The European Union’s Second Network and Information Systems Directive (“NIS2”) entered into force on 16 January 2023, and replaces the NIS 1 Directive. NIS2 aims to “improve the resilience and incident response capacities of both the public and private sector and the EU as a whole”. In addition to the EU’s NIS2 update, the UK has also recently expanded its Network and Information Systems Regulations, and further details can be found in our blog here. The revised directive aims to remove divergences in cybersecurity requirements and in implementation of cybersecurity measures in different member states. To achieve this, it sets out minimum rules for a regulatory framework and lays down mechanisms for effective cooperation among relevant authorities in each member state. It updates the list of sectors and activities subject to cybersecurity obligations, and provides for remedies and sanctions to ensure enforcement.
NIS2 focuses on efforts to prevent, respond and mitigate potential cyber-attacks. NIS2 applies to a wide range of sectors, which have been expanded from NIS1. Certain sectors are deemed to be of ‘high criticality’, including banking and financial markets, digital infrastructure/B2B ICT, drinking water, sewage, energy, health provision/ labs/R&D/pharma manufacturing/medical devices critical to a public health emergency (such as the recent Covid pandemic), public administration, space, and transport. A further list of ‘other critical sectors’ includes postal and courier services, waste management, chemicals, food production/processing/distribution, the manufacturing of medical devices and diagnostic devices among other types of equipment, digital service providers and research organisations. Organisations operating in the defence, national security, public security, and law enforcement industries are expressly excluded.
NIS2 harmonizes the identification of regulated entities across the EU member states by introducing a new size-cap rule, meaning that NIS2 applies to any medium- and large-organisations operating within the regulated sectors. Organisations providing public electronic communications networks, trust service providers and domain name registration services fall within the scope of NIS2 regardless of the size of the organisation.
Article 21 obliges organisations to take appropriate and proportionate measures to manage the risks posed to the security of their network and information systems, and prevent or minimise the impact of incidents on their customers and on other services. The level of security must be appropriate to the risk posed, taking account of (i) the exposure to risks, (ii) the entity’s size, (iii) the likelihood of occurrence of incidents and their severity (including their societal and economic impact) based on an “all-hazards approach” aimed at protecting the organisation’s network and information systems and their physical environments from incidents.
Essential measures include, at a minimum, the following measures:
(a) policies on risk analysis and information system security;
(b) incident handling;
(c) business continuity, such as backup management and disaster recovery, and crisis management;
(d) supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers;
(e) security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure;
(f) policies and procedures to assess the effectiveness of cybersecurity risk-management measures;
(g) basic cyber hygiene practices and cybersecurity training;
(h) policies and procedures regarding the use of cryptography and, where appropriate, encryption;
(i) human resources security, access control policies and asset management;
(j) the use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate.
The European Commission will publish further technical and methodological specifications for appropriate measures in specific sectors (including providers of online marketplaces, search engines, and social networking services) by 17 October 2024.
Article 22 requires organisations to notify its CSIRT of any incident that has a significant impact on the provision of its services. An early warning must be submitted without undue delay and in any event within 24 hours of becoming aware of the significant incident. This should be followed by an incident notification, setting out an initial assessment of the incident, without undue delay and within 72 hours. In some circumstances, customers must also be notified of significant incidents that are likely to adversely affect the provision of their services, and be informed of any measures they may take in response.
NIS2 Reporting, ENISA and EU Member States
Most recently, the European Union Agency for Cybersecurity (“ENISA”) published a report, Developing National Vulnerabilities Programmes (“CVD”). The report includes information on existing CVD programmes, in light of the NIS2 objective of implementing a coordinated EU CVD across the EU member states as well addressing other proposed EU legislation, such as the proposed Cyber Resilience Act. NIS2 requires member states to develop a CVD policy by 17 October 2024, and ENISA will work with the NIS Cooperation Group to develop CVD guidelines.
In addition, NIS2 includes a framework for cooperation between member state authorities in relation to coordinating management of significant cross-border cybersecurity incidents and crises by establishing the European Cyber Crises Liaison Organization Network (EU CyCLONe).
Sting in the NIS2 tail
NIS2 applies both to organisations located in the EU as well as organisations that are based outside the EU but that offer services within the EU. For organisations outside the EU, they must appoint a representative in one of the EU Member States where services are offered. Organisations with presence in multiple EU member states, the location of their main establishment will determine which member state jurisdiction they fall under. Where organisations subject to NIS2 breach member state implementing legislation of NIS2 (due to be enacted by 17 October 2024), by failing to enact the security measures or not reporting a national CSIRT authority, an essential organisation could be fined a maximum €10m Euro or 2% of the global annual turnover and important entities a maximum €7m Euro or 1.4% of the global annual turnover. Breaches of NIS2 also expose senior managers to personal liability.
NIS2 must be transposed into EU member state national law by 17 October 2024. Member States must also establish a list of essential and important entities by 17 April 2025. ENISA must create and maintain a register of entities subject to NIS2 based on the lists created by the member states. There is a lot of administrative work that needs to be undertaken by ENISA, the NIS Cooperation Group, member state CSIRTs, the EU-CyCLONe in addition to legislative processes of the member states. This gives organisations subject to NIS2 time to assess whether they at least have in place the minimum security measures listed in Article 21 in place on an ‘all hazards’ basis. Organisations should assess whether to appoint a representative or whether they have a main establishment in the EU, which may be difficult to do for large federated organisations with multiple EU locations.