NIS2 directive – what does it mean for you?

The EU’s Network and Information Security Directive (NIS2) is finally set to come into law, meaning organisations across the union (and beyond if they operate in the EU) will need to grapple with new obligations around cybersecurity and understand what it means for them.

Aiming to address some deficiencies in the original NIS that came into force in 2018, the new directive intends to strengthen cybersecurity across essential and important sectors, including healthcare, energy, transportation, and digital infrastructure.

EU member states have until 17th October 2024 to put NIS2 into law. It is, therefore, crucial for organisations affected by the directive to fully understand the new requirements and be prepared to comply with them.

Who does it apply to?

NIS2 applies to two broad categories of organisations operating in the EU:

1. Essential entities – those that provide critical services, namely energy, transport, banking, healthcare, digital infrastructure and public administration.
2. Important entities – those that, while not necessarily critical, play a large role in society and the economy such as waste management, digital service providers, food services etc.

It is also worth noting that the directive targets medium and large-sized companies operating in these sectors (the threshold for being considered ‘medium-sized’ is relatively low, applying to companies with a minimum headcount of 50) and excluding small or ‘micro’ entities unless they play a critical role in the supply chain.

For some organisations, it is straightforward whether the law applies to them or not. However, for many there is a degree of ambiguity around whether they are subject to NIS2 requirements – certainly, the directive does leave room for interpretation, with grey areas and opportunities for local variances in terms of what member states consider ‘essential’ or ‘important’.

In our experience at Reliance Cyber, some of our clients have chosen to adhere to NIS2 despite the lack of clarity around whether the directive applies to them. This decision can be driven by a number of factors, including;

• concerns over whether regulators might apply NIS2 to them in future even though it doesn’t necessarily seem to be applicable
• pressure from customers particularly where competitors have chosen to attest to NIS2 compliance
• or even the ease of demonstrating NIS2 compliance given it can be neatly mapped into other security standards and frameworks such as ISO 27001.

If the new directive applies, what do you need to do?

Organisations subject to NIS2 have an obligation to implement some comprehensive technical and organisational cybersecurity controls, notably:

• adopting a risk management framework;
• introducing a process for incident management;
• reporting significant cyber incidents within 24 hours, provide detailed updates within 72 hours, and submit a final incident report within one month;
• cooperating with regulators in the event of a breach;
• ensuring company-wide use of encryption technology and multi-factor authentication;
• having maintaining policies for identifying and evaluating vulnerabilities;
• putting in place procedures for evaluating the effectiveness of security measures – namely, an audit program but also some element of metrics;
• maintaining continuity and recovery plans to respond to emergencies;
• ensuring supply chain security; and,
• conducting regular training for staff.

Failure to meet these obligations can result in significant financial penalties and other enforcement actions.

How will this be enforced?

The big remaining question is how regulators will look to enforce the requirements of NIS2. Regulatory authorities will be given some significant powers as a result of the directive, including:

• The right to conduct inspections;
• The ability to issue fines (Competent authorities can impose administrative fines, the maximum fine for essential entities is €10 million or 2% of their worldwide annual turnover, whichever is greater and or important entities, the maximum fine is €7 million or 1.4% of their worldwide annual turnover, whichever is greater.)
• The power to suspend authorisations or certifications;
• The right to make infringements public;
• The ability to issue injunctions to stop ‘infringing behaviour’; and,
• The power to hold management liable, even down to holding C-Suite members personally accountable in cases of gross negligence following an incident.

However, how these powers will actually be applied by member states is far from certain. It is worth noting that NIS2 is a “directive”, a legislative act that sets out a goal that EU countries must achieve. Critically, it is up to the individual countries to devise their own laws on how to reach these goals.

The consequence of this is that member states have an element of discretion about how to apply the contents of the directive in national law. This is very evident in the EU General Data Protection Regulation (GDPR) where, though all member states are working to the same common goal, there are differences around age of consent, requirements to appoint a Data Privacy Officer, employee data, imposition of fines, data transfer rules, rules around special category data, journalistic and academic exceptions and legal basis for processing.

Many of these differences are relatively subtle and critically do not undermine the overall objective of the GDPR- despite their existence-though organisations do need to take careful notice of them to avoid falling foul of regulators. Given NIS2 is more nascent, it will consequently take some time (and considerable analysis) to understand exactly how local regulators will enforce the directive.

This is an area to monitor closely, as we will only gain full understanding of how individual regulators within the EU will implement NIS2 once further guidance is released and enforcement actions begin.