The national implementation of the new EU Directive on measures for a high common level of cybersecurity for specific sectors across the Union (NIS2) is in progress. The NIS2 Directive extends the cybersecurity framework to cover more sectors, taking into account evolving cybersecurity threats (see our comprehensive overview of key aspects of the NIS2 Directive). While we have already delved into the key aspects that businesses need to consider under NIS2 in a previous blog post, this one focuses on the practical challenges that companies may face when implementing the NIS2 requirements, how to overcome them, and how to prepare for a crisis.
Transposition of NIS2 into national law in the EU Member States is required by 17 October 2024. So far, only the Belgian, Croatian and Hungarian implementation acts have been adopted (read our overview of the Belgian law). Other EU Member States, most recently Germany, have only published draft legislation. Like other laws introduced under the EU’s Digital Strategy, the NIS2 Directive has extra-territorial reach and provides for high, GDPR-like fines (up to the higher of EUR 10 million or 2% of annual group turnover) coupled with short data breach notification deadlines. With this in mind, companies are well advised to review whether NIS2 will be relevant to them and to kick off compliance projects as appropriate.
Scope of the NIS2 Directive
NIS2 applies to companies that provide services or carry out activities in specific sectors within the EU. Depending on the sector and the size, companies are classified as ‘essential entities’ or ‘important entities’, leading to different enforcement and potential fines.
With regard to the sectors, a distinction must be made between sectors of high criticality and other critical sectors. Sectors of high criticality include energy, transport, banking, water, financial market infrastructures, health, digital infrastructure, ICT service management (business-to-business), public administration and space. Other critical sectors include (among others) the production, processing and distribution of food, the manufacturing, production and distribution of chemicals, various other manufacturing activities, and digital providers.
In addition, certain thresholds in terms of the number of employees (50 or more) and annual turnover or annual balance sheet total (more than EUR 10 million) must be met. However, in certain cases these thresholds are irrelevant and the entity falls within scope regardless of its size. Furthermore, based on the wording of the Annex to Recommendation 2003/361/EC, regulators may argue that the headcount and financial figures of the parent company or another group entity must be added when assessing these thresholds.
Main obligations under NIS2
Companies that fall within the scope of NIS2 must comply with the following key elements:
- Cybersecurity requirements such as taking appropriate and proportionate technical, operational and organisational measures to manage security risks;
- Management body obligations (eg management bodies must (i) approve the cybersecurity risk-management measures taken, (ii) oversee their implementation, and (iii) can be held liable for infringements);
- Three-phase reporting obligations for significant incidents (24 hours early warning; 72 hours incident reporting; one month final report);
- Communication of significant cyber threats to potentially affected recipients of the services without undue delay;
- Regular security audits carried out by an independent body or a competent authority.
Practical challenges when implementing NIS2 and how to overcome these
Companies that potentially fall within the scope of NIS2 face several implementation challenges that can be addressed through a structured approach. Those challenges include:
- Assessing whether individual group entities provide services or carry out activities in a relevant sector: This can be complex, not only because of the number of entities and business models that may need to be assessed in larger multinational groups, but also because the sub-sectors listed in Annexes I and II of NIS2 are not always specified precisely enough.
- In addition, gold-plating by EU Member States may result in additional compliance efforts for companies (ie deviations in scope and specific requirements may require an individual assessment for each Member State).
- Where national NIS2 implementation laws require audits of security measures by third parties, the approach to auditing may differ depending on the providers operating in each Member State.
Given that – depending on local Member State implementations – many of the NIS2 obligations must be implemented either this year or at the beginning of next year, companies potentially falling within the scope of NIS2 should assess:
- which of their group entities provide services or carry out activities that could be relevant under NIS2;
- what registration obligations and deadlines apply under the national laws of the EU Member States;
- whether existing governance and security measures must be hardened to fulfil the stringent NIS2 requirements (and any additional national requirements); and
- the extent to which policies, roles and responsibilities need to be adjusted, and whether documentation needs to be produced to evidence appropriate and proportionate technical, operational and organisational measures.