Network and information systems have developed into a central feature of everyday life with the speedy digital transformation and interconnectedness of society, including in cross-border exchanges. That development has led to an expansion of the cyber threat landscape, bringing about new challenges, which require adapted, coordinated and innovative responses in all Member States.
The number, magnitude, sophistication, frequency and impact of incidents are increasing, and present a major threat to the functioning of network and information systems. As a result, incidents can impede the pursuit of economic activities in the internal market, generate financial loss, undermine user confidence and cause major damage to the Union’s economy and society. Cybersecurity preparedness and effectiveness are therefore now more essential than ever to the proper functioning of the internal market. Moreover, cybersecurity is a key enabler for many critical sectors to successfully embrace the digital transformation and to fully grasp the economic, social and sustainable benefits of digitalisation.
It is difficult to find a better expression of the crucial role that network and information systems have to play in the continued socio-economic prosperity of the EU, and the challenges that presents, than that contained in Recital 3 of the Directive on measures for a high common level of cybersecurity across the Union ("NIS 2 Directive"). Against that backdrop, it should come as no surprise that putting in place measures to ensure the ongoing efficacy and resilience of those systems forms a key part of the EU's digital strategy.
On 28 November 2022, the Council of the European Union formally adopted the NIS 2 Directive, which is designed to do just that. It was published in the Official Journal of the European Union on 27 December 2022, and entered into force on 16 January 2023.
Member States now have 21 months – i.e. until 17 October 2024 – to transpose the Directive into national legislation. The majority of obligations imposed on organisations will come into force when the implementing legislation becomes effective in the relevant Member State.
The aim of the NIS 2 Directive is to enhance the overall level of cybersecurity in the EU. In so doing, it will replace and repeal the existing Network and Information Systems Directive (EU) 2016/1148 ("NIS 1 Directive"), which, whilst generally considered successful, was recognised to have some practical limitations. For more information on the NIS 1 Directive, please see our previous briefing note here.
This article considers the key features of the NIS 2 Directive, and outlines what organisations need to start doing now to ensure that they are compliant when the Directive comes into force in each relevant Member State. It is worth stressing upfront that compliance with all of the requirements in the NIS 2 Directive will be a time-consuming and costly exercise, and will require a considerable amount of organisational buy-in at all levels (not least because management themselves have strict obligations under the Directive). As such, delaying engaging with these requirements is not recommended, especially for those organisations who were not previously subject to the NIS 1 Directive and for whom much of this covers new ground.
For more information on the new NIS 2 Directive, including whether your organisation will be subject and, if so, the steps that you and your organisation will need to take in order to become compliant, please contact one of the authors of this article or your regular Fieldfisher contact.
1. Overview of key changes
The NIS 2 Directive reflects a considerable broadening of scope versus the NIS 1 Directive, as follows:
- it brings a large number of new industry sectors (and therefore, new types of entities) within scope of the obligations – including e.g. wastewater, waste management, space, postal and courier services, chemicals, food, manufacturing and public administration;
- it imposes direct obligations on management in respect of an organisation's compliance with the NIS 2 Directive, and onerous penalties where those are not complied with;
- it details cyber risk management measures that all covered organisations are required to put in place;
- it acknowledges the importance of security at all levels in supply chains and supplier relationships;
- it clarifies and strengthens incident reporting requirements;
- it provides supervisory authorities with a greater ability to supervise companies; and
- it increases the sanctions for non-compliance.
Whilst the NIS 2 Directive imposes a range of obligations on both Member States and organisations, in this article we focus on the obligations imposed on organisations, and specifically consider the level of compliance uplift that will be required for organisations who were not previously subject to the NIS 1 Directive.
2. Key steps
Identify whether your organisation is caught (and if so, whether you are an essential or important entity)
Companies must determine whether they will be caught by the NIS 2 Directive and, if so, whether they are likely to be deemed important or essential entities. This is important, as different requirements attach to each of those categories of entities.
Map out the requirements that will apply to your organisation
Organisations that are subject to the Directive will need to review the obligations contained in the NIS 2 Directive – in particular in relation to cyber risk management and incident reporting – and consider what changes need to be made to existing practices. Organisations will need to be mindful that different requirements may apply within different Member States, and also that the requirements in the NIS 2 Directive may be supplemented by requirements in other sector-specific regulation.
Conduct an audit of your existing processes to identify the gaps that will need to be plugged
Many sophisticated organisations (and especially those that were already subject to the NIS 1 Directive) will already have processes in place to ensure cyber resilience. However, these may not adhere to the strict new requirements under the NIS 2 Directive. As such, organisations should conduct a gap analysis between what is currently in place and what is now required, to properly understand the scope of change required.
Budget for the time and financial costs of implementing necessary changes
Organisations should expect significant costs associated with complying with the new requirements. According to the EU, companies which were already subject to the NIS 1 Directive should expect an increase of up to 12% in their ICT spend for the years immediately following the implementation of the NIS 2 Directive. For companies which were not subject to the NIS 1 Directive, the estimate is 22%.
Review contractual arrangements with your supply chain
The NIS 2 Directive requires organisations to consider the cyber resilience not only of their organisation, but also of their suppliers. To prepare for these requirements, entities should start thinking now about the changes they may need to make to their existing supply / customer contracts, and to amendments that may be desirable to their template suite to ensure appropriate protections are in place for future engagements.
Train, train and train!
Compliance with the requirements in the NIS 2 Directive will require staff at all levels in organisations to be cyber-aware, from management down. Now is the time, if not already, to start training your staff on their obligations.
3. A broadened scope
3.1 More industry sectors and subsectors will be caught
Subject to certain limited exceptions, the NIS 2 Directive applies to all entities which: (i) provide their services or carry out their activities in the EU; (ii) meet or exceed the thresholds to qualify as a medium-sized enterprise (i.e. that employ more than 50 employees and have an annual turnover and/or annual balance sheet total exceeding EUR 10 million); and (iii) operate in one of the sectors listed in the Annexes of the Directive (see below).
The NIS 2 Directive covers all of the sectors previously caught under NIS 1, but also applies to entities operating in a number of additional sectors, such as: food production, processing and distribution; manufacturing; postal and courier services; chemicals; waste water and waste management; space; research; ICT service management; and public administration. These sectors are set out in the Annexes of the Directive.
Within each of these broad industry sectors, the NIS 2 Directive specifies the relevant subsectors which are within scope. Whilst some of these subsectors were previously caught within the scope of the NIS 1 Directive, others are entirely new (e.g. in the energy sector, the district heating and cooling and hydrogen subsectors have been added). For more detail on the sectors and subsectors that are within scope of the NIS 2 Directive, please refer to Annexes 1 and 2 of the NIS 2 Directive.
This has resulted in a considerable increase in the remit of the Directive. Indeed, an early estimate by the Belgian Centre for Cybersecurity (CCB) suggested that there would be a twenty- to forty-fold increase in the number of entities in scope under NIS 2 versus under NIS 1.
3.2 Different obligations for "Essential Entities" and "Important Entities"
Within the entities falling under its scope, the NIS 2 Directive distinguishes between "essential entities" and "important entities", a distinction which reflects the extent to which those entities are critical as regards their sector or the type of service they provide, as well as their size. This distinction is important, as different regimes under the Directive apply to "essential entities" and "important entities" (see below).
Unfortunately, in some cases it is not that easy to identify whether a particular organisation will constitute an essential or an important entity, not least because defining essential entities is in some instances left to individual Member States (albeit that they must follow criteria set out in the NIS 2 Directive in making their determination). An assessment will need to be undertaken on a case-by-case basis to establish whether your organisation is an essential or an important entity.
3.3 Which Member State law will apply to you?
As mentioned above, it is now over to the EU Member States to implement the NIS 2 Directive into their local laws. Given the potential for some variance in the means of implementation, not to mention the differing judicial approaches in different Member States, understanding which Member State laws will apply to your organisation will be important.
Generally speaking, entities will fall under the jurisdiction of the Member State(s) where they have an establishment. This means that organisations with establishments in multiple Member States will have to abide by the laws implemented in each of those jurisdictions. Given that the NIS 2 Directive affords Member States the scope to enact more stringent cybersecurity obligations into their national laws than those contained in the Directive (provided that such provisions are consistent with the minimum level of compliance required under the Directive), multinational organisations in particular may face a significant exercise to ensure compliance with multiple, potentially slightly different, frameworks.
The NIS 2 Directive sets out a staged approach to determine in which Member State an organisation's main establishment lies:
- in the first instance, the main establishment should be considered to be in the Member State where the decisions related to the cybersecurity risk-management measures are predominantly taken (often the place where the entity's central administration is located);
- if such a Member State cannot be determined, or if such decisions are not taken in the EU, the main establishment should be considered to be in the Member State where cybersecurity operations are carried out; and
- if such a Member State cannot be determined, the main establishment should be considered to be in the Member State where the entity has the establishment with the highest number of employees in the EU.
Where the services are carried out by a group of undertakings, the main establishment of the controlling undertaking should be considered to be the main establishment of the group of undertakings.
Importantly, however, for certain digital service providers (e.g. DNS service providers, TLD name registries, cloud computing providers, data centre providers, content delivery network providers, online marketplaces, online search engines, or social networking service platforms) a one-stop-shop regime has been introduced. This means that an entity operating in those sectors will only be subject to the rules of the country where its main establishment is located. In addition, providers of public electronic communications networks or providers of publicly available electronic communications services should be considered to fall under the jurisdiction of the Member State in which they provide their services.
In order to facilitate this one-stop-shop mechanism, such organisations will be required to provide information about themselves to the competent Member State authority in order for ENISA to establish a register of these entities.
Organisations that are not established in the EU but that offer services within it must designate a representative in one of the Member States where the organisation has an establishment. Such an organisation shall be considered to fall under the jurisdiction of the Member State where the representative is established. In the absence of a designated representative within the European Union, any EU Member State in which the entity provides services may take enforcement action against the entity for non-compliance with its obligations under the NIS 2 Directive.
4. Management responsibility under the NIS 2 Directive
Under the NIS 2 Directive, management bodies of essential and important entities are required to explicitly approve and oversee the implementation of the risk management measures required under the Directive (see below). In addition, members of those management bodies will have to undertake cybersecurity training, in order that they gain sufficient knowledge and skills to enable them to identify risks and assess cybersecurity risk-management practices and their impact on the services provided by the entity.
In imposing direct obligations on management, the NIS 2 Directive elevates the issue of cyber resilience out of the technology departments and into the C-Suite. To the extent it was not already on management's radar, the cyber preparedness of entities caught by the Directive is now firmly within their remit.
To ensure that management take their responsibilities seriously, under the NIS 2 Directive they may be held personally liable if their organisation does not comply with its obligations. In addition, for essential entities, competent authorities can in some circumstances even impose a temporary prohibition on the exercise of managerial functions by any natural person discharging managerial responsibilities at chief executive officer or legal representative level.
5. Expanded cybersecurity risk management measures
The principal tool by which the NIS 2 Directive aims to increase the level of security maintained by essential and important entities is the imposition of additional cybersecurity risk management measures on those organisations. Entities that were already subject to the NIS 1 Directive, or to other sector-specific regulations, may already have some of these in place; however, for entities operating in the newly added sectors, much of this will be new.
All organisations (i.e. both essential and important entities) will be subject to the same cybersecurity risk management requirements and incident reporting obligations under the NIS 2 Directive. However, as with much European legislation, the NIS 2 Directive imports a proportionality test, such that the way in which these obligations are met will differ according to an entity’s risk exposure, importance and size.
All entities must conduct a risk analysis covering both the likelihood and the impact of incidents. Based on this, they must implement appropriate technical and organisational measures commensurate to the identified risk posed to the relevant information system, taking into account, inter alia: the relevant entity's exposure to such risk and the potential detrimental effects of an incident, the state of the art, the costs of implementation and, where relevant, the existence of European and international standards.
Accordingly, organisations are required to implement at least the following key measures: risk analysis and information system security policies; incident handling protocols; business continuity plans; supply chain and network security measures; cybersecurity testing; auditing procedures; cybersecurity training; HR security, access control policies and asset management; and, where appropriate, the use of multi-factor authentication and encryption.
By 17 October 2024, the EU Commission will adopt implementing acts which further harmonise and specify the technical and methodological requirements for various entities that often operate cross-border (e.g. DNS service providers, cloud computing service providers, data centre service providers, content delivery network providers, providers of online marketplaces, of online search engines and of social networking services platforms, and trust service providers). In addition, it may also lay down such implementing acts in relation to other essential and important entities, as it deems necessary.
6. Supply chain diligence
As anyone who works in this space will be aware, security generally (and information security specifically) is only as good as the weakest link in the chain. It is no good locking all of your doors and turning the alarm on if you have given one of your suppliers the key (and they lose it). In acknowledgment of the fact that increasing the levels of cybersecurity resilience relies on good cyber preparedness and resilience throughout the supply chain, under the NIS 2 Directive, essential and important entities are also required to assess the security of the suppliers and service providers in their direct supply chain.
More specifically, organisations must assess the vulnerabilities specific to each direct supplier and service provider, as well as the overall quality of the products and the cybersecurity practices of their suppliers and service providers. On this basis, they must flow down their security standards to their suppliers and service providers, taking into account both technical and non-technical risk factors. Practically speaking, entities will have to perform third-party security assessments and incorporate appropriate security requirements in their third-party contracts.
To prepare for these requirements, regulated entities should start thinking now about the changes they may need to make to their existing supply/customer contracts, and about amendments that may be desirable to their template suite to ensure appropriate protections are in place for future engagements. In our experience, identifying, negotiating and settling such changes is a time-consuming exercise, and one which should commence sooner rather than later.
7. Incident reporting
The reporting of information security incidents will be front of mind for many organisations, ever since the GDPR imposed strict obligations to report breaches within tight timeframes.
Under the NIS 1 Directive, organisations are required to notify, without undue delay, any incident having a ‘substantial impact’ on the provision of the essential services they provide. Such notification should include information enabling the relevant competent authority or the Computer Security Incident Response Team to determine any cross-border impact of the incident.
The incident reporting obligations under NIS 2 have been streamlined, with more precise obligations regarding the reporting process, the contents of the notifications, and the timeline within which incidents must be reported.
Under the NIS 2 Directive, organisations are required to notify any incident (i.e. an event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems) that has a significant impact on the provision of their services. An incident is considered significant if it:
- has caused or is capable of causing severe operational disruption of the services or financial loss for the entity concerned; or
- has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage.
The approach to the reporting of significant incidents is three-staged:
- within 24 hours (note – not only business hours) after first becoming aware of an incident, affected companies have to submit a so-called 'early warning' – i.e. an initial report containing some basic information about the incident (e.g. whether the incident is suspected of being caused unlawfully or maliciously and whether it is likely to have a cross-border impact);
- within 72 hours after first becoming aware of the incident, organisations should update the early warning with a more comprehensive incident notification; and
- a final detailed report should be submitted no later than one month after the incident notification.
The NIS 2 Directive establishes a minimum list of administrative sanctions that apply when an entity breaches its cybersecurity risk management or reporting obligations. These sanctions include issuing warnings and imposing binding instructions, a temporary suspension of an authorisation or certification to conduct certain activities, a temporary prohibition on the exercise of certain managerial functions at CEO or legal representative level, an order to implement the recommendations of a security audit, an order to inform users of a significant cyber threat, etc. From a reputational perspective, it is also worth noting that the NIS 2 Directive allows Member States to demand that organisations which violate the Directive make a public announcement that not only acknowledges the violation of NIS 2 but also identifies the person(s) responsible for the violation.
To ensure an ability to comply with these tight requirements, organisations should start to review their internal incident response plans and incident management procedures, and should consider whether they have sufficient resources and contingency in place to meet the stipulated timeframes.
8. How will the NIS 2 Directive be enforced?
8.1 Accountability and supervision
The level of supervision under the NIS 2 Directive will depend on whether your organisation is an essential entity or an important entity.
Essential entities will be subject to an elaborate ex ante and ex post supervisory regime, whereby they are required to systematically document the measures taken to comply with the cybersecurity risk management requirements. This ex ante supervision may consist of strict audits, including on-site inspections and off-site supervision; regular and targeted security audits carried out by the relevant supervisory authority; and ad hoc audits when justified by a significant event or a fundamental breach of the provisions of the NIS 2 Directive.
Important entities on the other hand are only subject to an ex post supervisory regime: i.e. supervisory authorities will only conduct investigations into these entities if there are indications (evidence or information) that they have infringed their obligations under the Directive.
In addition, essential entities can be hit with an administrative fine of up to the higher of EUR 10 million or 2% of the total worldwide annual turnover of the undertaking for breaching their cybersecurity risk management measures and/or cybersecurity incident reporting obligations.
For important entities, the maximum fine for such breaches is the higher of EUR 7 million or 1.4% of global annual turnover.
Furthermore, the Directive introduces the possibility for company management to be held accountable for compliance with cybersecurity risk-management measures.
9. The wider legislative landscape
Finally, it is also important to note that the obligations contained within the NIS 2 Directive need to be read alongside other similar obligations that may apply to organisations operating in specific sectors. For example:
- the incident reporting obligations contained within the GDPR (where the incident encompasses personal information);
- certain essential entities will also be subject to the newly introduced Directive on the Resilience of Critical Entities (CER Directive), which entered into force at the same time as the NIS 2 Directive. The aim of the CER Directive is to ensure that critical entities are able to prevent, resist, absorb and recover from non-digital disruptive incidents, such as incidents caused by natural hazards, accidents, terrorism, insider threats, or public health emergencies;
- certain financial institutions must also follow the rules for the protection, detection, containment, recovery and repair of information security incidents contained in the recently implemented Digital Operational Resilience Act (DORA). NIS 2 provides that any overlap with DORA will be addressed by DORA being considered as lex specialis (i.e. a more specific law that will override the more general NIS 2 provisions); and
- the proposed EU Cyber Resilience Act, which imposes cybersecurity requirements and incident reporting obligations on manufacturers, distributors and importers of connected hardware and software. This will complement the objectives of NIS 2 through the impact of its vulnerability disclosure and handling requirements on secure supply chain relationships where connected hardware or software forms part of the network and information systems of essential and important entities.
This article does not consider those other, overlapping requirements any further. However, we would of course be happy to discuss each of those and any other relevant regulatory frameworks with you on a case by case basis, as part of assisting with preparing an overall resilience plan.