The EU's NIS2 Directive

The EU’s NIS2 Directive

13 Min Read

What’s this all about?

NIS2 is about cybersecurity.

The NIS2 Directive entered into force on 16 January 2023. The deadline for Member States to transpose this into national law was 17 October 2024. NIS2 measures came into effect and started applying to businesses on 18 October 2024.

The first implementing regulation under NIS2 was also adopted on 17 October 2024. It lays down rules regarding certain technical and methodological requirements regarding certain service providers, and will be published in the Official Journal in due course.

This Directive means more responsibilities for both governments and businesses. It is also important to keep in mind that this Directive uses a minimum harmonisation approach, so while Member States are required to transpose it into national law, Member States are also able to set higher standards for cybersecurity.

What is the NIS2 Directive?

NIS2 stands for the Network and Information Security 2 Directive. NIS2’s full name is Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148.

The first NIS Directive (NIS1) was introduced in 2016 and transposed into national law in 2018. It was the first EU law on cybersecurity and aimed to increase cyber resilience in Member States. Unfortunately, the implementation was largely considered inconsistent and too varied between Member States.

In response, NIS2 seeks to rectify the main areas of inconsistency and provide more specific and defined requirements and applications, while also expanding the scope of the Directive, strengthening cybersecurity measures, and introducing responsibilities for senior management.

What organisations does NIS2 apply to?

The basic aim of the NIS regime is to protect critical national infrastructure from cyber-attacks. In part to reflect the impact of technology on our lives, NIS2 expands on the services covered.

Broadly, NIS2 applies to businesses and organisations (both public and private) that the EU categorises as satisfying the conditions for being essential or important.

  • Medium size or larger enterprises operating in sectors of high criticality or other critical sectors. Medium size enterprises employ 50 or more employees or have an annual turnover of over €10 million.
  • Entities of any size that provide PECNs (public electronic communications networks), PECSs (publicly available electronic communications services), trust services, and top-level domain name (tld) registries and domain name services that meet the national risk assessment.
  • Entities of any size that that are identified as critical entities under the Critical Entities Resilience Directive.
  • Entities of any size in a high criticality / other critical sector when they are the sole provider in a Member State of a service which is essential for the maintenance of critical society or economic activities, or where the disruption of the entity’s service could have a significant impact on public safety or public health.
  • Public administration entity of any size of high criticality / other critical sectors.

While not mandated by the Directive, Member States are allowed to extend the scope of this Directive to public administration entities at a local level, and to educational institutions.

As you will see below, the scope and application of NIS2 is complex, with different obligations required of different categories of in-scope entities, and organisations may benefit from specialist advice on how NIS2 applies to their business.

What are sectors of high criticality or other critical sectors?

Full details are listed in Annex I and II of the Directive. An overview of the industries is listed below:

Annex I

  • Energy (including electricity, oil and gas)
  • Transport (air, water, road, and rail)
  • Banking
  • Financial Markets infrastructure
  • Health
  • Drinking water
  • Waste water
  • Digital infrastructure
  • ICT service management
  • Public administration
  • Space

Annex II

  • Postal and courier services
  • Waste management
  • Chemicals
  • Food (production, processing and distribution)
  • Manufacturing
  • Digital providers
  • Research

What does it mean to be an essential or an important entity?

The idea behind separating organisations in this way is that essential entities will be more disruptive to the economy and to society if their services fail. Essential and important entities have the same cybersecurity management and reporting requirements but different supervisory and penalty regimes. All entities in scope that are not essential, are considered important.

Essential Entities:

  • Are of the type listed in Annex I (see list above); and are large entities, i.e.: employ 250 persons or more, or have an annual turnover of over €50 million, or have an annual balance sheet of more than €43 million; or
  • qualified trust service providers and top-level domain name registries as well as DNS service providers, regardless size; or
  • entities of any size that that are identified as critical entities under the Critical Entities Resilience Directive; or
  • providers of public electronic communications networks or of publicly available electronic communications services which are medium sized; or
  • public administration entities of a central government as defined by a Member State in accordance with national law; or
  • otherwise identified as essential by a Member State.

Do I have to register with someone in advance if my business is in the NIS regime?

Yes, it is likely that you will have to do so. Member states may require all in-scope entities to register themselves by 17 April 2025 and every two years thereafter. Guidelines from the European Commission on Article 3(4) states that Member States should be able to establish national mechanisms for entities to register themselves.

Digital infrastructure organisations (e.g.: tld name registries, entities providing domain name registration services, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, search engines, social networking platforms, and online marketplace providers) shall submit information to the competent authority by 17 January 2025, for the ENISA registry of entities:

  • name,
  • relevant sector, subsector and type of entity,
  • address of main establishment and other legal establishments, or address of its representative,
  • up to date contact details,
  • Member States where services are provided, and
  • IP ranges.

Should I keep training records when I do NIS training?

Yes. There are training obligations under NIS2. For example, under Article 20, members of the management body shall follow training to gain sufficient knowledge and skills to enable them to identify risks.  As such, it is always good practice to keep records of the relevant training undertaken.

How soon should I report an incident?

Essential and Important entities must notify any incident with significant impact on their services to a competent authority or CSIRT (Computer Security Incident Response Team) without undue delay.

NIS2 provides multi-stage, tiered reporting deadlines:

  1. Within 24 hours of becoming aware of the incident: early warning
  2. Within 72 hours of becoming aware, an incident notification which includes an update on the early warning and an assessment of the incident
  3. Upon a request from a CSIRT or competent authority, an intermediate report with relevant status updates
  4. Within 1 month of the incident notification, a final, detailed report.

Who regulates NIS2?

At a national level, Members States must select one or more designated competent authorities with supervisory and enforcement powers.

Member States are requited to designate a SPOC (single point of contact) to act as liaison for cross-border cooperation with competent authorities of other Member States, the Commission, and ENISA (the European Union Agency for Cybersecurity). A competent authority can also be a SPOC as well.

Member States are also required to designate one or more CSIRTs, which are responsible for issues including but not limited to incident handling, peer reviews, co-ordination of vulnerability disclosures, and collecting and analysing forensic data.

As mentioned above, governments also have obligations under NIS2.

Each Member State must adopt a national cyber security strategy, notify it to the European Commission within three months of its adoption, and review it every five years. This strategy must also include a list of prescribed policies, including but not limited to cybersecurity in the supply chain, management of vulnerabilities, and cyber resilience for SMEs.

At the EU Level, NIS2 re-establishes the Cooperation Group, which will be responsible for amongst other things, carrying out co-ordinated risk assessments.  

What are the potential penalties?

Essential entities

Supervisory powers of competent authorities include:

  • The power to perform on and off-site inspections, including random checks,
  • Regular and targeted audits, as well as ad hoc audits,
  • Security scans and security audits,
  • Requests for information and access to data and documents,

Penalties can include:

  • Warnings and binding instructions regarding non-compliance, time limits and reporting requirements for implementing corrective measures,
  • Ordering cease and desists of infringing conducts,
  • Ordering entities to inform service recipients (both natural and legal persons) of significant cyber threats and of possible protective or remedial measures,
  • Ordering entities to make certain aspects of infringements public,
  • Setting deadlines for remedial actions and temporarily request suspension of a certification or authorisation (this does not apply to public administrations),
  • Administrative fines of €10 million or 2% of total worldwide annual turnover of the undertaking to which the entity belongs, whichever amount is higher.

Important Entities

Enforcement powers here are limited to ex-post supervisory measures only, and there is a lower maximum limit on administrative fines:

  • Administrative fines of €7 million, or 1.4% of total worldwide annual turnover of the undertaking to which the entity belongs, whichever is higher.

Could anyone be personally liable?

Yes. In fact, this is one of the most significant changes introduced in NIS2 compared to NIS1. Under NIS2, Member State authorities have the power to hold natural persons liable for breach of their duties to ensure compliance with NIS2, these natural persons being senior members of staff and members of management bodies. In certain circumstances, the competent authority could request the imposition of a temporary ban against a person at CEO or legal representative level in discharging managerial responsibilities.

Does NIS2 have extra-territorial reach?

Yes. This Directive has extra territorial scope. A wide range of technology providers (wider than those in NIS1) such as cloud service computing providers, online market places, managed service providers and social network platforms, are subject to some NIS2 requirements if they provide services to a Member State, even if they are not established in a Member State.

Regarding ENISA registered entities (see the question on “Do I have to register with someone in advance if my business is in the NIS regime?”), if the entity is not established in the UK but offer services within the EU, they need to designate a representative in the EU. Without a designated EU representative, any Member State within which the entity provides services will be able to take legal action against the entity for non-compliance.

What about the UK?

The UK had transposed NIS1 into national law via the NIS Regulations. However, following Brexit, the UK is not required to do the same with NIS2. Currently there are still some concerns that too much divergence between the two systems can be unnecessarily complicated for many organisations. Some UK entities with customers in the EU are subject to NIS2, and managing compliance with multiple cybersecurity regulatory regimes will be burdensome.

The UK government will be separately updating its cybersecurity legislation. A public consultation on proposed measures to improve cyber resilience was launched in January 2022, and the outcome of that published in November 2022. More recently the Kings Speech from July 2024 announced the new Cyber Security and Resilience Bill to modernise the existing UK regime. Our current view is that the EU’s approach entails a wider scope and more onerous obligations compared to the UK’s more flexible approach, however the current UK proposals are still rather high level, and we await more details.

What are the recommended next steps?

Some practical tips to keep in mind:

  1. Work out the services you offer & likely NIS2 impact
  2. Look at your processes & procedures: most organisations now have a data breach reporting procedure to meet GDPR reporting deadlines. NIS2 reporting obligations have tighter time limits, be wider in nature, and be to different regulators. Make sure that your procedures reflect this. While doing this review, you may also want to review any additional reporting requirements e.g.: those under DORA, or the EU AI Act.
  3. Train your people (this is mandatory for members of the management body)
  4. Look at your response team
  5. Rehearse incidents: our experience shows us that organisations which regularly rehearse cybersecurity incidents handle them more effectively
  6. Look at & amend supplier contracts
  7. Look at TOMs
  8. Tell the board & audit committee about any increased liability, make sure you have people on the board who understand NIS2 and cybersecurity risk more generally
  9. Update your risk register
  10. Consider the impact of personal liability provisions

How can Punter Southall Law help?

For most organisations, the first step would be to build a bespoke Action Plan with key action points. We have extensive experience in helping clients establish or update their cybersecurity strategies.

Punter Southall Law can help you with:

  • Conducting compliance gap analyses, especially as you may have certain frameworks set up under NIS1.
  • Drafting internal policies and procedures in consideration of other cybersecurity and ICT related regulations, such as DORA.
  • Assisting and advising you on appointing any authorised representative as needed, and where they should be established.
  • Training employees on new responsibilities.
  • Board level briefings.
  • Supporting you should a cyberattack or incident occur and helping you with crisis management.

As seen above, the scope and application of NIS2 is complex.

We can assist in you on issues such as:  

  • If you supply ICT services, how your key clients might be affected and what services you can offer.
  • Your NIS2 obligations when decision making powers are based outside of the EU.
  • Your NIS2 obligations when you offer different services in different member states.
  • Whether any specific jurisdictional rules apply to you when you offer services in the digital sector.

Visit Governance & Compliance to learn more about our services, or Contact Us to arrange a consultation.

Jonathan Armstrong Lawyer

Jonathan Armstrong

Partner

Jonathan is an experienced lawyer based in London with a concentration on compliance & technology.  He is also a Professor at Fordham Law School teaching a new post-graduate course on international compliance.

Jonathan’s professional practice includes advising multinational companies on risk and compliance across Europe.  Jonathan gives legal and compliance advice to household name corporations on:

  • Prevention (e.g. putting in place policies and procedures);
  • Training (including state of the art video learning); and
  • Cure (such as internal investigations and dealing with regulatory authorities).

Jonathan has handled legal matters in more than 60 countries covering a wide range of compliance issues.  He made one of the first GDPR data breach reports on behalf of a lawyer who had compromised sensitive personal data and he has been particularly active in advising clients on their response to GDPR.  He has conducted a wide range of investigations of various shapes and sizes (some as a result of whistleblowers), worked on data breaches (including major ransomware attacks), a request to appear before a UK Parliamentary enquiry, UK Bribery Act 2010, slavery, ESG & supply chain issues, helped businesses move sales online or enter new markets and managed ethics & compliance code implementation.  Clients include Fortune 250 organisations & household names in manufacturing, technology, healthcare, luxury goods, automotive, construction & financial services.  Jonathan is also regarded as an acknowledged expert in AI and he currently serves on the New York State Bar Association’s AI Task Force looking at the impact of AI on law and regulation.  Jonathan also sits on the Law Society AI Group.

Jonathan is a co-author of LexisNexis’ definitive work on technology law, “Managing Risk: Technology & Communications”.  He is a frequent broadcaster for the BBC and appeared on BBC News 24 as the studio guest on the Walport Review.  He is also a regular contributor to the Everything Compliance & Life with GDPR podcasts.  In addition to being a lawyer, Jonathan is a Fellow of The Chartered Institute of Marketing.  He has spoken at conferences in the US, Japan, Canada, China, Brazil, Singapore, Vietnam, Mexico, the Middle East & across Europe.

Jonathan qualified as a lawyer in the UK in 1991 and has focused on technology and risk and governance matters for more than 25 years.  He is regarded as a leading expert in compliance matters.  Jonathan has been selected as one of the Thomson Reuters stand-out lawyers for 2024 – an honour bestowed on him every year since the survey began.  In April 2017 Thomson Reuters listed Jonathan as the 6th most influential figure in risk, compliance and fintech in the UK.  In 2016 Jonathan was ranked as the 14th most influential figure in data security worldwide by Onalytica.  In 2019 Jonathan was the recipient of a Security Serious Unsung Heroes Award for his work in Information Security.  Jonathan is listed as a Super Lawyer and has been listed in Legal Experts from 2002 to date. 

Jonathan is the former trustee of a children’s music charity and the longstanding Co-Chair of the New York State Bar Association’s Rapid Response Taskforce which has led the response to world events in a number of countries including Afghanistan, France, Pakistan, Poland & Ukraine.

Some of Jonathan’s recent projects (including projects he worked on prior to joining Punter Southall) are:

  • Helping a global healthcare organisation with its data strategy.  The work included data breach similuations and assessments for its global response team.
  • Helping a leading tech hardware, software and services business on its data protection strategy.
  • Leading an AI risk awareness session with one of the world’s largest tech businesses.
  • Looking at AI and connected vehicle related risk with a major vehicle manufacturer.
  • Helping a leading global fashion brand with compliance issues for their European operations.
  • Helping a global energy company on their compliance issues in Europe including dealing with a number of data security issues.
  • Working with one of the world’s largest chemical companies on their data protection program. The work involved managing a global program of audit, risk reduction and training to improve global-privacy, data-protection and data-security compliance.
  • Advising a French multinational on the launch of a new technology offering in 37 countries and coordinating the local advice in each.
  • Advising a well-known retailer on product safety and reputation issues.
  • Advising an international energy company in implementing whistleblower helplines across Europe.
  • Advising a number of Fortune 100 corporations on strategies and programs to comply with the UK Bribery Act 2010.
  • Advising of Financial Services Business on their cyber security strategy.  This included preparing a data breach plan and assistance in connection with a data breach response simulation.
  • Advising a U.S.-based engineering company on its entry into the United Kingdom, including compliance issues across the enterprise. Areas covered in our representation include structure, health and safety, employment, immigration and contract templates.
  • Assisting an industry body on submissions to the European Commission (the executive function of the EU) and UK government on next-generation technology laws. Jonathan’s submissions included detailed analysis of existing law and proposals on data privacy, cookies, behavioural advertising, information security, cloud computing, e-commerce, distance selling and social media.
  • Helping a leading pharmaceutical company formulate its social media strategy.
  • Served as counsel to a UK listed retailer and fashion group, in its acquisition of one of the world’s leading lingerie retailers.
  • Advising a leading U.S. retailer on its proposed entry into Europe, including advice on likely issues in eight countries.
  • Working with a leading UK retailer on its proposed expansion into the United States, including advice on online selling, advertising strategy and marketing.
  • Dealing with data export issues with respect to ediscovery in ongoing court and arbitration proceedings.
  • Advising a dual-listed entity on an FCPA investigation in Europe.
  • Acting for a U.S.-listed pharmaceutical company in connection with a fraud investigation of its Europe subsidiaries.
  • Acting for a well-known sporting-goods manufacturer on setting up its mobile commerce offerings in Europe.
  • Comprehensive data protection/privacy projects for a number of significant U.S. corporations, including advice on Safe Harbor Privacy Shield and DPF.
  • Risk analysis for an innovative software application.
  • Assisting a major U.S. corporation on its response to one of the first reported data breaches.
  • Work on the launch of an innovative new online game for an established board game manufacturer in more than 15 countries.
  • Advice on the setting up of Peoplesoft and other online HR programs in Europe, including data protection and Works Council issues.
  • Advising a leading fashion retailer in its blogging strategy.
  • Advising one of the world’s largest media companies on its data-retention strategy.
  • Advising a multinational software company on the marketing, development and positioning of its products in Europe.

Related Insights