The European Parliamentary Research Service describes the Network and Information Security (NIS) Directive as the first EU-wide cybersecurity legislation, establishing standardized cybersecurity requirements for entities across the EU. However, this directive suffered from difficulties in implementation and failed to create a uniform and satisfactory level of cybersecurity across member states. In response to these defects and an increase in the number and severity of cyber threats, the European Commission proposed a new directive, NIS2. NIS2 expands the categories of entities which fall within its purview, imposes enhanced obligations on those entities, and establishes a stricter enforcement regime than its predecessor. The NIS2 directive came into force on January 16, 2023, and EU Member States have until October 18, 2024, to implement it in their local laws.
Scope of the NIS2
The NIS2 Directive’s scope of application is primarily determined by the size of an entity and the sector in which it operates. NIS2 then divides covered entities into two tiers: ‘essential’ and ‘important’ entities. The directive details the specific nature of these tiers, including descriptions of the sectors affected, in Articles 2 and 3.
The compliance requirements for both ‘essential’ and ‘important’ entities (outlined in Articles 21-23) are not substantially different; rather, the distinction lies in the nature of compliance monitoring and the scale of the administrative fines which may be imposed for non-compliance. Some notable differences are summarized below:
| | Essential Entities | Important Entities |
|---|---|---|
| Monitoring | Proactive monitoring methods, including random checks. (Article 32) | Reactive monitoring methods; compliance checks only performed after an incident or with reasonable suspicion. (Article 33) |
| Non-compliance Fines | Maximum of 10m EUR or 2% of the preceding financial year’s total worldwide annual turnover of the undertaking to which the essential entity belongs, whichever is higher. (Article 34(4)) | Maximum of 7m EUR or 1.4% of the preceding financial year’s total worldwide annual turnover of the undertaking to which the important entity belongs, whichever is higher. (Article 34(5)) |
Obligations Imposed by NIS2
NIS2 imposes two primary obligations: risk management measures and incident reporting. Article 21 of NIS2 establishes that essential and important entities must implement “appropriate and proportionate technical, operational, and organizational measures” to manage risks to their network and information systems. These measures must at minimum include:
- Risk analysis and information system security policies
- A plan for handling security incidents
- Business continuity and crisis management planning, such as up-to-date backups
- Attention to supply chain security, including the relationships between the entity and its direct suppliers or service providers
- Security measures in information systems procurement, development and maintenance, including vulnerability handling and reporting policies
- Training in cybersecurity and basic cyber hygiene
- Procedures for appropriate use of cryptography and encryption
- Human resources security, including policies for data access control
- Use of multi-factor authentication or continuous authentication solutions, secure voice, video and text communications, and secure internal emergency communication, where appropriate
- Procedures for evaluating the effectiveness of these and other cybersecurity measures
NIS2 establishes a 3-stage approach for reporting cybersecurity incidents to a competent supervisory authority, summarized below:
| Type | Timeframe | Content |
|---|---|---|
| Early Warning | <24 hours after becoming aware of the incident | Description of the incident, and any suspicion that it was caused by illegal/malicious acts, or might have a cross-border impact. |
| Incident Notification | <72 hours after becoming aware of the incident | Updates to prior information, and an assessment of the incident including its severity, impact, and any indicators of compromise. |
| Final Report | <1 month after submission of the incident notification | Detailed description of the incident, including severity and impact, the type of threat or root cause, the mitigation measures applied, and (where applicable) its cross-border impact. |
Competent supervisory authorities may also require entities subject to NIS2 to inform the public about a significant cyber threat or security incident, especially when public awareness is necessary to prevent said threat or address the incident.
Penalties for Violations
In addition to the administrative fines, NIS2 grants member states discretion to employ a broad range of penalties for noncompliance, provided said penalties are “effective, proportionate and dissuasive” (Opening (130-133)). Notably, Article 20 of NIS2 stipulates that senior management bodies assume responsibility for compliance, and that they may be held directly and personally liable for violations. Penalties levied against senior management might range from fines to a temporary ban on exercising their managerial functions, to criminal penalties.
Preparation for NIS2
NIS2’s extended scope relative to NIS means that several entities will be subject to significant cybersecurity standards for the first time. The European Commission’s impact assessment estimates that entities subject to the NIS framework for the first time may need to increase their cybersecurity spending by up to 22%, or 12% for those already subject to the NIS Directive. While the impact assessment suggests that this would be offset by the reduced cost of avoided security incidents, this is not insignificant, nor is it easily introduced in a last-minute rush. With the deadline under a year away, entities operating in the EU should promptly examine whether they fall within its scope, evaluate their present cybersecurity measures, and form a concrete plan of how to amend them for compliance.
The impact of this directive is unlikely to be restricted to the EU, as many entities, including those in the affected sectors, operate internationally. Because it may be challenging for a multinational entity to impose conflicting information security measures in each of its geographically disparate branches, some entities will likely prefer to adopt many of the measures NIS2 demands across the board. Given the possibility of direct personal liability, senior management at these entities will likely also err on the side of caution when faced with grey-area issues, such as reporting standards for breaches that have unclear geographic origin and impact. This could have knock-on effects even for US entities which do not operate in the EU: several state laws demand “appropriate” or “reasonable” cybersecurity procedures, and increasingly broad adoption of measures stipulated by NIS2 could influence how that is interpreted. This may not be a bad thing—it could lead to a higher overall degree of cybersecurity readiness than the US’ current patchwork of state laws demands—but it will require attention.