The NIS2 will provide the framework for cybersecurity risk management measures and reporting obligations in specified sectors, such as energy, transport, health, and digital infrastructure. Furthermore, the NIS2 seeks to harmonise cybersecurity requirements and the implementation of cybersecurity measures in each member state. To this end, the directive establishes minimum rules for the regulatory environment and mechanisms for effective cooperation between the competent authorities in the member states. NIS2 also extends the list of sectors and activities subject to cybersecurity obligations and provides for remedies and sanctions to safeguard implementation. Compared to the previous NIS Directive, the new rules of NIS2 officially establish the European Cyber Crisis Liaison Organisation Network (EU-CyCLONe), which will provide for coordinated management of large-scale cyber security incidents and crises.
Key points of the NIS2 Directive
- Extended personal scope of the NIS2 Directive
- The provisions of the NIS2 apply to all entities that provide services or carry out activities in the EU matching the description of either an "essential" or an "important" entity in a defined list of sectors. (The previous directive distinguished between "essential service providers" and "digital service providers".) These entities are divided into sectors of high criticality (e.g. energy, health, financial market infrastructures) and other critical sectors (e.g. postal and courier services, digital providers, and the production and distribution of chemicals). Important exemptions include size limits, which mean that small and micro businesses are excluded in several cases, and the possibility for member states to exempt specific organisations involved in national security, public security, defence, or law enforcement.
- Reporting obligations
- If a significant event arises, organisations must notify the computer security incident response team (CSIRT) or, where applicable, the competent authority. The affected entity must first send an early warning to the CSIRT or the authority without delay and no later than 24 hours after becoming aware of the event. Without delay, and in any case within 72 hours of becoming aware of the significant event, an incident notification must be submitted containing an initial assessment of the event's severity and impact and, where available, the indicators of compromise. In addition, the NIS2 Directive requires that a final report be submitted within one month of the submission of the incident notification.
- Requiring additional risk management and cybersecurity measures
- Both essential and important entities should implement additional cybersecurity risk-management measures commensurate with the cybersecurity risk, such as risk analysis and information security policies, business continuity (e.g. backup management and disaster recovery) and crisis management, supply chain security (including security concerning the relationships between each entity and its direct suppliers or service providers), ensuring basic 'cyber hygiene' practices and cybersecurity training.
- The additional responsibility of management
- The new Directive increases the cybersecurity responsibilities for management of important and essential entities by requiring them to approve the security measures referred to in the above paragraph and to oversee their implementation. Management may be held liable if the organisation does not comply with cybersecurity requirements set out in the NIS2 Directive (or in the national legislation implementing it).
- Stricter supervision rules
- Under the NIS2 Directive, different supervisory and penalty rules apply to essential and important entities in the event of a cybersecurity breach. Essential entities are subject to fines of EUR 10 million or, if higher, 2% of the total annual worldwide turnover of the undertaking in the previous financial year. Important entities are subject to a maximum administrative fine of EUR 7 million or, if higher, 1.4% of the total annual worldwide turnover of the undertaking in the previous financial year. Essential entities may also be subject to strict supervision, including on-site inspections and off-site supervision; regular and targeted security audits carried out by the authority; and ad hoc audits when justified by a significant event or a fundamental breach of the provisions of the NIS2 Directive. In the case of important entities, however, investigations are only carried out ex post, if the supervisory authority receives evidence, indications, or information that an important entity is suspected of non-compliance with the NIS2 Directive.
- Registration obligations
- Some organisations (including DNS service providers, TLD name registries, entities providing domain name registration services, cloud computing service providers, data centre service providers, content delivery network providers, providers of online marketplaces, online search engines and social media platforms) will be required to provide certain information about themselves to the competent member state authority in order for the European Union Agency for Cybersecurity (ENISA) to establish a register of these entities.
- Strengthened European cooperation
- The NIS2 also establishes the EU-CyCLONe for the coordinated management of large-scale cyber security incidents (i.e. those that significantly affect at least two EU member states or exceed the response capacity of one member state) at the EU level and the regular sharing of information between member states and EU bodies.
The NIS2 Directive was published on 27 December 2022 and will enter into force on 16 January 2023. EU member states have until 17 October 2024 to adopt and publish the provisions necessary to comply with the Directive.
For more information on the new NIS2 Directive, contact your CMS client partner and local CMS experts.
Article co-authored by Daniella Huszár