The European Union's Upgraded NIS2 Cybersecurity Framework

The European Union has replaced its foundational cybersecurity law, the 2016 Network and Information Systems Directive ("NIS"), with the NIS2 Directive (Directive (EU) 2022/2555). This post walks through the notable changes, their implications, and suggested actions for businesses that fall within its scope.

 

Background

The NIS2 Directive entered into force on 16 January 2023, giving Member States a 21-month window to transpose its provisions into national law; the transposition deadline is 17 October 2024. The update is driven by the growing frequency and impact of cyber attacks and by the aim of a more consistent cybersecurity baseline across the Union, after the original NIS Directive was transposed unevenly from one Member State to the next.

 

Key Differences Between NIS and NIS2

Scope of Applicability: NIS2 is considerably broader, now covering sectors such as electronic communications, social networking platforms, food production and distribution, public administration, and more. Managed service providers and managed security service providers are listed as a sector in their own right, and in-scope entities must manage the security of their supply chain, so upstream providers and subcontractors with access to critical systems feel the effect even where they are not directly regulated.

  

Size Consideration: The general rule targets medium and large entities in the listed sectors, i.e. those with at least 50 employees or an annual turnover (and balance sheet total) above €10 million. Certain categories of entity are in scope regardless of size (see "Implications for Businesses" below).

 

Enhanced Cybersecurity Measures: NIS2 mandates a minimum set of risk management measures, including policies on risk analysis and information system security, incident handling, business continuity (backups, disaster recovery) and crisis management, supply chain security, secure acquisition and development of systems including vulnerability handling, cyber hygiene and training, access control and asset management, the use of cryptography and encryption, and multi-factor or continuous authentication where appropriate.

 

Incident Reporting: NIS2 replaces the previous "without undue delay" language of the NIS Directive with a phased timeline. Essential and important entities must submit an early warning to the competent authority or national CSIRT within 24 hours of becoming aware of a significant incident, a fuller incident notification (including an initial severity and impact assessment and any indicators of compromise) within 72 hours of becoming aware, and a final report within one month. An incident is significant when:

  • It has caused, or is capable of causing, severe operational disruption of the entity's services or financial loss for the entity.

  • It has affected, or is capable of affecting, other natural or legal persons by causing considerable material or non-material damage.

Where appropriate, entities must also inform the recipients of their services of significant cyber threats that could affect them; other cyber threats and near misses may be reported to authorities on a voluntary basis.

 

Financial Implications: Administrative fines for essential entities reach at least €10 million or 2% of total worldwide annual turnover, whichever is higher; for important entities the ceiling is at least €7 million or 1.4%. The structure mirrors the lower tier of the GDPR's penalty regime.

 

EU-CyCLONe: The Directive formally establishes the European Cyber Crisis Liaison Organisation Network to coordinate the management of large-scale cybersecurity incidents and crises at the operational level across Member States.

 

Implications for Businesses

Direct Impact on Operators of Essential Services (OES): NIS2 retires the NIS categories of "operators of essential services" and "digital service providers" in favour of "essential" and "important" entities, but organisations regulated under the current NIS Directive remain firmly in scope. This includes credit institutions, electricity and transport undertakings, healthcare providers, drinking water suppliers, and more. In addition, certain entities are covered regardless of their size, including:

  • Entities delivering specific public electronic communication networks or public electronic communication services.

  • Top-level domain (TLD) name registries and providers of domain name system (DNS) services.

  • Entities whose service disruptions could influence public safety, security, or health.

  • Entities whose service interruptions could lead to systemic risks, especially in sectors where such disruptions might result in cross-border effects.

Increased Coverage: The Directive now encompasses a wide range of sectors, from social media platforms and data center services to wastewater management, food processing, space-based services infrastructure, pharmaceutical manufacturing, and postal services.

Supply Chain Implications: Suppliers and service providers that are not themselves in scope should still expect due diligence from in-scope customers, because NIS2 obliges those customers to address supply chain security as part of their risk management. In practice, organisations providing network and information system products or security services to customers in the sectors covered by NIS2 should prepare for detailed questioning about their cybersecurity practices and information security policies. Such questioning may concern individual products or solutions, but also the supplier's general cybersecurity and information security risk management practices.

Management Accountability: The Directive places a greater onus on "management bodies" to approve and oversee cybersecurity risk management measures, to undergo cybersecurity training, and to bear responsibility for non-compliance. Sanctions can include fines and, for essential entities, a temporary prohibition on individuals at CEO or legal representative level from exercising managerial functions. Authorities may also order offending entities to make aspects of their non-compliance public and, in some cases, identify the persons responsible. While NIS2 leaves Member States free to set their own penalty rules in national law, those penalties must be effective, proportionate and dissuasive, and the Directive's recitals explicitly leave room for criminal penalties. Entities within NIS2's scope should therefore closely monitor the national laws that transpose it, particularly their penalty provisions, both criminal and civil.

Enhanced Risk Management and Reporting Obligations: Companies must be proactive in implementing cybersecurity policies, assessing supplier cyber practices, and adhering to phased incident reporting requirements.

Financial Ramifications: Non-compliance can be expensive, with administrative fines of at least €10 million or 2% of worldwide annual turnover (whichever is higher) for essential entities, and at least €7 million or 1.4% for important entities. This is in addition to the wide discretion NIS2 affords Member States to set their own national rules on penalties for infringement of the transposing legislation.

Next Steps for Organizations

Entities should first evaluate whether they fall within NIS2’s scope, either directly or as an associated service provider. Upon confirmation, businesses must then strategize on organizational, financial, and technical measures to ensure compliance. In addition, in-scope organizations should keep an eye on how NIS2 is implemented in the key EU jurisdictions where they operate.

From a cost perspective, the European Commission expects organizations to face a maximum increase of 22% on security spending in the first few years post-NIS2 implementation (a maximum increase of 12% is estimated for organizations that are already under the scope of the current NIS Directive).

Organizations offering information and network security products and/or services should also be prepared for due diligence from in-scope NIS2 organizations. Therefore, those out-of-scope organizations should ensure that effective, documented processes are in place to manage security risks associated with their product/service offering in anticipation of any such due diligence.

The transposition deadline is rapidly approaching. If you have not already started, get busy. National laws implementing NIS2 are due by 17 October 2024, although some Member States are likely to transpose late, so the picture across the Union may not be complete until the end of 2024 at the earliest.


Author: Patrick Miller. Tags: NIS2, Europe.