New EU Cybersecurity Directive – NIS2
The new NIS2 Directive will raise the bar for cybersecurity in the EU. The deadline for transposition by Member States is 17 October 2024. Affected organisations should assess their obligations under the new regime and develop a compliance plan to avoid potential sanctions. Our Privacy & Data Security team considers key changes introduced by NIS2.
With the threat of cybersecurity attacks on the rise, including those targeting critical industries and essential infrastructure, the new Network and Information Systems Directive (NIS2) will raise the bar for cybersecurity in the EU. NIS2 must be transposed by Member States on 17 October 2024. It places obligations on Member States and individual organisations in critical sectors. Affected organisations will need to assess their obligations and develop a compliance plan to avoid potential sanctions. These sanctions include administrative fines and personal liability for those in senior management positions regarding certain obligations.
NIS2 essentially functions as an update to the previous NIS Directive (NIS1) which was implemented in 2016. The updates include broadening the scope of cybersecurity regulations to include new industries, organisations and sectors that were not previously captured by NIS1. These include medical devices, pharma, R&D of medicinal products and wholesale food businesses.
The goal of NIS2 is to further enhance the work started by NIS1 to build a high common level of cybersecurity across the EU. The key points of NIS2 include:
- Increased scope: NIS2 casts a wider net than NIS1 encompassing not just critical infrastructure sectors like energy and transportation, but also important sectors like:
- Online marketplaces
- Food production, and
- Certain manufacturers.
Entities regulated under NIS2 are categorised as ‘Essential’ or ‘Important’ depending on factors such as size, industry sector and criticality.
- Notification obligations: NIS2 imposes phased notification obligations for cybersecurity incidents which have a ‘significant impact’ on the provision of an organisation’s services. These notifications must be made to the relevant competent authority or the Computer Security Incident Response Team (CSIRT).
- Cybersecurity risk management measures: Essential and important entities will need to take appropriate and proportional technical, operational, and organisational security measures. These measures aim to manage the risks posed to the systems underpinning their services and to prevent or minimise the impact of incidents on their and others’ services. NIS2 includes a non-exhaustive list of 10 key measures including supply chain security, and human resources security.
- Supervision: The NIS1 concepts of “operators of essential services” and “digital service providers” will be replaced by “Essential” and “Important” entities under NIS2 - in basic terms, these are entities in sectors which are essential for the economy and society. Essential entities will face increased supervision including regular audits, inspections, and information requests from authorities. Important entities will face checks triggered by incidents, related company issues, or random checks.
- Fines and enforcement: NIS2 provides national authorities with a minimum list of enforcement powers for non-compliance. It mandates increased fines and penalties in the event of failure to comply with NIS2:
- Essential entities could face administrative fines of up to €10 million or 2% of total annual worldwide annual turnover, whichever is higher. However, individual EU countries may set the maximums even higher.
- Important entities could face administrative fines up to €7 million, or 1.4% total annual worldwide turnover, whichever is higher.
- Leadership accountability: Senior management can be held liable for failing to have cybersecurity risk management measures in place. These measures will be provided for in national legislation.
Next steps
NIS2 affects more industry sectors, has stricter reporting and supervisory requirements, and carries heavier fines for non-compliance than NIS1. With Member States required to transpose NIS2 by 17 October 2024, organisations should now take steps to consider whether NIS2 applies and, if so, how they plan to prepare for these increased cybersecurity rules.
For more information and expert advice, contact a member of our Privacy & Data Security team.
People also ask
What is NIS2? |
The NIS2 Directive is the EU-wide legislation on cybersecurity. It provides legal measures to boost the overall level of cybersecurity in the EU. NIS2 essentially functions as an update to the previous NIS Directive (NIS1) which was implemented in 2016. The updates include broadening the scope of cybersecurity regulations to include new industries and organisations that were not previously captured by NIS1. |
What organisations are affected by NIS2? |
NIS2 casts a wider net than NIS1 encompassing not just critical infrastructure providers like energy and transportation, but also important sectors like online marketplaces, food production, and certain manufacturers. Entities regulated under NIS2 are categorised as ‘Essential’ or ‘Important’ depending on factors such as size, industry sector and criticality. |
When does NIS2 come into force? |
The deadline for EU Member States to transpose NIS2 into their national laws is 17 October 2024. This means each Member State needs to adapt their own legal systems to reflect the requirements of NIS2. After this date, businesses within those Member States will be subject to national enforcement of NIS2. |
The content of this article is provided for information purposes only and does not constitute legal or other advice.
Share this: