The EU's NIS2 Directive

What’s this all about?

NIS2 is about cybersecurity.

The NIS2 Directive entered into force on 16 January 2023. The deadline for Member States to transpose this into national law is 17 October 2024. NIS2 measures will apply to businesses from 19 October 2024.

This Directive means more responsibilities for both governments and businesses.

What is the NIS2 Directive?

NIS2 stands for the Network and Information Security 2 Directive. NIS2’s full name is Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148.

The first NIS Directive (NIS1) was introduced in 2016 and transposed into national law in 2018. It was the first EU law on cybersecurity and aimed to increase cyber resilience in Member States. Unfortunately, the implementation was largely considered inconsistent and too varied between Member States.

In response, NIS2 seeks to rectify the main areas of inconsistency and provide more specific and defined requirements and applications, while also expanding the scope of the Directive, strengthening cybersecurity measures, and introducing responsibilities for senior management.

What organisations does NIS2 apply to?

The basic aim of the NIS regime is to protect critical national infrastructure from cyber-attacks. In part to reflect the impact of technology on our lives, NIS2 expands on the services covered.

Broadly, NIS2 applies to businesses and organisations (both public and private) that the EU categorises as satisfying the conditions for being essential or important.

  • Medium size or larger enterprises operating in sectors of high criticality or other critical sectors. Medium size enterprises employ 50 or more employees or have an annual turnover of over €10 million.
  • Entities of any size that provide PECNs (public electronic communications networks), PECSs (publicly available electronic communications services), trust services, top-level domain (TLD) name registries, or DNS services, where they meet the criteria of the national risk assessment.
  • Entities of any size that are identified as critical entities under the Critical Entities Resilience Directive.
  • Entities of any size in a sector of high criticality or other critical sector where they are the sole provider in a Member State of a service which is essential for the maintenance of critical societal or economic activities, or where the disruption of the entity’s service could have a significant impact on public safety or public health.
  • Public administration entities of any size in sectors of high criticality or other critical sectors.

While not mandated by the Directive, Member States are allowed to extend the scope of this Directive to public administration entities at a local level, and to educational institutions.

As you will see below, the scope and application of NIS2 is complex, with different obligations required of different categories of in-scope entities, and organisations may benefit from specialist advice.

What are sectors of high criticality or other critical sectors?

Full details are listed in Annex I and II of the Directive. An overview of the industries is listed below:

Annex I

  • Energy (including electricity, oil and gas)
  • Transport (air, water, road, and rail)
  • Banking
  • Financial market infrastructure
  • Health
  • Drinking water
  • Waste water
  • Digital infrastructure
  • ICT service management
  • Public administration
  • Space

Annex II

  • Postal and courier services
  • Waste management
  • Chemicals
  • Food (production, processing and distribution)
  • Manufacturing
  • Digital providers
  • Research

What does it mean to be an essential or an important entity?

The idea behind separating organisations in this way is that essential entities will be more disruptive to the economy and to society if their services fail. Essential and important entities have the same cybersecurity management and reporting requirements but different supervisory and penalty regimes. All entities in scope that are not essential are considered important.

Essential Entities:

  • are of a type listed in Annex I (see list above) and are large entities, i.e. employ 250 persons or more, or have an annual turnover of over €50 million, or have an annual balance sheet of more than €43 million; or
  • are qualified trust service providers, top-level domain name registries or DNS service providers, regardless of size; or
  • are entities of any size that are identified as critical entities under the Critical Entities Resilience Directive; or
  • are medium-sized providers of public electronic communications networks or of publicly available electronic communications services; or
  • are public administration entities of a central government as defined by a Member State in accordance with national law; or
  • are otherwise identified as essential by a Member State.

How soon should I report an incident?

Essential and important entities must notify any incident with a significant impact on their services to a competent authority or CSIRT (Computer Security Incident Response Team) without undue delay.

NIS2 provides multi-stage, tiered reporting deadlines:

  1. Within 24 hours of becoming aware of the incident: an early warning.
  2. Within 72 hours of becoming aware of the incident: an incident notification, which updates the early warning and includes an initial assessment of the incident.
  3. Upon request from a CSIRT or competent authority: an intermediate report with relevant status updates.
  4. Within 1 month of the incident notification: a final, detailed report.

Who regulates NIS2?

At national level, Member States must give one or more designated competent authorities supervisory and enforcement powers.

Member States will also designate a SPOC (single point of contact) to act as liaison for cross-border cooperation with the competent authorities of other Member States, the Commission, and ENISA (the European Union Agency for Network and Information Security). A competent authority can also act as the SPOC.

Member States will also designate one or more CSIRTs (Computer Security Incident Response Teams), which will be responsible for issues including, but not limited to, incident handling, peer reviews, coordination of vulnerability disclosures, and collecting and analysing forensic data.

As mentioned above, governments also have obligations under NIS2.

Each Member State must adopt a national cybersecurity strategy, notify it to the Commission within three months of its adoption, and review it every five years. This strategy must also include a list of prescribed policies, including, but not limited to, cybersecurity in the supply chain, management of vulnerabilities, and cyber resilience for SMEs.

At EU level, NIS2 re-establishes the Cooperation Group, which will be responsible for, amongst other things, carrying out coordinated risk assessments.

What are the potential penalties?

Essential entities

Supervisory powers of competent authorities include:

  • The power to perform on-site and off-site inspections, including random checks
  • Regular and targeted audits, as well as ad hoc audits
  • Security scans and security audits
  • Requests for information and access to data and documents

Penalties can include:

  • Warnings and binding instructions regarding non-compliance, with time limits and reporting requirements for implementing corrective measures
  • Ordering the cessation of infringing conduct
  • Ordering entities to inform service recipients (both natural and legal persons) of significant cyber threats and of possible protective or remedial measures
  • Ordering entities to make certain aspects of infringements public
  • Setting deadlines for remedial actions and temporarily requesting suspension of a certification or authorisation (this does not apply to public administrations)
  • Administrative fines of up to €10 million or 2% of the total worldwide annual turnover of the undertaking to which the entity belongs, whichever amount is higher

Important Entities

Enforcement powers here are limited to ex-post supervisory measures only, and there is a lower maximum limit on administrative fines:

  • Administrative fines of up to €7 million or 1.4% of the total worldwide annual turnover of the undertaking to which the entity belongs, whichever amount is higher.

Could anyone be personally liable?

Yes. In fact, this is one of the most significant changes introduced in NIS2 compared to NIS1. Member State authorities will have the power to hold natural persons liable for breaching their duties to ensure compliance with NIS2; these natural persons are senior members of staff and members of management bodies. In certain circumstances, the competent authority can request the imposition of a temporary ban on a person at CEO or legal representative level from discharging managerial responsibilities.

Does NIS2 have extra-territorial reach?

Yes. This Directive has extra-territorial scope. A wide range of technology providers (wider than those in NIS1), such as cloud computing service providers, online marketplaces, managed service providers and social networking platforms, will be subject to some NIS2 requirements if they provide services in a Member State, even if they are not established in a Member State.

What about the UK?

The UK transposed NIS1 into national law via the NIS Regulations. However, following Brexit, the UK is not required to do the same with NIS2. There are concerns that too much divergence between the two systems will be unnecessarily complicated for many organisations, especially given the extra-territorial reach described above: certain UK entities with customers in the EU will be subject to NIS2, and managing compliance with multiple cybersecurity regulatory regimes will be burdensome.

The UK government will be separately updating its cybersecurity legislation. A public consultation on proposed measures to improve cyber resilience was launched in January 2022, and the outcome was published in November 2022. More recently, the King’s Speech of July 2024 announced the new Cyber Security and Resilience Bill to modernise the existing UK regime. The current impression is that the EU’s approach entails a wider scope and more onerous obligations compared to the UK’s more flexible approach; however, the current UK proposals are still rather high level, and we await more details.

What are the recommended next steps?

Some practical tips to keep in mind:

  1. Work out the services you offer and the likely NIS2 impact.
  2. Look at your processes and procedures: most organisations now have a data breach reporting procedure to meet GDPR reporting deadlines. NIS2 reporting obligations have tighter time limits, are wider in nature (they cover significant incidents, not only personal data breaches), and may be owed to different regulators. Make sure that your procedures reflect this. While doing this review, you may also want to review any additional reporting requirements, e.g. those under DORA or the EU AI Act.
  3. Train your people (this is mandatory for members of the management body).
  4. Look at your response team.
  5. Rehearse incidents: our experience shows that organisations which regularly rehearse cybersecurity incidents handle them more effectively.
  6. Look at and amend supplier contracts.
  7. Look at your TOMs (technical and organisational measures).
  8. Tell the board and audit committee about any increased liability, and make sure you have people on the board who understand NIS2 and cybersecurity risk more generally.
  9. Update your risk register.
  10. Consider the impact of the personal liability provisions.

Jonathan Armstrong

Partner

Jonathan is an experienced lawyer based in London with a concentration on compliance & technology.  He is also a Professor at Fordham Law School teaching a new post-graduate course on international compliance.

Jonathan’s professional practice includes advising multinational companies on risk and compliance across Europe.  Jonathan gives legal and compliance advice to household name corporations on:

  • Prevention (e.g. putting in place policies and procedures);
  • Training (including state of the art video learning); and
  • Cure (such as internal investigations and dealing with regulatory authorities).

Jonathan has handled legal matters in more than 60 countries covering a wide range of compliance issues.  He made one of the first GDPR data breach reports on behalf of a lawyer who had compromised sensitive personal data and he has been particularly active in advising clients on their response to GDPR.  He has conducted a wide range of investigations of various shapes and sizes (some as a result of whistleblowers), worked on data breaches (including major ransomware attacks), a request to appear before a UK Parliamentary enquiry, UK Bribery Act 2010, slavery, ESG & supply chain issues, helped businesses move sales online or enter new markets and managed ethics & compliance code implementation.  Clients include Fortune 250 organisations & household names in manufacturing, technology, healthcare, luxury goods, automotive, construction & financial services.  Jonathan is also regarded as an acknowledged expert in AI and he currently serves on the New York State Bar Association’s AI Task Force looking at the impact of AI on law and regulation.  Jonathan also sits on the Law Society AI Group.

Jonathan is a co-author of LexisNexis’ definitive work on technology law, “Managing Risk: Technology & Communications”.  He is a frequent broadcaster for the BBC and appeared on BBC News 24 as the studio guest on the Walport Review.  He is also a regular contributor to the Everything Compliance & Life with GDPR podcasts.  In addition to being a lawyer, Jonathan is a Fellow of The Chartered Institute of Marketing.  He has spoken at conferences in the US, Japan, Canada, China, Brazil, Singapore, Vietnam, Mexico, the Middle East & across Europe.

Jonathan qualified as a lawyer in the UK in 1991 and has focused on technology and risk and governance matters for more than 25 years.  He is regarded as a leading expert in compliance matters.  Jonathan has been selected as one of the Thomson Reuters stand-out lawyers for 2024 – an honour bestowed on him every year since the survey began.  In April 2017 Thomson Reuters listed Jonathan as the 6th most influential figure in risk, compliance and fintech in the UK.  In 2016 Jonathan was ranked as the 14th most influential figure in data security worldwide by Onalytica.  In 2019 Jonathan was the recipient of a Security Serious Unsung Heroes Award for his work in Information Security.  Jonathan is listed as a Super Lawyer and has been listed in Legal Experts from 2002 to date. 

Jonathan is the former trustee of a children’s music charity and the longstanding Co-Chair of the New York State Bar Association’s Rapid Response Taskforce which has led the response to world events in a number of countries including Afghanistan, France, Pakistan, Poland & Ukraine.

Some of Jonathan’s recent projects (including projects he worked on prior to joining Punter Southall) are:

  • Helping a global healthcare organisation with its data strategy.  The work included data breach simulations and assessments for its global response team.
  • Helping a leading tech hardware, software and services business on its data protection strategy.
  • Leading an AI risk awareness session with one of the world’s largest tech businesses.
  • Looking at AI and connected vehicle related risk with a major vehicle manufacturer.
  • Helping a leading global fashion brand with compliance issues for their European operations.
  • Helping a global energy company on their compliance issues in Europe including dealing with a number of data security issues.
  • Working with one of the world’s largest chemical companies on their data protection program. The work involved managing a global program of audit, risk reduction and training to improve global-privacy, data-protection and data-security compliance.
  • Advising a French multinational on the launch of a new technology offering in 37 countries and coordinating the local advice in each.
  • Advising a well-known retailer on product safety and reputation issues.
  • Advising an international energy company in implementing whistleblower helplines across Europe.
  • Advising a number of Fortune 100 corporations on strategies and programs to comply with the UK Bribery Act 2010.
  • Advising a financial services business on its cyber security strategy.  This included preparing a data breach plan and assistance in connection with a data breach response simulation.
  • Advising a U.S.-based engineering company on its entry into the United Kingdom, including compliance issues across the enterprise. Areas covered in our representation include structure, health and safety, employment, immigration and contract templates.
  • Assisting an industry body on submissions to the European Commission (the executive function of the EU) and UK government on next-generation technology laws. Jonathan’s submissions included detailed analysis of existing law and proposals on data privacy, cookies, behavioural advertising, information security, cloud computing, e-commerce, distance selling and social media.
  • Helping a leading pharmaceutical company formulate its social media strategy.
  • Served as counsel to a UK listed retailer and fashion group, in its acquisition of one of the world’s leading lingerie retailers.
  • Advising a leading U.S. retailer on its proposed entry into Europe, including advice on likely issues in eight countries.
  • Working with a leading UK retailer on its proposed expansion into the United States, including advice on online selling, advertising strategy and marketing.
  • Dealing with data export issues with respect to ediscovery in ongoing court and arbitration proceedings.
  • Advising a dual-listed entity on an FCPA investigation in Europe.
  • Acting for a U.S.-listed pharmaceutical company in connection with a fraud investigation of its Europe subsidiaries.
  • Acting for a well-known sporting-goods manufacturer on setting up its mobile commerce offerings in Europe.
  • Comprehensive data protection/privacy projects for a number of significant U.S. corporations, including advice on Safe Harbor Privacy Shield and DPF.
  • Risk analysis for an innovative software application.
  • Assisting a major U.S. corporation on its response to one of the first reported data breaches.
  • Work on the launch of an innovative new online game for an established board game manufacturer in more than 15 countries.
  • Advice on the setting up of Peoplesoft and other online HR programs in Europe, including data protection and Works Council issues.
  • Advising a leading fashion retailer in its blogging strategy.
  • Advising one of the world’s largest media companies on its data-retention strategy.
  • Advising a multinational software company on the marketing, development and positioning of its products in Europe.
