The NIS Directive (EU 2016/1148) was the first piece of EU-wide legislation on cybersecurity.

Now it’s expanded revision, the NIS2 Directive (NIS2D), has finally been adopted and from publication in the Official Journal, Member States will have 21 months to transpose it into national law. It is therefore expected to enter into force sometime in 2024.

But what differs in NIS2D and how does it affect organisations?

Background

The NIS2D is a response to the ever-growing cyber-attack landscape within the EU and worldwide. It aims to ensure a high, common level of cybersecurity across the EU. The NIS2D updates and expands the scope of the pre-existing framework (the NIS Directive) to include medium and large businesses from more critical sectors (e.g. manufacturing of critical products (including medical device manufacturers), postal and courier services, public administration, digital services). The NIS2D will also put cybersecurity and breach reporting obligations on operators of essential services and digital service providers (e.g. online marketplaces, search engines and cloud services).

Key Changes

• Broader Scope: it will apply to a broader scope of sectors and entities (excluding micro and small enterprises). The following sectors will be under the scope of the NIS2D:

o Essential Entities: energy; transport; banking; financial markets infrastructure; health; drinking water and wastewater; digital infrastructure; public administration; space.

o Important Entities: postal and courier services; waste management; the manufacture, production and distribution of chemicals; food production, processing and distribution; manufacturing; digital providers (such as providers of online marketplaces, online search engines and social networking services platforms).

• Management body oversight and accountability: it will impose direct obligations on “management bodies” concerning implementation and supervision of their organisation’s compliance with the legislation, leading to potential fines and temporary suspensions from discharging managerial functions including at C-Suite level. Notably, NIS2D specifically provides that C-Suite must follow “specific trainings, on a regular basis, to gain sufficient knowledge and skills in order to apprehend and assess cybersecurity risks and management practices and their impact on the operations of the entity”. It also grants wide supervisory powers of access and audit to the competent authority for entities that fall under the scope of NIS2D.
• Cyber Risk management measures: it requires entities subject to NIS2D to implement cyber risk management measures that are “appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems which those entities use in the provision of their services.” NIS2D lists the measures which should be taken by entities, such as security policies, incident handling, business continuity and crisis management, supply chain security, policies and procedures to test effectiveness of cyber risk management procedures and the use of cryptography and encryption.
• Amended incident reporting requirements: NIS2D imposes notification obligations in phases, including an initial notification within 24 hours of becoming aware of any incidents having a significant impact on the provision of the company’s services or any significant cyber threat that those entities identify that could have potentially resulted in a significant incident (previously the NIS Directive only required without “undue delay”) followed by “intermediate” and “final” reporting obligations. It is unclear at this point who the competent authority in Ireland will be for such notifications, but it will likely be CSIRT-IE.
• Fines and penalties: Member States are granted discretion to set out effective, proportionate and dissuasive penalties for breaches of NIS2D, as well as administrative fines for certain breaches of up to EUR 10M or 2% of total worldwide turnover (whichever is higher).
• GDPR and NIS2D: where the competent authority under NIS2D becomes aware of an infringement by an entity of its obligations under Article 18 (risk management measures) or Article 20 (reporting obligations) of NIS2D which entails a personal data breach, the competent authority shall notify the Data Protection Commissioner within a reasonable time.

Actions for C-Suite and Next Steps

• At this stage, organisations should consider the scope of NIS2D and whether their businesses fall within that scope. Notably organisations that fall within the scope of the NIS2D must notify the European Union Agency for Cybersecurity (ENISA) within 12 months of the entry into force of NIS2D, of their name and main established and up to date contact details.
• If an organisation concludes that it is within the scope of NIS2D, it  will need to conduct a fulsome review of its technical and organisational measures to ensure compliance with NIS2D.
• Organisations should also ensure they have proper breach reporting measures in place to ensure they can comply with the short notification window if and when a breach occurs.
• In addition, in-scope organisations should keep an eye on how NIS2D is implemented in the key EU jurisdictions where they operate to see if there are any derogations from the Directive.
• C-Suite should ensure they have the requisite training as required under NIS2D.