Network and Information Security: a dive into the new EU NIS 2 Directive

In an era when it is no longer a question of ‘if’ a cyber-attack will occur but a question of ‘when’, it has become increasingly important for businesses to be proactive rather than reactive when it comes to cybersecurity.

The Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the European Union, known as the NIS 2 Directive, has been introduced with the aim of strengthening cybersecurity in the European Union (EU), obliging businesses to prioritise the prevention, detection, monitoring and mitigation of network security breaches in an active manner. The NIS 2 Directive will replace the NIS Directive (EU) 2016/1148 (the NIS1), widening the pool of entities falling into its scope and capturing various essential and important entities. EU Member States must transpose the NIS 2 Directive into national law by 17 October 2024.

Which entities are caught by the NIS 2 Directive

Subject to certain exceptions, to fall within the scope of the NIS 2 Directive an entity must:

  1. be classified as an “essential” or “important” entity operating in a “critical” or “very critical” sector, a list of which can be found in Annex I and Annex II of the NIS 2 Directive and briefly illustrated in the graphic below; and

  2. qualify as a medium-sized enterprise (i.e. have more than 50 employees and an annual turnover greater than €10 million) or exceed such ceilings; and

  3. provide its services or carry out its activities within the EU, irrespective of its place of establishment.

Small and micro-enterprises (i.e. having fewer than 50 employees and an annual turnover of less than €7 million (or a balance sheet total of less than €5 million)) are not caught by these obligations, unless they have a key role in society, the economy or for particular sectors or types of service falling within the scope of the NIS 2 Directive.

Whether an entity is an “essential” or “important” entity depends on its size and whether it falls under a critical or a very critical sector. Important entities may be medium-sized enterprises with fewer than 250 employees and an annual turnover of up to €50 million (or balance sheet total of up to €43 million) operating in critical sectors whereas essential entities may be large enterprises exceeding the ceilings for medium-sized enterprises and operating in very critical sectors.

However, some entities are automatically caught by the NIS 2 Directive, regardless of their size, if they have key roles in society, such as public communications networks and services, trust service providers, and top-level domain name and domain name registration service providers. While both important and essential entities must comply with the same security measures, essential entities will be under proactive supervision by competent authorities, whereas important entities will only be monitored after an incident of non-compliance is reported.

Entities established outside the EU that fall within the scope of the NIS 2 Directive

It should be noted that entities which are not established within the EU and fall within the scope of application of the NIS 2 Directive shall designate a representative in the EU, allowing competent authorities to address them directly. The representative shall be established in one of the EU Member States where the services are offered.

Among the entities falling under this regulatory requirement are DNS service providers, TLD name registries, entities providing domain name registration services, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, as well as providers of online marketplaces, of online search engines or of social networking services platforms.

The sectors regulated are illustrated below:

Obligations

At the core of the NIS 2 Directive is the obligation for all in-scope entities, essential or important, to take appropriate and proportionate operational and organisational measures to manage cybersecurity risks, taking into account various factors, such as the likelihood of incidents and their severity as well as their societal and economic impact.

The NIS 2 Directive adopts an “all-hazards approach” designed to protect network and information systems and their physical environment, which shall include at least the following:

  1. policies on risk analysis and information system security;

  2. incident handling;

  3. business continuity, such as backup management and disaster recovery, and crisis management;

  4. supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers;

  5. security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure;

  6. policies and procedures to assess the effectiveness of cybersecurity risk-management measures;

  7. basic cyber hygiene practices and cybersecurity training;

  8. policies and procedures regarding the use of cryptography and, where appropriate, encryption;

  9. human resources security, access control policies and asset management; and

  10. the use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate.

Further, the NIS 2 Directive introduces new strict reporting obligations, mandating the notification to competent authorities within specified timelines of any significant incidents. Significant incidents are those that have caused or are capable of causing severe operational disruption of the services or financial loss for the entity concerned and they have affected or are capable of affecting other natural or legal persons by causing considerable material or non-material damage.

Notification timeline

  • Early warning: within 24 hours of becoming aware of a significant incident, entities are obliged to report to competent authorities. This is an early warning indicating whether the significant incident is suspected of being caused by unlawful or malicious acts or could have a cross-border impact.

  • Incident notification: within 72 hours of becoming aware of the significant incident, entities must proceed with an incident notification to the competent authority, updating the information given during the early warning and indicating an initial assessment of the significant incident including its severity, impact and indicators of compromise.

  • Final report: within one month after the submission of the incident notification, entities shall provide a final and detailed report to the competent authority.

  • Progress report for ongoing incidents: in the event that the significant incident is ongoing at the time of submission of the final report, affected entities shall provide a progress report at that time and a final report within one month of their handling of the significant incident.

Enforcement, administrative fines and liability

The NIS 2 Directive notes that competent authorities will have the power to carry out on-site inspections, off-site supervision, random checks, security audits and security scans, to request entities to provide certain information and access to data and evidence, to issue warnings, adopt binding instructions, designate monitoring officers and many more.

High administrative fines may be imposed on those that do not comply with the NIS 2 Directive. Competent authorities will take into consideration various factors when imposing such fines, such as the seriousness of the infringement, repeated violations, the duration of the infringement, previous infringements etc. Fines for essential entities can be up to €10 million or 2% of their total worldwide annual turnover, whichever is higher, and for important entities up to €7 million or 1.4% of their annual worldwide turnover, whichever is higher.

It is noteworthy that management bodies of such entities, which are responsible for approving the cybersecurity risk-management measures taken by those entities and are required to undergo training, as well as the representatives designated by certain entities not established within the EU, can be held personally liable for infringements of the NIS 2 Directive.

Steps to consider to ensure compliance

  • First and foremost, identify whether your organisation falls within the scope of the NIS 2 Directive;

  • Consider if your current cybersecurity processes, policies and procedures need to be amended to cover the requirements introduced;

  • Review your agreements with your sub-contractors to ensure supply chain security; and

  • Train the management body and the employees in your organisation on their upcoming obligations.

More information

For further information about the NIS 2 Directive and how it can affect your business, please contact Aptus Legal by clicking here or send an email to info@aptuslegal.com.
