The new version of the Network and Information Systems Directive (NIS2 Directive, "NIS2") came into force on January 16, 2023. The new rules are likely to apply as of October 2024 (see the next steps section below).
Who Should Read This Legal Update
This Legal Update is relevant for Operators of Essential Services falling under the scope of the current Network and Information Systems Directive ("NIS Directive"), such as credit institutions, financial market infrastructures such as operators of trade venues, electricity and transportation undertakings, healthcare providers including hospitals and private clinics, drinking water suppliers and distributors.
This article will also interest companies that may be considered an essential or important entity under NIS2, which broadens the range of sectors currently covered under the NIS Directive. For instance, in addition to the above, NIS2 will also cover certain digital services such as social media platforms and data center services, wastewater and waste management, food including production, processing and distribution, space including operators of ground-based infrastructure that support the provision of space-based services, manufacturing of basic pharmaceuticals and critical medical devices, and postal and courier services.
Direct suppliers or service providers to entities that are in scope of NIS2 (e.g. data storage, managed security services) may find it useful to know that, while they may not be directly subject to NIS2, they should be prepared to undergo due diligence from in-scope NIS2 organizations under the new rules.
Key developments arising from NIS2 include:
- Expanded scope: NIS2 will apply to a wider pool of sectors and entities than currently covered by the NIS Directive, as indicated above.
- Management Liability for Cybersecurity Risk Management: “Management bodies” (in the NIS2 wording) of in-scope entities – including the Board and senior management at C-suite level – must follow cybersecurity training, assess and approve the cybersecurity risk management measures taken by those entities, supervise their implementation and be accountable for non-compliance by the entities with their obligations under NIS2.
- Cybersecurity risk management measures: NIS2 outlines key measures that in-scope entities must take to manage risks posed to the security of those entities' network and information systems when providing their service (e.g., implementing policies, procedures and security measures).
- Supply chain diligence: In-scope entities are required to assess the cybersecurity practices of their relevant suppliers and service providers to mitigate security risks in their supply chain.
- Amended incident response requirements: NIS2 imposes notification obligations in phases, including an initial notification within 24 hours of becoming aware of certain incidents or cyber threats, as well as “intermediate” and “final” reporting obligations.
- Amended fines and penalties: Member States may set out administrative fines of up to EUR 10M or 2% of the total worldwide turnover of an entity for the preceding financial year (whichever is higher) for breaches of NIS2 obligations by in-scope entities.
For a more detailed analysis of the points above, please refer to our legal update from October 2022.
Member States must adopt and publish the measures necessary to comply with NIS2 by 17 October 2024, and apply such measures from 18 October 2024. The NIS Directive will then be replaced by NIS2. Additionally, the EU Commission is to adopt implementing acts setting forth the technical and methodological requirements of the measures to be taken by essential and important entities by 17 October 2024.
At this stage, organizations should:
- Consider whether they fall within the scope of NIS2, directly or indirectly (relevant suppliers or service providers);
- If so, consider which organizational, financial and technical steps will be needed to prepare for compliance; and
- Monitor how NIS2 is implemented in the EU jurisdictions where they operate.
As a next step, in-scope entities are advised to prepare a roadmap for implementation of compliance measures for risk management (including at Board level) and vendor due diligence. Relevant vendors of in-scope entities will need to ensure that effective, documented processes are in place to manage security risks associated with their products and services.