NIS2 Directive: Are You Ready for the New EU Cybersecurity Regulations? | World Briefings
3 September, 2024 - 4:57AM

The Network and Information Security Directive 2 (NIS2, Directive (EU) 2022/2555) is the European Union's updated cybersecurity legislation, adopted to raise the common level of cybersecurity across the EU with a focus on critical infrastructure and essential services. NIS2 replaces the original NIS Directive of 2016 (Directive (EU) 2016/1148) and modernises the legal framework to keep pace with increased digitisation and an evolving threat landscape. It is the EU's most comprehensive cybersecurity legislation to date: it broadens the range of sectors and entities in scope, imposes a baseline of risk-management measures (including supply chain security and secure development and vulnerability handling), and introduces stricter incident-reporting obligations and penalties for non-compliance.

The objective of the NIS2 Directive is to set out measures to achieve a high common level of cybersecurity across the EU. It expands the scope of cybersecurity requirements to include both “essential” and “important” entities in various sectors, including energy, transport, banking, health, digital infrastructure, and others. The NIS2 Directive introduces size-based thresholds for its applicability and imposes substantial fines for non-compliance.

Who Does NIS2 Apply To?

The NIS2 Directive applies to a public or private entity that (1) falls within any of the industry sectors listed in Annex I (Sectors of High Criticality) or Annex II (Other Critical Sectors) of the Directive, (2) provides its services or carries out its activities within the European Union, and (3) is at least a medium-sized enterprise within the meaning of European Commission Recommendation 2003/361/EC of May 6, 2003 concerning the definition of micro, small and medium-sized enterprises (broadly, 50 or more employees, or an annual turnover and balance sheet total exceeding EUR 10 million).

If an entity is subject to the NIS2 Directive, it will have differing responsibilities depending on whether it is classified as an “essential” entity or an “important” entity. Essential entities are subject to a comprehensive ex ante and ex post supervisory regime, while important entities are subject to a light, ex post only, supervisory regime.

It is important to note that entities with subsidiaries may need to take into account the number of employees and annual turnover of their subsidiaries for the purposes of assessing medium or large enterprise criteria.

Moreover, some entities fall under the NIS2 Directive regardless of their number of employees or annual revenue, because disruption of their services could have significant adverse effects on European citizens. Under Article 2 of the Directive, they include:

  • Providers of public electronic communications networks or of publicly available electronic communications services, trust service providers, and top-level domain name registries and DNS service providers.
  • Entities that are the sole provider in a Member State of a service essential for the maintenance of critical societal or economic activities, or whose disruption could significantly affect public safety, public security or public health, or induce a systemic risk.
  • Entities that are critical because of their specific importance at national or regional level, public administration entities of central government, and entities identified as critical entities under the Critical Entities Resilience Directive (Directive (EU) 2022/2557), such as operators of electricity grids and transport systems.

As all Member States are required to transpose the NIS2 Directive into their national legislation by October 17, 2024, businesses should check whether the Member States in which they operate have broadened the scope of the Directive to capture additional sectors or smaller companies, which the Directive expressly allows.

In addition, certain entities that are not established in the EU but provide their services within the EU must designate a representative in a Member State (similar to the requirements of the GDPR, Digital Services Act, etc.). This obligation applies to DNS service providers, TLD name registries, entities providing domain name registration services, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, and providers of online marketplaces, online search engines and social networking platforms. The Member State in which the representative is established will be deemed to be the Member State in which the entity is subject to jurisdiction. In the absence of a representative, any Member State in which the entity provides its services may take legal action against the entity if it violates the NIS2 Directive.

Key Measures for Compliance

Entities falling within the scope of the NIS2 Directive will be required to implement at least the following key measures:

  • Cybersecurity Risk Management: Conduct a thorough risk assessment of their network and information systems, identifying and analysing threats and vulnerabilities, and implement appropriate and proportionate measures to manage those risks. The Directive requires an "all-hazards" approach covering both the physical environment and the systems themselves.
  • Incident Reporting: Establish systems for promptly detecting, reporting, and responding to cyber incidents. This includes submitting an early warning to the competent authority or CSIRT within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours, and a final report within one month of the incident notification.
  • Security Measures: Implement appropriate technical, operational and organisational measures to protect their network and information systems. Article 21 of the Directive lists the minimum set: policies on risk analysis and information system security; incident handling; business continuity, including backup management, disaster recovery and crisis management; supply chain security; security in the acquisition, development and maintenance of systems, including vulnerability handling and disclosure; procedures to assess the effectiveness of the measures; basic cyber hygiene and training; policies on cryptography and encryption; human resources security, access control and asset management; and the use of multi-factor or continuous authentication and secured communications.
  • Cybersecurity Training: Ensure that relevant personnel receive appropriate cybersecurity training to understand their roles and responsibilities in implementing and maintaining these measures.

Management bodies are tasked with approving the cybersecurity risk management measures adopted by their entities and overseeing their implementation, and can be held liable for infringements of the above obligations by the entity. In addition, management bodies are required to follow cybersecurity training themselves, and to encourage the entity to offer similar training to its employees, or face the significant liability discussed below.

Leveraging International Standards

While the NIS2 Directive does not prescribe specific standards for implementing its risk management measures, it does encourage Member States to adopt European and international standards and technical specifications to ensure a harmonised implementation. For instance, Belgium, with Luxembourg likely to follow, has referenced ISO/IEC 27001 certification (alongside its national CyberFundamentals framework) in its law transposing the NIS2 Directive, offering entities with such certification a presumption of conformity. Beyond ISO standards, frameworks such as the NIST Cybersecurity Framework or CMMC could also be instrumental for US-based entities mapping their existing controls to the NIS2 requirements.

Reporting Requirements

Essential and important entities must promptly inform the national competent authority or CSIRT of any significant incident. The Directive defines an incident as an event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data, or of the services offered by, or accessible via, network and information systems. An incident is significant if it has caused or is capable of causing severe operational disruption or financial loss for the entity, or has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage. Additionally, entities are required, where appropriate, to notify the recipients of their services without undue delay of significant incidents likely to affect service delivery, and of significant cyber threats, together with any measures or remedies the recipients can take in response. For example, a chemical manufacturer (an Annex II sector) hit by a significant cyber incident must notify both the relevant authority and its affected customers.

Reporting proceeds in stages. An early warning must be submitted within 24 hours of becoming aware of the incident, indicating whether it is suspected to be caused by unlawful or malicious acts and whether it could have a cross-border impact. An incident notification must follow within 72 hours, updating the early warning with an initial assessment of severity and impact and, where available, indicators of compromise. The competent authority or CSIRT may request intermediate status updates at any time. A final report is due within one month of the incident notification, covering a detailed description of the incident, the likely root cause, the mitigation measures applied and any cross-border impact; if the incident is still ongoing at that point, a progress report is submitted instead and the final report within one month of the incident being handled.

Registration with Competent Authorities

Member States must compile a list of essential and important entities by April 17, 2025, and national laws set deadlines for entities to submit their registration details (name, address, contact details, sector and the Member States in which they operate). DNS service providers, TLD name registries, entities providing domain name registration services, cloud, data centre, content delivery network, managed service and managed security service providers, and providers of online marketplaces, search engines and social networking platforms must submit this information by January 17, 2025, for inclusion in a registry maintained by ENISA. Once registered, essential entities are subject to proactive (ex ante) supervision, including regular audits and inspections of their cybersecurity measures, while important entities are only supervised after the fact (ex post). The competent authorities may, at any time, require an important entity to provide evidence of compliance.

It is important to note that Member States may provide for a higher level of cybersecurity when implementing the NIS2 Directive into national law, so companies need to be careful and review the laws applicable in the countries where they provide services.

Enforcement and Penalties

Each Member State must designate one or more competent national authorities responsible for supervising and enforcing the Directive, ensuring that entities comply with their cybersecurity obligations, and one or more Computer Security Incident Response Teams (CSIRTs) responsible for incident handling and for coordinating the response to cybersecurity incidents. This oversight is crucial for maintaining a high level of cybersecurity across the nation and for protecting the integrity of essential and important services.

The enforcement measures range from issuing simple warnings to mandating remediation actions or requiring the public disclosure of violations of law.

Entities that fail to meet their cybersecurity risk management or incident reporting requirements may face administrative fines. For important entities, fines can reach up to 7 million euros or 1.4 percent of their total worldwide annual turnover in the preceding financial year, whichever is higher. Essential entities could be fined up to 10 million euros or 2 percent of their total worldwide annual turnover, whichever is higher.

Concerning the accountability of management bodies, the Directive provides that the natural persons responsible for an entity, or acting as its legal representative, can be held personally liable for the entity's failure to comply with its NIS2 obligations, highlighting the significance of personal responsibility in cases of non-compliance. For essential entities, the Directive also allows the competent authority, where an entity fails to comply with its orders within the set deadline, to request that any natural person discharging managerial responsibilities at chief executive officer or legal representative level be temporarily prohibited from exercising managerial functions in that entity, and several Member States have carried this suspension power into their transposing laws.

Preparing for the Future of Cybersecurity

Businesses today require increased vigilance regarding cybersecurity because of the rise of diverse threat actors, such as competitors, ideologues (hacktivists), terrorists, cybercriminals, and nation-state actors, each presenting a considerable threat to the security and integrity of the business.

It is essential for entities to determine whether they are subject to the NIS2 Directive, and if so, to assess their obligations under it, which should include, among other things, a thorough gap analysis of their existing security measures against the Article 21 baseline. Such an analysis is pivotal for the entity to adopt and enhance the necessary controls so that it complies with the NIS2 Directive by October 18, 2024, the date from which the national measures apply. Although the required investment in cybersecurity may be significant, its cost will likely be far less than the financial and reputational damage incurred from a cyber incident.

Entities must shift their mindset from questioning if a cyber incident will occur to preparing for when it inevitably happens.

Shifting from Compliance to a Proactive Cybersecurity Strategy

The NIS2 Directive, like many regulations before it, offers a minimum standard for cybersecurity. Companies that seek to truly protect their businesses must go beyond compliance and adopt a proactive approach to cybersecurity. This includes:

  • Investing in Technology: Implementing advanced security tools like endpoint detection and response (EDR), intrusion detection systems (IDS), and security information and event management (SIEM) can help identify and respond to threats more effectively.
  • Building a Strong Security Culture: Educating employees about cybersecurity threats and best practices, fostering a culture of security awareness, and encouraging them to report suspicious activities can significantly enhance an organization’s overall security posture.
  • Partnering with Experts: Engaging experienced cybersecurity professionals can provide valuable insights into industry best practices, help organizations assess their security risks, and develop tailored security strategies.

Conclusion

The NIS2 Directive represents a significant step forward in the EU’s efforts to create a more secure digital environment. By adhering to the new regulations, companies can protect themselves against evolving cyber threats and contribute to a safer digital landscape for all. However, true security requires a proactive approach, going beyond compliance and building a comprehensive cybersecurity strategy that safeguards business operations and customer data.

The deadline for NIS2 compliance is rapidly approaching. Businesses need to start taking action now to ensure they are fully prepared.

Diego Fernandez

Technology Editor