ARTICLE
18 December 2024

Beyond Borders: What Non-EU Companies Need To Know About The New NIS2 Cybersecurity Directive

The NIS2 Directive (Network and Information Security Directive 2) is the European Union's updated legislation aimed at strengthening cybersecurity across essential and important sectors in EU member states.

Introduction

NIS2 (Directive (EU) 2022/2555) repeals and replaces the original NIS Directive (Directive (EU) 2016/1148, adopted in 2016) and addresses the threat landscape that has developed since then. EU member states had to transpose it into national law by 17 October 2024, so the obligations described below are now enforced through national legislation, with some variation from one member state to the next. NIS2 introduces stricter cybersecurity requirements, extends its scope to cover more sectors and more entities within those sectors, and increases accountability for organizations and their management bodies. While NIS2 is EU legislation, non-EU businesses with operations in Europe, or those supplying or partnering with EU-based companies, need to understand its implications.

NIS2 represents a significant regulatory shift aimed at building a more resilient and secure digital landscape within the EU. Non-EU organizations with operations, customers, or partners within Europe need to understand NIS2 to maintain compliance, avoid penalties, and secure their partnerships and operations in Europe. This article outlines the key considerations for non-EU businesses that want to remain compliant and keep operating within EU member states.

Expanded Scope and Coverage

NIS2 expands upon the original NIS Directive by covering a broader spectrum of sectors deemed critical for society and the economy. The directive lists "sectors of high criticality" in Annex I and "other critical sectors" in Annex II, and a non-EU organization that operates within, or provides services to, any of these sectors in Europe may fall under NIS2's requirements. Several of the sectors below were already covered by the 2016 directive; NIS2 widens the list of sub-sectors and entity types within them:

  • Energy: Electricity, oil and gas remain in scope, and NIS2 adds district heating and cooling and hydrogen.
  • Transport: Covers air, rail, water, and road transport systems.
  • Banking and Financial Market Infrastructure: Credit institutions, trading venues and central counterparties.
  • Health: Healthcare providers such as hospitals remain in scope, and NIS2 adds EU reference laboratories, entities carrying out research and development of medicinal products, manufacturers of basic pharmaceutical products and preparations, and manufacturers of medical devices considered critical during a public health emergency.
  • Public Administration: A new sector, applying to central government bodies and, at member-state discretion, regional ones.
  • Digital Infrastructure: Includes internet exchange points, DNS service providers, TLD name registries, cloud computing services, data centre services, content delivery networks, trust service providers, and providers of public electronic communications networks and services.
  • ICT Service Management (business-to-business): Managed service providers and managed security service providers, also a new sector.

While the original NIS Directive focused on operators of essential services and digital service providers, NIS2 introduces a dual categorization of essential entities and important entities. Contrary to a common reading, the split is not primarily about whether an entity affects national security rather than the economy: it rests on which annex the entity's sector falls under and on the entity's size. As a rule, large enterprises in Annex I sectors are essential entities, while medium-sized enterprises in Annex I sectors and entities in Annex II sectors are important entities; certain entity types are in scope regardless of size, for example qualified trust service providers, TLD name registries, DNS service providers and providers of public electronic communications networks. Annex II "other critical sectors" include postal and courier services, waste management, the manufacture and distribution of chemicals, food production and distribution, manufacturing (medical devices, electronics, machinery, motor vehicles and other transport equipment), digital providers, and research organisations. Space, by contrast, is an Annex I sector. This broadens the directive's reach into sectors that underpin modern life but were not previously regulated.

The digital and ICT (Information and Communication Technology) sectors now face stricter oversight under NIS2. This includes providers of cloud computing services, data centre services and managed (security) services in Annex I, and the "digital providers" of Annex II: online marketplaces, online search engines and social networking platforms. Because EU customers of these services must address supply chain security in their own risk management measures, the directive's provisions affect both the providers and the customers of digital services, raising the security expected of the cloud-based and platform-based applications that many businesses rely on.

Whether the NIS2 Directive reaches a non-EU company depends on how it operates in Europe. As a rule (Article 26), an entity falls under the jurisdiction of the member state in which it is established, so a non-EU group with an EU subsidiary that is itself an essential or important entity is regulated through that subsidiary. For a defined set of digital services (DNS service providers, TLD name registries, domain name registration services, cloud computing, data centre and content delivery network providers, managed service providers, managed security service providers, online marketplaces, online search engines and social networking platforms), a provider that is not established in the EU but offers its services in the EU is nevertheless in scope: it must designate a representative in one of the member states where it offers those services and is deemed to be under that member state's jurisdiction. Non-EU companies in either situation must meet NIS2 standards, making compliance a priority for businesses with an international presence.

NIS2 places an emphasis on supply chain security, acknowledging that cybersecurity incidents in partner companies can impact entire networks. Article 21(2)(d) requires in-scope entities to address supply chain security, including the security-related aspects of their relationships with direct suppliers and service providers, taking into account each supplier's vulnerabilities and overall cybersecurity practices. The legal obligation sits with the EU entity, but in practice it is pushed down through contracts: non-EU suppliers of critical inputs or services should expect security requirements, evidence requests, incident notification clauses and audit rights from their EU customers, and may need to enhance their cybersecurity practices to keep those relationships.

Increased Compliance Requirements

The NIS2 Directive introduces significantly enhanced compliance requirements for organizations within its expanded scope. This stricter framework is designed to improve cybersecurity resilience across essential and important sectors through robust risk management, incident response, and governance. Article 21 requires entities to take appropriate and proportionate technical, operational and organisational measures to manage the risks to the network and information systems they use, following an all-hazards approach. The directive is technology-neutral and does not prescribe particular products, but Article 21(2) lists the minimum areas those measures must cover:

  • Policies on risk analysis and information system security, and procedures to assess the effectiveness of the measures taken.
  • Incident handling, and business continuity measures such as backup management, disaster recovery and crisis management.
  • Supply chain security, and security in the acquisition, development and maintenance of network and information systems, including vulnerability handling and disclosure.
  • Basic cyber hygiene practices and cybersecurity training.
  • Policies and procedures on the use of cryptography and, where appropriate, encryption.
  • Human resources security, access control policies and asset management.
  • Multi-factor or continuous authentication, and secured voice, video and text communications, where appropriate.

For the digital service types named above (DNS, TLD registries, cloud, data centre, CDN, managed service and managed security service providers, online marketplaces, search engines, social networking platforms and trust service providers), Commission Implementing Regulation (EU) 2024/2690 sets out these requirements in more technical detail, so non-EU digital providers should plan against that text rather than the directive alone.

Organizations must integrate cybersecurity into the core of their risk management practices, ensuring that they can identify and address threats before they materialize. In addition, Article 23 of the NIS2 Directive significantly tightens the requirements around incident detection, reporting, and response, emphasizing swift and detailed communication with the national CSIRT or competent authority. An incident is "significant", and therefore reportable, when it has caused or is capable of causing severe operational disruption or financial loss for the entity, or has affected or is capable of affecting other persons by causing considerable material or non-material damage. The reporting steps are staged:

  • Early warning: Within 24 hours of becoming aware of a significant incident, the entity must submit an early warning that indicates, where applicable, whether the incident is suspected to be caused by unlawful or malicious acts and whether it could have a cross-border impact.
  • Incident notification: Within 72 hours of becoming aware, the entity must update the early warning with an initial assessment of the incident, including its severity and impact and, where available, indicators of compromise.
  • Intermediate and final reports: The authority may request intermediate status updates, and a final report is due no later than one month after the incident notification. It must give a detailed description of the incident including its severity and impact, the type of threat or root cause that likely triggered it, the mitigation measures applied and ongoing, and any cross-border impact. If the incident is still ongoing at that point, a progress report is submitted instead and the final report follows within a month of the incident being handled.
  • Notifying recipients: Where appropriate, entities must also inform the recipients of their services about significant incidents, and about significant cyber threats together with the measures those recipients can take in response.
  • Response and recovery plans: Organizations must have established protocols for responding to and recovering from incidents, including containment, remediation, and root-cause analysis, so that the information above can actually be produced on these timelines.

New Governance and Accountability Standards

The NIS2 Directive brings a new level of governance and accountability to cybersecurity, establishing it as a core responsibility of leadership, particularly board members and executives. The directive aims to ensure that cybersecurity is managed strategically at the highest level of organizations, recognizing that leadership accountability is essential for maintaining resilient cybersecurity practices.

NIS2 makes cybersecurity a direct responsibility of boards and executive teams, placing it alongside other strategic priorities. This change reflects a shift from viewing cybersecurity as just an operational or technical issue to recognizing it as a fundamental part of business continuity and resilience. Key requirements include:

  • Regular oversight of cybersecurity risk: Boards are now expected to oversee and understand cybersecurity risks, ensuring that appropriate measures are in place.
  • Setting the tone for cybersecurity: Executives must actively foster a culture of cybersecurity awareness and emphasize its importance across the organization.
  • Prioritizing cybersecurity investment: Boards are accountable for allocating sufficient resources to cybersecurity, ensuring that the organization's defences are robust and scalable as threats evolve.

This level of involvement ensures that cybersecurity considerations are aligned with broader business strategies and priorities.

NIS2 establishes accountability for management bodies, making them responsible for failures to implement effective cybersecurity practices. Article 20(1) requires the management body to approve the entity's risk management measures and oversee their implementation, and provides that its members can be held liable for infringements. This accountability is designed to enforce responsibility and encourage active participation in cybersecurity management at the highest levels. Key points include:

  • Potential personal liability: Members of the management body can face personal consequences, under the national law that transposes the directive, if the organization fails to meet NIS2 requirements, especially where negligence in cybersecurity governance is identified. For essential entities, the supervisory authority may also request that a person at the level of chief executive officer or legal representative be temporarily prohibited from exercising managerial functions.
  • Greater role clarity: Executives must define and understand their specific responsibilities in cybersecurity management, ensuring that everyone in leadership is aware of their roles and the expectations set by NIS2.

This personal accountability serves as a deterrent to negligence, underscoring the importance of cybersecurity as a priority at the executive level.

NIS2 introduces a training requirement for members of the management body, under Article 20(2), to ensure they are adequately informed about cybersecurity risks, regulations, and best practices, and it encourages entities to offer similar training to their employees on a regular basis. This training helps leaders make informed decisions about cybersecurity strategies and investments. Key aspects include:

  • Cybersecurity training for the management body: Board members are required to follow training that gives them sufficient knowledge and skills to identify risks and assess cybersecurity risk management practices and their impact on the services the entity provides.
  • Continuous learning: As cybersecurity threats and best practices evolve, board members must stay updated to maintain an informed perspective on cybersecurity matters.

This requirement helps bridge the knowledge gap that often exists between technical teams and executive leadership, enabling boards to engage more meaningfully in cybersecurity governance.

Financial and Legal Implications

The NIS2 Directive introduces stringent financial and legal implications to ensure compliance and promote cybersecurity resilience across organizations that provide essential and important services within the EU. By enforcing significant penalties and liabilities, NIS2 places cybersecurity on par with other critical areas of regulatory compliance.

One of the most impactful changes in NIS2 is the significant increase in financial penalties for non-compliance. The directive sets minimum ceilings for administrative fines that member states must provide for in national law, tiered by the organization's classification; the actual amount in a given case is set under national law according to the seriousness of the infringement. Key aspects of these financial penalties include:

  • Severe financial penalties: For infringements of the risk management obligations (Article 21) or the reporting obligations (Article 23), essential entities face fines of up to at least €10 million or 2% of total worldwide annual turnover, whichever is higher, and important entities face fines of up to at least €7 million or 1.4% of total worldwide annual turnover, whichever is higher.
  • Supervision and enforcement powers: Essential entities are subject to both ex ante and ex post supervision, including on-site inspections, regular and targeted security audits, security scans and information requests; important entities are supervised ex post, that is, when the authority has evidence of non-compliance. Beyond fines, authorities can issue warnings and binding instructions, order remediation within a deadline, and, for essential entities, temporarily suspend a certification or authorisation for the relevant services.
  • Immediate cost implications: Even organizations not facing incidents must allocate more resources to cybersecurity measures and compliance initiatives to avoid penalties, leading to increased operational costs for compliance, risk management, incident reporting, and employee training.

The risk of substantial fines incentivizes organizations to take proactive measures to prevent cybersecurity incidents and ensure compliance with NIS2 standards.

NIS2 also introduces a new level of legal accountability for executives and board members regarding cybersecurity management. Executives are expected to prioritize cybersecurity governance and may face personal liability in cases of negligence. This accountability encourages a proactive approach to cybersecurity at the highest levels of the organization, aligning leadership with regulatory requirements. The key legal implications include:

  • Personal accountability: Members of the management body are held accountable for cybersecurity failures, especially if due diligence is not demonstrated in risk management, incident response, or supply chain security.
  • Negligence liability: Where incidents or breaches are linked to insufficient cybersecurity oversight, executives could face legal repercussions. The directive itself provides for administrative fines and, for essential entities, a temporary ban on exercising managerial functions; whether civil or criminal liability also attaches is a matter of each member state's transposing and general law, and it is most likely where negligence led to data breaches or critical infrastructure disruption.
  • Proactive training and involvement: To reduce the risk of legal liability, executives must engage in cybersecurity training, stay informed on regulatory obligations, and actively participate in approving and enforcing security policies. Documented involvement of this kind is also the evidence an organization will need if its oversight is ever questioned.

Conclusion: Key Takeaways on NIS2 for Non-EU Businesses

The NIS2 Directive significantly reshapes cybersecurity standards, requiring non-EU businesses with EU operations or partnerships to take immediate action. The expanded scope of NIS2 now covers a wider array of sectors, pushing organizations in essential and important services to adopt robust cybersecurity practices. Non-EU companies in sectors like energy, healthcare, digital infrastructure, and public administration must meet these heightened standards to continue operating in the EU.

Increased compliance requirements emphasize proactive risk management, incident response, and stringent supply chain security. Non-EU companies must be ready to assess and mitigate vulnerabilities across their operations, maintain detailed incident response plans, and ensure cybersecurity measures are in place at every level of their supply chains.

NIS2 also brings governance and accountability to the forefront by holding executives and board members legally responsible for cybersecurity oversight. Leaders must now actively prioritize cybersecurity, setting the tone for a security-conscious organization while dedicating adequate resources to protect against cyber threats.

Lastly, NIS2 introduces substantial financial and legal risks for non-compliance. With fines of at least up to €10 million or 2% of worldwide turnover for essential entities, and €7 million or 1.4% for important entities, non-EU businesses are incentivized to strengthen cybersecurity practices to avoid penalties and potential liability for executives.

For non-EU companies, compliance with NIS2 is critical not just for meeting regulatory standards but also for securing partnerships, maintaining customer trust, and ensuring the continuity of operations in the EU. Embracing the requirements of NIS2 will help organizations build a more resilient cybersecurity framework aligned with European standards.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
