NIS2 (Network and Information Systems Directive)

Part of the EU’s Cybersecurity Strategy, NIS2 repeals and replaces the original NIS Directive which entered into force in 2016 (with Member State implementation by 9 May 2018). Much like its predecessor, it establishes measures for a common level of cybersecurity for critical services and infrastructure across the EU. Member States have until 17 October 2024 to transpose the Directive into national law.

What are the main elements of NIS2?

Recognising the ever-growing threat which cyber-crime poses for the economic and societal stability of the Union, NIS2 aims to harmonise cyber-resilience through the following obligations:

• Effective cybersecurity management - Ensuring appropriate and proportionate cybersecurity risk management measures are in place following an “all-hazards” approach which is proportionate to risk, entity size, the likelihood of a security incident and the severity of economic/social impact were it to happen.
• Supply chain diligence – as part of assessing its own cybersecurity measures, an in-scope organisation must now assess and assure the cybersecurity practices of its supply chain including how cybersecurity obligations are driven by contractual mechanisms.
• Three-stage reporting obligations upon the occurrence of a “significant incident” - the first report required will be an early warning within 24 hours of first awareness followed by a second, more comprehensive notification within 72 hours, and a more detailed report within one month of the initial notification.
• Executive approval and oversight – management bodies must both approve and oversee the implementation of its cybersecurity risk management measures and undertake training. They will be personally liable to any fines which might result from a breach. NIS2 also gives supervisory authorities the power to suspend relevant management functions pending implementation of measures to address any breach.
• Enhanced supervision and enforcement – these can be grouped into powers of audit and inspection, enforcement and temporary suspension of management obligations/ relevant security certifications. Competent Authorities can fine up to EUR10 million/ 2% of total global annual turnover for Essential Entities, and EUR7 million/ 1% for Important Entities.

Who is in scope for NIS2?

There are three criteria determining whether or not an organisation is in scope for NIS2:

1. Entity is a sector listed in Annexes I (Sectors of High Criticality) or II (Other Critical Sectors) (see image below)
2. Entity meets or exceeds the definition of Medium Sized Enterprise or is otherwise in scope regardless of size
3. Entity provides services or carries out activities in the EU

The following table sets out the sector groupings in Annexes I and II.

Essential and Important entities

NIS2 draws a distinction between “Essential” and “Important” entities. As a rule of thumb, organisations falling into one of the entities listed in Annex I will tend to be designated Essential entities and those falling into Annex II will generally be Important entities, however this will depend in part on size of the organisation and the ultimate discretion of Member States to designate an Annex I/II organisation as Essential or Important.

The main distinction will be the extent of enforcement activity to which an in-scope organisation will be subject to. Enforcement will be applied proactively to Essential entities who will also be subject to higher fines. By contrast, enforcement will be reactive with respect to Important entities, generally only kicking in where there has been a breach of NIS2 or a significant incident reported.

For more information regarding NIS2 and how it will affect your business, please contact your usual DLA Piper advisor.