Background

The NIS Directive was the first piece of EU-wide legislation on cybersecurity, and aimed to achieve a high common level of cybersecurity across the EU.

The NIS 2 Directive¹ has expanded this scope, effectively requiring more entities and sectors to take measures, and is therefore relevant to most of the technology sector.

It aims to strengthen the security requirements, address the security of supply chains, streamline reporting obligations, and introduce stricter enforcement requirements, including harmonised EU sanctions.

The NIS 2 Directive was published in the Official Journal of the European Union on 27 December 2022, and EU Member States have 21 months from its entry into force (that is, until 17 October 2024) to transpose its provisions into national law.

Those national measures shall apply from 18 October 2024, at which point Directive (EU) 2016/1148 (the "NIS 1 Directive") will be repealed and replaced.

Scope

The NIS 2 Directive broadens the scope of the NIS 1 Directive and applies to all entities (public or private) that provide services or carry out activities in the EU which are either an "essential" or an "important" entity in a defined list of sectors. These entities are further divided into:

  • sectors of high criticality, such as energy, health, financial market infrastructures; and
  • other critical sectors, such as postal, courier services, digital providers and the production and distribution of chemicals.

The NIS 2 Directive includes size-based exemptions, so that small and micro businesses are excluded in several cases, and it allows member states to exempt specific organisations involved in national security, public security, defence, or law enforcement.

The three categories of digital service providers (DSPs) previously covered under the NIS 1 Directive remain covered under the NIS 2 Directive:

  • cloud computing service providers are covered as part of the digital infrastructure sector;
  • online marketplaces and search engines are covered as digital providers;
  • a wider range of technology providers are now also covered including social network platforms, data centre providers and managed service providers.

Additional measures required

The NIS 2 Directive requires essential and important entities to implement additional cybersecurity risk-management measures proportionate to the cybersecurity risk, such as:

  • risk analysis and information security policies;
  • business continuity, such as backup management and disaster recovery;
  • crisis management and incident handling; and
  • supply chain security, including the security of the relationships between each entity and its direct service providers, together with basic 'cyber hygiene' practices and cybersecurity training.

Additional responsibility of management

The NIS 2 Directive increases the cybersecurity responsibilities of the management of important and essential entities. Management is required to approve the additional security measures described above and to monitor their implementation. Management can be held liable if the organisation does not comply with the requirements set out in the NIS 2 Directive (or in the implementing legislation).

Reporting

Essential and important entities must notify, without undue delay, the computer security incident response team ("CSIRT") or, where applicable, the competent authority, of any incident having a significant impact on the provision of their services. The notification proceeds in stages. First, an early warning must be sent to the CSIRT or the competent authority without undue delay and in any event within 24 hours of becoming aware of the significant incident. Second, an incident notification must be submitted without undue delay and in any event within 72 hours of becoming aware of the significant incident; it must include an initial assessment of the incident's severity and impact and, where available, the indicators of compromise. Finally, a final report must be submitted no later than one month after the submission of the incident notification.

Supervision

Under the NIS 2 Directive, essential and important entities are subject to different supervisory and enforcement regimes:

  • Essential entities: are subject to fines of up to EUR 10 million or 2% of the entity's total annual global turnover in the previous financial year, whichever is higher. They may also be subject to strict supervision (including on-site inspections and off-site supervision), regular and targeted security audits carried out by the relevant authority, and ad hoc audits where justified by a significant incident or a fundamental breach of the provisions of the NIS 2 Directive.
  • Important entities: are subject to fines of up to EUR 7 million or 1.4% of the entity's total annual global turnover in the previous financial year, whichever is higher. Supervision is carried out only ex post, that is, when the supervisory authority receives evidence or information indicating that an important entity is suspected of non-compliance with the NIS 2 Directive.

Registration

Certain organisations (including DNS service providers, TLD name registries, entities providing domain name registration services, cloud computing service providers, data centre service providers, content delivery network providers, and providers of online marketplaces, online search engines and social networking platforms) will be required to submit information about themselves to the competent authority, so that the European Union Agency for Cybersecurity ("ENISA") can establish a register of these entities.

Strengthened European cooperation

The NIS 2 Directive establishes the European cyber crisis liaison organisation network (EU-CyCLONe) for the regular sharing of information between member states and EU bodies and for the coordinated management of large-scale cybersecurity incidents. Such incidents are those that significantly affect at least two EU member states or exceed the response capacity of a single member state.

Find the NIS 2 Directive here.

Footnote

1. Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 ("NIS 2 Directive")

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.