Cybercrime is an increasingly pressing problem for societies at large, with digital transformation, remote working and geopolitical issues bringing about increased cyber threats and attacks. In 2016 the European Parliament adopted the Network and Information Security Directive (NISD), the first EU-wide legislation on cybersecurity, and the revised legislation, NIS2, has just been published.
NISD required the implementation of certain risk management and reporting obligations on operators of essential services (OES), which included entities maintaining critical energy, health and transport infrastructure (among other sectors), and digital services providers (DSP) (certain providers of online marketplaces, online search engines and cloud computing services). However, implementation was inconsistent across Member States, and in practice few incidents were reported. In 2020, the European Commission proposed to introduce a new and updated version of the directive, which was published on 27 December 2022 and entered into force on 16 January 2023 (“NIS2”). The new directive seeks to address perceived flaws in the previous version, protect essential and important organisations and infrastructure from cyber threats and attacks, and achieve a high level of common security across the EU. National implementation of NIS2 must take place by 17 October 2024.
The Commission explained that the new version of the directive will ‘facilitate secure, robust and appropriate information sharing’, which in turn will help organisations defend their information systems against threats such as phishing, malware and unauthorised access. Further, it is hoped that the updated directive will strengthen security requirements, address the security of supply chains, streamline reporting obligations and introduce more stringent supervisory measures and stricter enforcement requirements, including harmonised sanctions across the EU (although it should be noted that NIS2 is, again, a directive and not a regulation).
What’s different about NIS2?
1. Expanded Scope
NIS2 applies to a broader scope of sectors and services than those caught under the original directive. Where the NISD applied primarily to OES and DSP, NIS2 removes this distinction and instead introduces the broader concept of ‘essential’ and ‘important’ entities. It also expands the types of organisations that fall within these categories.
Essential entities are those which are essential for societal and economic activities, for example, organisations in the energy, transport, financial and health sectors, and important entities include those in the manufacturing, food production and research sectors. NIS2 adds waste and waste management services, manufacturers of certain critical products (for example, pharmaceuticals, medical devices and chemicals), postal and courier services and digital services (for example, social networking platforms and data centre services) to its scope. In-scope organisations will have to comply with more stringent obligations and address their technical and organisational structure and capabilities in respect of risk management and information system security policies, incident handling (prevention, detection and response to incidents), security in network and information systems, supply chain security, encryption and crisis management, to name a few.
2. Amended incident reporting obligations
Under NISD, organisations were simply required to notify the relevant supervisory authority “without undue delay” upon becoming aware of certain incidents or cyber threats. Anecdotally, not many incidents were reported under NISD. Under NIS2, the notification requirement has been broken down into phases, with an initial notification to the relevant competent authority required within 24 hours of becoming aware of ‘significant’ incidents (i.e. incidents which have a significant impact on the provision of services or could have resulted in such impact). In addition, a final report will need to be prepared by the organisation no later than one month after the initial notification. In practice, for some incidents, the initial notification is likely to be very light indeed and a final report within a month may be difficult.
NIS2 also details precise specifications on the procedure, content and timeframe for reporting a security incident, which should provide welcome clarity.
3. Obligations placed on management boards
Under NIS2, Member States are able to impose fines for breach of cybersecurity risk management and reporting obligations of up to 10 million EUR or 2% of the total global annual turnover of an organisation (whichever is higher). A key change in approach under NIS2 is that the management board of non-compliant organisations can also be held personally liable for failing to ensure compliance with the obligations laid down in the legislation, with fines and a temporary ban from discharging managerial functions noted as potential consequences. There has long been a concern in some quarters that boards and senior management have not understood or sufficiently grappled with cyber risk, although in our experience the last 2-3 years have seen a significant change for the better.
Making senior management accountable for compliance should drive behaviour and lead to enhanced security governance (although whether this happens in practice remains to be seen — imposing personal liability at senior level has not always led to the desired behaviours in other areas, and there is already a significant skills and knowledge gap in cyber more broadly). As such, management boards will have to take a more active role in the supervision and implementation of the measures detailed in the legislation. The new regime is also likely to lead to requests for expanded D&O coverage for certain positions.
4. Supply Chain Security
One of the key changes under NIS2 is the new EU-wide coordinated risk assessment of supply chains, which goes further than that under NISD. NIS2 requires entities to implement cyber risk management measures, including security risk mitigation requirements and third party supplier / service due diligence. Third parties and the supply chain have been a significant source of cyber risk over the last few years, with a number of major global cyber incidents propagating via the supply chain. However, effectively auditing third party cyber risk is challenging. Many audits are paper exercises, and while concepts such as software bills of materials can assist, there is much to be done to develop effective cyber supply chain risk assessment and audit processes.
NIS2 is just one part of a range of recent and upcoming EU legislation which is intended to increase the overall cyber defence and resilience of the EU and of businesses which operate in it. The Cybersecurity Act has recently been passed, and the proposed Cyber Resilience Act is currently going through Member State comments. In the UK, there are proposals to replace NIS as implemented under English law with a UK NIS2, and there have been recent changes to the requirements for telecoms security. There is substantial change coming to cyber legislation across Europe as a whole. While there are attempts at clarity as to how the various pieces of legislation will inter-relate and inter-operate, whether this is achieved in practice remains to be seen. What is clear is that the cyber compliance matrix is going to become even more complex. Identifying which legislation applies to different product and business lines, working out how to achieve compliance with each, and mapping out how to respond to incidents and potential regulatory reporting obligations are going to become an even more important part of good cyber hygiene and readiness for businesses.
(Co-authored with Halima Dikko – Trainee, London)