In response to the increasing number of cyberattacks and the acceleration of digital transformation across sectors, the European Union has revised and improved its Network and Information Security (NIS) Directive.
The NIS2 Directive (NIS2), which took effect in January 2023, will now cover a greater scope and target more industries. The deadline for member states to transpose the NIS2 Directive into applicable national law is 17 October 2024. This is a crucial deadline for businesses, as failure to comply with the NIS2 Directive can have severe repercussions, including financial penalties and reputational damage.
- The EU’s NIS2 Directive aims to contribute substantially to a safer digital economy in the European Union and to make compliant organisations more resilient against cyberattacks.
- The NIS2 Directive now incorporates a larger range of sectors and provides guidance for the creation of a compliance roadmap amongst organisations.
The NIS2 Directive contains new and amended business obligations to raise the standard of cybersecurity among EU member states. The directive tightens supervisory measures, streamlines reporting requirements, increases the intensity of imposed security standards, focuses on exchange and collaboration, addresses supply chain security, and introduces enforcement requirements with harmonised sanctions across all member states.
Scope
The NIS2 Directive introduces uniform obligations for organisations operating across eighteen critical sectors. The sectors are divided into two groups:
- “highly critical sectors,” including transport (air, rail, water, road), banking, financial market infrastructure, energy, healthcare (including medical devices), drinking water, wastewater, digital infrastructure, information and communication technology (ICT), public administration, and space; and
- “critical sectors,” including digital providers, manufacturing, postal and courier services, waste management, chemical processing, food, and research.
The NIS2 Directive will apply if an organisation provides services or carries out activities in any EU member state, regardless of whether the organisation is based in the European Union.
Organisations can be labelled as “essential” or “important” under NIS2. The label depends upon the scale of the company and whether it operates in a critical or highly critical sector. Large organisations (250 or more employees or €50 million or more in revenue) or medium organisations (fifty or more employees or €10 million or more in revenue) will be considered within the scope of NIS2. There are a few exceptions, where organisations of any size can be deemed essential, including qualified trust service providers, top-level domain name registries, and DNS service providers. This means some organisations are automatically deemed “essential” if a service interruption would have a major negative impact on society or if they are the only national provider. How enforcement will take place depends on the category into which an organisation falls.
Compliance Monitoring and Risk Management
Compliance monitoring is a key distinction between essential and important entities. Proactive oversight will be applied to essential entities, which will mainly include organisations from highly critical sectors. This will result in the active monitoring of compliance. Important entities, by contrast, will face supervision after an incident has occurred. If insufficient action has been taken and the NIS2 requirements have not been met, important entities can face the same sanctions as essential entities.
Under the NIS2 Directive, every NIS2-eligible organisation—essential or important—must uphold the duty of care in securing network and information systems. The directive includes a set of minimum requirements for the types of measures that providers must follow. This includes creating and updating policies on risk analysis and information system security, focusing on crisis management, and maintaining operations in the case of a significant cyber incident. It will also involve ensuring supply chain security, utilising cryptography and encryption, and creating policies and procedures for determining the effectiveness of risk management methods.
Incident Reporting
The directive provides for a new timeline for reporting incidents.
- Early-stage report. Incidents should be reported to the competent supervisory authority within twenty-four hours of becoming aware of the incident. The report should state whether the incident was caused by an unlawful or malicious act or could have a cross-border impact. Within twenty-four hours of the submission, the reporting entity shall receive a response with initial feedback and guidance on possible mitigation measures, and the supervisory authority may provide technical support.
- Notification. Within seventy-two hours of becoming aware of the incident, the reporting entity must issue a notice that includes an initial assessment of the severity and the impact of the incident. Any indicators of compromise should also be included at this stage.
- Final report. Within one month of the incident notification, a final report is required. It must contain a detailed incident description, the likely cause of the incident, applied and ongoing mitigation measures, and details of any cross-border impact. The requirement to provide a final report aims to improve future risk management and incident handling.
Penalties
A mandatory list of sanctions is included in the directive. These include information requests and access to data, security audits, security scans, and on-site inspections. EU member states may each determine the extent of the action taken. Additionally, administrative fines may be imposed, depending on the circumstances of the case. For essential entities, this includes fines of up to €10 million or at least 2 percent of the total annual global turnover, whichever is higher. For important entities, this includes fines of up to €7 million or at least 1.4 percent of the total annual global turnover, whichever is higher.