity Framework

Locke Lord LLP

Introduction

At the end of 2022, the European Parliament adopted the “Directive on measures for a high common level of cybersecurity across the Union” or the “NIS2 Directive” in short. This new Directive must be implemented by all EU Member States by October 17, 2024, and replaces the former “Network and Information Security Directive” (the “first NIS Directive”), which dates from 2016.

A recent review of the first NIS Directive has shown a wide divergence in its implementation by Member States. For instance, the delineation of the scope of the first NIS Directive was largely left to the discretion of the Member States. Further, the former Directive allowed Member States wide discretion as regards the implementation of security and incident reporting obligations laid down in the first NIS Directive, leading to significant differences at a national level.

Where the first NIS Directive focused primarily on the security of network and information systems, the scope of the new NIS2 Directive targets the broader “cybersecurity” topic. Companies subject to the NIS2 Directive will be required to take adequate measures in terms of compliance with cybersecurity risk-management measures and reporting obligations. If they fail to do so, they can be subject to fines that are calculated based on their global turnover in a way similar to the General Data Protection Regulation (GDPR).

In view of organizing appropriate oversight, the NIS2 Directive:

  • sets out minimum rules regarding the functioning of a coordinated regulatory framework between the Member States;
  • lays down mechanisms for effective cooperation among the responsible authorities in each Member State; and
  • provides for effective remedies and enforcement measures which are key to the effective enforcement of those obligations.

Scope

For the purpose of compliance with cybersecurity risk-management measures and reporting obligations, the NIS2 Directive distinguishes between essential entities and important entities. Determining factors are the extent to which entities are critical as regards their sector or the type of service they provide, as well as their size. This way, the EU intends to strike a fair balance between risk-based requirements and obligations imposed on companies on the one hand, and the administrative burden stemming from the supervision of compliance on the other.

Each Member State must draw up a list of essential and important entities, including entities providing domain name registration services.

Compared to the first NIS Directive, the NIS2 Directive covers additional sectors that are critical for the economy and society, including providers of public electronic communications networks and services, data centre services, waste water and waste management, manufacturing of critical products, postal and courier services and public administration entities. Also, the healthcare sector is covered more broadly to include, for example, research and development of medicine and the manufacture of pharmaceutical products.

The following sectors are considered highly critical in terms of the NIS2 Directive, and all medium and large-sized companies in these sectors are included in the scope:

  1. Energy, in particular electricity, district heating and cooling, oil, gas, and hydrogen;
  2. Transport by air, rail, water and road;
  3. Banking / credit institutions;
  4. Financial market infrastructures;
  5. Healthcare, including healthcare providers, EU reference laboratories, R&D activities of medicinal products, entities manufacturing basic pharmaceutical products and preparations, as well as entities manufacturing medical devices considered to be critical during a public health emergency;
  6. Suppliers and distributors of drinking water;
  7. Entities collecting, disposing of or treating urban, domestic or industrial waste water;
  8. Digital infrastructure providers, such as internet exchange point providers, DNS service providers, TLD name registries, as well as a wide variety of IT service providers (cloud, data centres, content delivery networks, trust, public electronic communications networks, and providers of publicly available electronic communications services);
  9. B2B ICT managed service providers and managed security providers;
  10. Public administration entities of central governments; and
  11. Operators of ground-based infrastructure that is owned, managed and operated by Member States or by private parties.

Other critical sectors include:

  1. Postal and courier services;
  2. Entities engaged in waste management;
  3. Undertakings carrying out the manufacture, production and distribution of certain chemicals;
  4. Food businesses that are engaged in wholesale distribution and industrial production and processing;
  5. Entities manufacturing certain:
    1. medical devices and in vitro diagnostic medical devices;
    2. computer, electronic and optical products;
    3. electrical equipment;
    4. machinery and equipment n.e.c.;
    5. motor vehicles, trailers and semi-trailers;
    6. other transport equipment;
  6. Providers of online marketplaces, online search engines and social networking services platforms; and
  7. Research organizations.

Member States have some discretion in identifying smaller entities that are also to be considered within the scope of their updated national legal frameworks because of their high security risk profile.

New obligations for entities in scope

Under the first NIS Directive, companies had to take appropriate and proportionate technical, operational and organizational measures to manage their cybersecurity risks, in view of preventing and minimizing the impact of potential incidents. Whilst this principle is kept in the NIS2 Directive, the new framework clearly takes a risk management approach and imposes more concrete, detailed security obligations upon entities that are within its scope.

In particular, the NIS2 Directive provides a minimum list of required security measures, including:

  • incident reporting towards competent authorities, including the content of these reports and the related timelines, in view of facilitating the EU-wide exchange of information and cooperation on crisis management;
  • supply chain security;
  • vulnerability handling and disclosure;
  • the use of cryptography and, where appropriate, encryption;
  • policies and procedures to assess the effectiveness of cybersecurity risk management measures; as well as
  • cybersecurity hygiene and training.


In relation to incident reporting, affected entities must submit an early warning to the CSIRT or competent national authority within 24 hours from when they first become aware of an incident, and can ask them for guidance or operational advice on the implementation of possible mitigation measures. The early warning should be followed by an incident notification within 72 hours of becoming aware of the incident, and by a final report no later than one month after that notification.

Oversight and enforcement

To strengthen the supervision of compliance by the entities within the scope of NIS2, the NIS2 Directive provides for a list of supervisory means through which competent authorities may supervise essential and important entities, such as carrying out regular and targeted audits, performing on-site and off-site checks, and requesting information and access to documents or evidence.

Generally speaking, compliance oversight will be organized at a national level, where national authorities will supervise essential and important entities that are established in their Member State. If such an entity is established in more than one Member State, multiple national authorities will have jurisdiction. In such a case, these authorities will be required to cooperate, provide mutual assistance to each other and, as the case may be, carry out supervisory actions in a coordinated way. Exceptions apply, however, for providers of public electronic communications networks or publicly available electronic communications services, public administration entities, as well as certain digital infrastructure providers and B2B ICT service providers.

The NIS2 Directive provides more stringent and far-reaching supervisory powers to national authorities, which can take a wide variety of enforcement actions, such as issuing binding instructions, orders to implement the recommendations of security audits, or orders to bring security measures in line with the Directive’s requirements, and imposing administrative fines.

With respect to the latter, the NIS2 Directive distinguishes between:

  • essential entities, where fines can amount to a maximum of at least €10,000,000 or 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher; and
  • important entities, where these maximum amounts are lowered to at least €7,000,000 or at least 1.4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

When imposing fines, national authorities should of course consider the particular circumstances of each case, such as the nature, gravity and duration of the infringement, the damage caused or losses incurred, as well as the intentional or negligent character of the infringement.

In view of ensuring real accountability for cybersecurity measures taken by entities within its scope, the NIS2 Directive also introduces liability provisions for natural persons holding senior management positions.

Other initiatives

As the focus of the EU is clearly shifting towards more responsibility and accountability of companies in relevant sectors, it is essential that they adjust, update or upgrade their compliance programs in view of meeting the requirements of the NIS2 Directive by the October 17, 2024 deadline.

As the NIS2 Directive is only one of the cornerstones of the EU’s plans to increase its security efforts, these programs must also consider other general or sector-specific initiatives taken at the European level, such as:

  • the Digital Operational Resilience Act (DORA), which aims to strengthen the IT security of financial institutions such as banks, insurance companies and investment firms by ensuring that they can continue to operate resiliently in the event of serious operational disruptions;
  • the new CER Directive (EU) 2022/2557 of the European Parliament and of the Council of 14 December 2022 on the resilience of critical entities; and
  • the EU Cybersecurity Act (Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013).

Therefore, it is essential for entities in scope of NIS2 to take a holistic approach towards cybersecurity and operational resilience, bearing in mind the key legislative principles on the one hand, and providing for sufficient flexibility on the other hand to accommodate new requirements and initiatives.

Written by:

Locke Lord LLP