On 16 January 2023, the Directive on measures for a high common level of cybersecurity across the Union (“NIS2”) entered into force.
NIS2 replaces the Directive on Security of Network and Information Systems (“NIS Directive”) and introduces a number of changes, including bringing more sectors and services under the scope of the NIS rules and introducing an updated (and more stringent) regime of security obligations and incident notice requirements.
Summary of key changes
- Extended scope – Under the previous NIS Directive, the obligations that applied to an entity depended on its qualification as an ‘operator of essential services’ (“OES”) or ‘digital service provider’ (“DSP”). NIS2 replaces this categorisation with ‘essential’ entities and ‘important’ entities – based on the sector and size of the operators. NIS2 significantly expands the sectors and types of entities falling under its scope. Essential and important entities include, for example, providers of public electronic communications networks and services, data centre services, cloud computing service providers, wastewater and waste management, manufacturing of critical products, food producers and distributors, social networking services platforms, postal and courier services and public administration entities, as well as additional entities in the healthcare sector, including, for example, research and development of medicine and the manufacture of pharmaceutical products. In contrast to the previous regime, both essential and important entities are subject to the same set of obligations.
- Cybersecurity risk management – As with the previous NIS Directive, entities that fall under the scope of NIS2 have to take appropriate and proportionate technical and organisational measures to manage cybersecurity risks and prevent and minimise the impact of potential incidents. In addition, NIS2 includes a list of security measures that entities must, as a minimum, implement. These include incident handling and crisis management, vulnerability handling and disclosure, policies and procedures to assess the effectiveness of cybersecurity risk management measures, basic computer hygiene practices and cybersecurity training, the effective use of cryptography, and human resource security, access control policies and asset management. Management bodies of essential and important entities will have to approve these cybersecurity risk management measures, supervise their implementation and be liable for non-compliance by the entity. To that end, management will need to follow specific and regular cybersecurity training.
- Risk and incident management and cooperation – Whereas under the NIS Directive only DSPs had to notify incidents “with a substantial impact”, under NIS2 both essential and important entities have to notify the competent authorities or the Computer Security Incident Response Teams (CSIRT) of incidents “having a significant impact on the provision of their services”. To comply with these notification obligations, essential and important entities must submit to the CSIRT or the competent authority:
  - without undue delay, and in any event within 24 hours of becoming aware of the significant incident, an early warning, indicating whether the significant incident is suspected of being caused by unlawful or malicious acts or could have a cross-border impact;
  - without undue delay, and in any event within 72 hours of becoming aware of the significant incident, an incident notification with an initial assessment of the significant incident, including its severity and impact, as well as the indicators of compromise; and
  - no later than one month after the submission of the incident notification, a final report, including a detailed description of the incident, its severity and impact, the type of threat or root cause that is likely to have triggered the incident, applied and ongoing mitigation measures and, where applicable, the cross-border impact of the incident.
Whereas the NIS Directive allowed the competent authority or CSIRT in certain instances to inform the public of an incident, NIS2 contains an obligation for the essential or important entity to notify, without undue delay, the recipients of their services of significant incidents that are “likely to adversely affect the provision of those services”. Member States may also require essential and important entities to use particular ICT products, ICT services and ICT processes that are certified under European cybersecurity certification schemes (adopted pursuant to the EU Cybersecurity Act of 2019).
- Enforcement – NIS2 establishes a minimum list of administrative sanctions for breach of the cybersecurity risk management and reporting obligations. These sanctions include binding instructions, orders to implement the recommendations of a security audit, orders to bring security measures in line with NIS2 requirements, and administrative fines. In relation to administrative fines, NIS2 distinguishes between essential and important entities, requiring Member States to give authorities the ability to impose the following administrative fines:
  - For essential entities, of at least up to €10 million or 2% of the worldwide annual turnover.
  - For important entities, of at least up to €7 million or 1.4% of the worldwide annual turnover.
NIS2 also introduces provisions on the liability of natural persons holding senior management positions in the in-scope entities.
Generally, essential and important entities will fall under the jurisdiction of the Member State in which they are established, or, in the case of providers of public electronic communications networks or services, the jurisdiction of the Member State where they provide the services. Certain types of entities, including cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, as well as providers of online marketplaces, online search engines and social networking platforms, are under the jurisdiction of the Member State in which they have their main establishment. If not established in the European Union, these entities must appoint an EU representative in a Member State where the services are offered.
Member States have 21 months to transpose NIS2 into national law.
Organisations should start preparing for Member State implementation of NIS2 and assess whether any services or activities will now be subject to the obligations set out in NIS2. In-scope entities should conduct a thorough assessment of the new security, risk management and incident response requirements to identify potential compliance gaps. This may include ensuring that new security controls and incident response obligations are flowed down through supply chains.
For further information, please get in touch with your usual DLA Piper contact.