The NIS 2 Directive (Directive 2022/2555) on measures for a high common level of cyber security across the EU has now entered into force.
Member states must now incorporate the provisions into their national law by October 2024.
NIS 2 will replace its predecessor – NIS (Directive 2016/1148), which was the first cross-sector cyber security law in the EU.
NIS 2 has been necessary because the speed at which network and information systems have developed into a central feature of everyday life has led to greater interconnectedness, including in cross-border exchanges and, with this, has come an expansion of the cyber threat landscape. The number, magnitude, sophistication, frequency and impact of incidents are increasing, and can impede the pursuit of economic activities in the internal market, generating financial loss, undermining user confidence and causing major damage to the Union’s economy and society. Cyber security preparedness and effectiveness are therefore now more essential than ever to the proper functioning of the internal market; “adapted, coordinated and innovative responses” are required in all member states, says the EU. NIS was not implemented consistently across member states with, for example, some services being categorised as “essential” in some countries but not in others.
Moreover, the EU considers change is necessary for growth. Cyber security is a key enabler for many critical sectors to successfully embrace digital transformation and to fully grasp the economic, social and sustainable benefits of digitalisation.
The UK has confirmed that it will update the Security of Network & Information Systems Regulations 2018 (NIS Regulations) as they apply to the UK, following the EU’s adoption of NIS 2. The UK has a leadership role in cyber security across the world. It is ranked second in the ITU Global Cyber Security Index, in part due to the work of the National Cyber Security Centre, which has been lauded globally for responding to incidents quickly and putting previously classified information into the hands of industry so that companies can defend themselves more effectively. Countries like Canada and Australia have chosen to follow suit and adopt the NCSC model.
To harmonise cyber security requirements and implementation of cyber security measures in different member states the revised directive sets out minimum rules for a regulatory framework and lays down mechanisms for effective co-operation among relevant authorities in each member state. It updates the list of sectors and activities subject to cyber security obligations and provides for remedies and sanctions to ensure enforcement.
The new directive has been aligned with sector-specific legislation, in particular the regulation on digital operational resilience for the financial sector (DORA) and the directive on the resilience of critical entities (CER) to provide legal clarity and ensure coherence between NIS 2 and these.
NIS 2 will apply to public administrations at central and regional level. However, the text clarifies that the directive will not apply to entities carrying out activities such as defence, national security, public security and law enforcement, nor will it apply to the judiciary, parliament and central banks.
Key changes between NIS and NIS 2 are as follows:
- NIS 2 catches a greater number of sectors that are critical for the economy and society. Annex I sets out sectors of high criticality and Annex II sets out other critical sectors (see table).
- The directive introduces a size-cap rule as a general rule for identification of regulated entities, meaning that all medium-sized and large entities operating within the sectors or providing services covered by the directive will fall within its scope.
- NIS 2 introduces governance and accountability obligations for management bodies in relation to cyber security. Member states have to ensure that the management bodies of essential and important entities approve the cyber security risk management measures taken by those entities under Article 21 (see below), oversee their implementation and can be held liable for the entities’ infringements of that Article. This is consistent with the global trend to hold individuals to account for cyber security.
- NIS 2 contains a list of basic technical and organisational measures in Article 21 which must be applied. These include incident handling, business continuity and crisis management measures as well as technical measures such as multi-factor authentication and cryptography, including encryption where appropriate.
- NIS 2 broadens the extraterritorial effect already in place under NIS.
- There is an increased emphasis on security of supply chains and supplier relationships.
- NIS 2 also streamlines the reporting obligations in order to avoid causing over-reporting and creating an excessive burden on the entities covered. However, incidents having a significant impact on in-scope services will have to be reported to the relevant supervisory authorities within 24 hours at the latest – with an intermediate report following upon the request of the supervisory authority and a final report no later than one month after the initial notification. An incident is significant if it has caused or is capable of causing severe operational disruption of the services or financial loss for the entity concerned or has affected or is capable of affecting other natural or legal persons by causing material or non-material damage.
Directors and senior managers within businesses caught by NIS 2 should start preparing to meet the new requirements now. They will be expected to have a comprehensive suite of systems and controls in place to protect their operations. They won’t be able to reduce risk to zero but should be prepared to explain why decisions as to what to prioritise were made. It will also be important to ensure that they have full crisis response plans in place, know where to find them and practise them. Front-loading some of the analysis reduces both the decision-making required during any crisis and the resulting liability.