In 2016, the European Parliament and the Council of the European Union adopted the NIS Directive, the first piece of EU-wide legislation on cybersecurity. After its first review in 2020, the Commission presented a new legislative proposal, which led to the adoption of its successor at the end of 2022, the so-called ‘NIS2’ Directive.
The NIS2 Directive repeals and modernises the existing NIS framework (‘NIS1’) and extends it to cover further sectors, taking into account how the cybersecurity threat landscape has evolved since the adoption of NIS1. In the following, we examine how NIS2 strengthens the security requirements for entities in its scope, introduces reformed reporting and communication obligations, and imposes more stringent enforcement requirements.
Scope of regulated entities
NIS2 has a broader scope than NIS1 and will apply to more entities. Its obligations are addressed to ‘essential entities’ and ‘important entities’ that provide services or carry out activities within the EU. Broadly, essential entities are the larger entities in the sectors of high criticality, such as energy, transport, banking, financial market infrastructures, health, drinking water, waste water, digital infrastructure, ICT service management (business-to-business), public administration and space. Important entities are the other in-scope entities in those sectors and entities in the further critical sectors, such as (among others) postal and courier services, waste management, the manufacture, production and distribution of chemicals, the production, processing and distribution of food, manufacturing, digital providers and research.
As a rule, entities that employ fewer than 50 people and whose annual turnover or annual balance sheet total does not exceed €10m (i.e. micro and small enterprises) fall outside NIS2. Some entities are, however, in scope regardless of their size: providers of public electronic communications networks and top-level domain name registries, for instance.
Cybersecurity requirements and management body obligations
Regulated entities must implement appropriate and proportionate cybersecurity risk-management measures to manage the risks to their network and information systems and to prevent or minimise the impact of incidents on the recipients of their services. These measures must:
- follow an all-hazards approach, for which NIS2 provides a list of minimum measures covering, among other things, risk analysis and security policies, incident handling, business continuity, supply-chain security and third-party due diligence, vulnerability handling and disclosure, cyber hygiene and training, cryptography, access control and multi-factor authentication;
- take into account the state of the art, relevant European and international standards, the cost of implementation and the risks; and
- be proportionate, which must be assessed against elements such as the entity’s degree of exposure to risks, the entity’s size, and the likelihood of incidents and their severity, including their societal and economic impact.
Furthermore, the management body of an entity must approve the cybersecurity risk-management measures taken and oversee their implementation. Members of management bodies are required to follow cybersecurity training so that they take those decisions on an informed basis. If a regulated entity does not comply, its management body can be held liable for the infringement under applicable national law.
Reporting significant incidents
NIS2 requires in-scope entities to notify the computer security incident response team (‘CSIRT’) or, where applicable, the competent authority of the relevant Member State when a ‘significant incident’ occurs. An incident is significant if it:
- has caused or may cause substantial operational disruption or financial loss for the entity; or
- has affected or may affect other natural or legal persons by causing them considerable material or non-material damage.
Regulated entities must report such incidents in three stages:
- an early warning, within 24 hours of becoming aware of the incident, indicating, where applicable, whether the incident is suspected of being caused by unlawful or malicious acts and whether it could have a cross-border impact;
- an incident notification, within 72 hours of becoming aware of the incident, updating the early warning and giving an initial assessment of the incident’s severity and impact and, where available, the indicators of compromise; and
- a final report, within one month after the incident notification, describing the incident, its root cause, the mitigation measures applied and any cross-border impact.
Where the incident is still ongoing when the final report falls due, a progress report is submitted instead and the final report follows within one month of the incident being handled. The CSIRT or competent authority may also request intermediate status updates at any time.
Communication of significant cyber threats
Separately from incident reporting, entities must, where appropriate, communicate without undue delay to recipients of their services who are potentially affected by a ‘significant cyber threat’ any measures or remedies those recipients can take in response to the threat, and, where appropriate, inform them of the threat itself. A cyber threat is significant if, based on its technical characteristics, it can be assumed to have the potential for a severe impact on the entity’s network and information systems or on the users of its services by causing them considerable material or non-material damage.
Penalties and enforcement
Breaches of the obligations on cybersecurity risk-management measures, on reporting significant incidents or on communicating significant cyber threats are subject to GDPR-style administrative fines set by national law. The maximum fine must be at least the higher of:
- €10m or 2 % of the total worldwide annual turnover in the preceding financial year for essential entities; and
- €7m or 1.4 % of the total worldwide annual turnover in the preceding financial year for important entities.
Periodic penalty payments may also be imposed to compel an entity to cease an infringement.
Where an infringement of these NIS2 obligations entails a personal data breach, the competent authorities under NIS2 and the data protection authorities (DPAs) under the GDPR must cooperate. The competent authorities must inform the DPAs of such a breach without undue delay and may not impose an administrative fine where a DPA has already fined the entity for the same conduct.
Status of national implementation
Since EU Directives must be enacted into national law before they take effect, Member States must transpose NIS2 into national law by 17 October 2024, and the national measures apply from 18 October 2024.
Member States may also adopt further sector-specific legal acts on cybersecurity risk-management measures and reporting obligations, provided these take due account of the need for a comprehensive and consistent cybersecurity framework. Hence it remains to be seen how the implementation of NIS2 will unfold and whether there will be significant differences across the EU.