Add a bookmark to get started

Abstract white building
8 October 20246 minute read

The NIS2 Directive – Will it affect insurance companies?

What is the NIS2 Directive?

On 14 December 2022, the European Parliament and Council finally adopted the NIS2 Directive. The NIS2 Directive aims at ensuring greater uniformity in the level of cybersecurity in the EU and is the evolution of the previous Directive (EU) 2016/1148 (the NIS1 Directive), which was incorporated into Italian law without substantial changes by Legislative Decree No. 65/2018.

Along with the Digital Operational Resilience Act (DORA), the NIS2 Directive represents a groundbreaking regulation in the cybersecurity framework. It imposes considerable obligations on the entities falling within its scope, seeking to enhance the overall cybersecurity posture of specific industries while facilitating greater regulatory clarity and compliance efficiency.

The transposition of the NIS2 Directive by each EU member state is scheduled for completion by 17 October 2024. But so far only a few EU member states have enacted national measures to implement the NIS2 Directive. In Italy, the Parliament has delegated the implementation of the NIS2 Directive to the Italian government through the European Delegation Law No. 15/2024. As of today, there are no updates on the adoption of the legislative decree that is supposed to transpose the NIS2 Directive before the deadline. But the NIS2 Directive already outlines numerous obligations that companies should consider.

 

Who does the NIS2 Directive apply to?

Entities, whether public or private, should consider three criteria assess whether they fall within the scope of application of the NIS2 Directive:

  • Sectorial requirement: Whether the entity provides its services or engages in activities in one or more of the economic sectors set out by the annexes to the Directive.
  • Dimensional requirement: Whether the entity qualifies as a medium-sized or large enterprise pursuant to article 2 of the Annex to Recommendation 2003/361/EC.
  • Territorial requirement: Whether the entity provides its services or engages in activities in the EU.

These criteria should be understood as cumulative with respect to medium-sized and large companies, except for specific cases where the applicability of the NIS2 Directive is triggered regardless of the company size (for instance for public administrations or when the disruption of the service provided by the relevant entity could have a significant impact on public safety, public security or public health).

With specific reference to the sectorial requirement, the NIS2 Directive distinguishes between entities in "sector of high criticality" including:

  • energy
  • transportation (by air, water, rail and road)
  • banking and financial markets (in particular, financial markets’ infrastructures)
  • health
  • drinking water and wastewater
  • digital infrastructure
  • ICT service management (in a B2B context)
  • public administrations
  • the space sector

and "other critical sectors" including:

  • postal and courier services
  • waste management
  • chemical manufacturing and distribution
  • food production, processing and distribution (ie food businesses engaged in wholesale distribution and industrial production and processing)
  • manufacturing (with specific reference to medical devices, computers, and electronic products)
  • digital service providers (with specific reference to providers of online marketplaces, online search engines and social network platforms)
  • research

The broad scope of the NIS2 Directive significantly increases the number of entities subject to its cybersecurity obligations compared to previous laws.

 

What obligations does the NIS2 Directive introduce?

The NIS2 Directive introduces specific requirements in terms of technical, operational and organizational measures. Although entities have to balance these measures depending on the activities they actually carry out and their cybersecurity exposure, there are minimum measures that have to be implemented.

 

Governance obligations

Entities have to adopt an internal governance structure capable of responding to cyber threats. In this context, management bodies are responsible for approving and overseeing the implementation of cybersecurity risk-management measures, making them directly accountable for any infringements. This approach emphasizes that management bodies have to be not only informed about cybersecurity issues, but they play a crucial role in ensuring the company's overall security, so they need specific training.

 

Cybersecurity risk-management measures

Entities also have to implement internal policies to both guarantee and demonstrate their capacity to withstand cyber threats.

Key policies include:

  • policies on risk analysis and information system security
  • incident handling policies
  • business continuity plans, such as backup management and disaster recovery, and crisis management
  • supply chain security provisions
  • policies and procedures to assess the effectiveness of cybersecurity risk-management measures
  • policies and procedures regarding the use of cryptography and, where appropriate, encryption

 

Reporting obligations

Finally, entities have to assess their incident handling mechanisms to ensure they meet the stringent requirements set out by the NIS2 Directive. Although the NIS1 Directive already introduced notification requirements for IT incidents affecting service continuity and delivery, the NIS2 Directive requires entities to notify the Computer Security Incident Response Team (CSIRT) and competent authorities without delay of any incident that may have a significant impact on service delivery. Additionally, entities must notify service recipients, when appropriate, indicating measures they can take in response to attacks.

The Directive specifies a 24-hour deadline for sending an "early warning" after knowledge of the incident, followed by a detailed analysis notification within 72 hours.

 

The impact of the NIS2 Directive on the insurance sector

The stringent requirements outlined in the NIS2 Directive, which might be further reinforced by the local implementation in certain EU member states, don't directly apply to insurance companies (which are already affected by the DORA implementation).

But these requirements offer a clearer picture in terms of cybersecurity risk profile concerning cyber policies. In fact, a stronger cybersecurity framework – aligned with the compliance obligations introduced by the most recent legislation – might mean entities are less exposed to significant claims, becoming more insurable against cyber threats.

While adopting a more secure cyber structure doesn't eliminate the risk of cyber-attacks, it addresses the increased frequency of such attacks, particularly in the sectors highlighted by the NIS2 Directive.

If the relevant entities are more exposed to cyber threats, the introduction of new regulatory provisions can mitigate these risks, enhancing the insurability of the affected companies.

While 17 October may appear to be in the distant future, it is fast approaching. Therefore, companies have to adopt a NIS2 compliance strategy. Insurance companies should also prepare to assess the new cyber structures of the relevant companies applying for (or renewing) cyber policies.

Print