NIS2 - an upgrade of EU cybersecurity?
Kris Somers, CIPP/E, CIPM
27 December 2022 saw the publication in the Official Journal of the EU of Directive 2022/2555 on measures for a high common level of cybersecurity across the Union (NIS 2). The NIS 2 Directive enters into force on 16 January 2023 and effectively repeals and replaces its 2016 predecessor as of 18 October 2024. By that date, the EU Member States are to have transposed its provisions into national law.
Faced with the exponential increase of cybersecurity threats in both the private and public sector over the past decade, NIS 2 requires the Member States to adopt national cybersecurity strategies, sets out rules and obligations on cybersecurity information sharing and generally aims to provide more legal certainty and coherence by clarifying the relationship between NIS 2 and the fast-proliferating sector-specific cybersecurity legislation.
How does NIS 2 differ from its predecessor, the 2016 NIS Directive? It is fair to say the new Directive constitutes both an update and an upgrade.
First of all, NIS 2 no longer maintains the distinction made by its predecessor between operators of essential services and digital service providers. It replaces that outdated categorization with a new watershed that distinguishes between essential entities and important entities. In doing so, NIS 2 significantly enlarges the material scope of the original NIS Directive: it covers medium and large entities from more sectors, based on their criticality for the economy and society. Whether an organization qualifies as an 'essential' or 'important' entity depends inter alia on the sector in which it is active and on its size. In that regard, essential sectors notably cover the energy, transport, financial, health, drinking water and digital infrastructure sectors as well as public administrations. 'Important sectors' include the postal and courier services, waste management, manufacturing, chemicals and food sectors.
EU Member States will have to lay down cybersecurity risk management and reporting obligations for qualifying entities.
As to risk management, NIS 2 expects both essential and important entities to up their game by introducing (if they have not done so already) effective incident response and crisis management, cybersecurity testing, encryption, and vulnerability handling and disclosure. An element of proportionality is reflected by the consideration that the exact nature of the measures to be taken should take into account the actual exposure of the entity to cybersecurity risks and the potential detrimental effects of an incident. Importantly, not unlike the treatment of technical and organizational measures pursuant to GDPR, cost considerations and state of the art (including standardization) are factored in.
Moreover, while important entities are only subject to an ex post supervisory regime (i.e., supervisory authorities will only supervise these entities if there are indications that they infringe NIS 2), essential entities are subject to both ex ante and ex post supervision (specifically, they are required to document measures taken to comply with cybersecurity risk management measures and may be subject to audits on that basis).
In case a cybersecurity incident occurs, affected companies have 24 hours after first becoming aware of an incident to submit an initial report. Within 72 hours of becoming aware of the incident, they can update the submitted information with an incident notification. A final report should then be submitted no later than one month after the incident notification. Member States are encouraged to set up a single point of notification of security incidents. It is to be hoped that a synergy will be created with the reporting obligations relating to personal data breaches in this respect, with a possible dual role to be played by the data protection authorities. As cybersecurity extends beyond the effects of an actual incident, NIS 2 also promotes reporting of cyber threats that have not (yet) materialized and so-called near misses.
NIS 2 includes a wide array of administrative sanctions that apply when an eligible entity breaches its cybersecurity risk management or reporting obligations. These include imposing binding instructions, a temporary suspension of an authentication or certification to conduct certain activities, a temporary prohibition to exercise certain managerial functions at CEO or legal representative level, an order to implement the recommendations of a security audit, etc. In addition, essential entities may be subjected to an administrative fine of up to the higher amount of 10 million euro or 2% of the total worldwide turnover of the undertaking. For important entities the maximum fine is the higher of 7 million euro or 1.4% of the global annual turnover. Last but not least, NIS 2 introduces the possibility for company management to be held accountable for compliance with cybersecurity risk management measures.
All in all, NIS 2 strengthens the resolve of the EU to establish effective cybersecurity as a cornerstone of its Digital Single Market strategy.
NIS 2 is not the only legislative initiative in this area: a Cyber Resilience Act and specific legislation for cybersecurity in the financial sector are also in the works. Moreover, the interplay of NIS 2 with other core tenets of Europe's Digital Decade (including GDPR, but also the recently adopted DMA and DSA and the forthcoming AI Act) will require further close scrutiny.