NIS2 Directive published – New cybersecurity obligations for many companies

The NIS2 Directive has just been published on the Official Gazette of the European Union, introducing a host of new cybersecurity obligations for a wide range of companies in an effort to ramp up defenses against potential cyber attacks.

Building on the foundations of the NIS1 Directive, which currently requires companies within its scope to implement adequate and proportionate measures for managing cyber risks and minimizing the impact of any security incidents, the NIS2 Directive aims to clarify and strengthen these obligations, and expand the number of companies required to comply.

Here’s a closer look at the key measures introduced by the NIS2 Directive.

1.  Broad scope for the approved NIS2 Directive

The main change introduced by the NIS2 Directive is its scope.  In addition to applying to the sectors initially covered by the NIS1 Directive (e.g., the energy sector, telecommunications, transportation, banking and financial markets, health care, etc.), the new regulatory provisions are also applicable to a range of companies not previously included, such as those providing, among others,

• digital services, such as cloud computing platforms, data centers, content delivery network providers, electronic communication services, and electronic communication network services;
• healthcare services, such as-among others-pharmaceutical companies, medical device manufacturers, and healthcare providers; and even
• food production, processing, and distribution services, including large-scale retail companies.

The new rules also introduce guidance on the size of companies.  Thus, companies in the sectors mentioned above that are medium and large in size fall within the scope of the NIS2 Directive, but small, and micro enterprises could also be included if they operate in key sectors for society and, regardless of size, providers of, among others, electronic communication services and electronic communication networks.

However, the elements of discretion that were left to individual states in the NIS2 Directive in determining category membership have been limited.  Companies must submit information to the states to assess membership in the scope of recipients of obligations under the NIS2 Directive.  A distinction is made between “essential” companies providing services considered essential and “important” companies if they are brought within the scope of the directive, even if they do not offer an essential service.

2.  More detailed and stringent cybersecurity obligations with the NIS2 Directive

The NIS2 Directive requires Member States to ensure that companies within its scope must “take appropriate and proportionate technical, operational and organizational measures to manage the security risks to the network and information systems these entities use for their operations or for the provision of their services and to prevent or minimize the impact of incidents on the recipients of their services and other services.”

According to the Directive, these technical, operational, and organizational measures must include at least the following:

1. policies on risk analysis and information systems security;
2. incident management systems;
3. business continuity systems, such as backup management and disaster recovery, and crisis management;
4. supply chain security management measures;
5. security in the acquisition, development, and maintenance of networks and information systems, including vulnerability management and disclosure;
6. policies and procedures for evaluating the effectiveness of cybersecurity risk management measures;
7. basic cyber hygiene practices [i.e., basic rules for ensuring cybersecurity] and cybersecurity training;
8. policies and procedures regarding the use of encryption and, where appropriate, cryptographic encryption;
9. measures on human resource security, access control policies, and asset management; and
10. the use of multi-factor authentication [i.e., multi-factor authentication] or continuous authentication solutions; secure voice, video, and text communications; and secure emergency communications systems within the entity, where appropriate.

So there is a general principle of adequacy of measures to be taken.  Still, the Member States must further specify obligations, and the directive already provides a somewhat detailed list of minimum measures.

In addition, the directive stipulates that the analysis of the adequacy of security measures should also take into account the measures taken by the suppliers of the companies covered by the NIS2 Directive.  This issue is already significant at present for companies that are suppliers to companies within the national security perimeter because cybersecurity obligations indirectly extend to them as well.

In any case, within 21 months of the entry into force of the Directive [i.e., by the implementation deadline], the European Commission must define the technical and methodological requirements applicable to the measures to be taken by providers of cloud computing services, data centers, online market places, search engines, and social networks, among others.

3.  Reporting requirements for cyber attacks under the NIS2 Directive

The NIS1 Directive had already introduced stringent notification obligations to the relevant authorities stringent notification obligations to the relevant authorities in the case of cyber incidents impacting service continuity and delivery.  The NIS2 Directive stipulates an obligation to notify the CSIRT and the competent authorities, without delay, of any incident that may have a significant impact on service provision.  In addition, it stipulates that – when appropriate – notification must also take place for the benefit of the service impacted by the cyber attack, including indicating the measures those recipients can take to respond to the attack.

The notification term is further specified by the directive, which refers to 24 hours after knowledge for sending an “early warning” that must be followed by notification of a detailed analysis of the incident within 72 hours after knowledge.

These terms align with the recent reform of the Italian cyber security legislation.

4.  The authority to which providers of essential services are subject

The NIS2 Directive provides for the application of the principle of establishment.  Thus, companies are subject to the jurisdiction of the authorities of the Member State in which they are established.  However, there are exceptions applicable, among others, in the case of providers of

• communications and electronic network services that are subject to the jurisdiction of the country where the recipients of their services are located; and
• certain online services that are subject to the jurisdiction of the EU country where their main establishment is located.

The NIS2 Directive provides minimum investigative powers for local authorities to assess the adequacy of measures taken by companies providing essential services.

If a company fails to comply with its obligations under the NIS2 Directive, member states must ensure that such companies take, without delay, all appropriate and proportionate corrective action.

However, the directive already provides, among others,

• the obligation for Member States to establish the possibility of suspending the company’s business activities and imposing specific prohibitions; and
• the application of fines of up to € 10 million or 2 percent of the previous year’s global turnover in the case of essential companies, and fines of up to € 7 million or 1.7 percent of global turnover in the case of important companies.

If a cyber incident has also resulted in a data breach under the GDPR from which a sanction under the European Privacy Regulation has resulted, the administrative sanctions under the directive do not apply.  Indeed, it is important to remember that the NIS2 Directive applies even in the case of incidents that did not result in a data breach.

5.  Timeframe for the implementation of the NIS2 Directive

The NIS2 Directive has now been published on the Official Gazette of the European Union and Member States have time up to October 17, 2024 and the implementing rules will become effective from October 18, 2024.  At that point, the rules will become binding on businesses, and the implementing rules of NIS1 will be repealed or, more likely, amended to comply with the new regulatory framework.

There still seems to be a long way to go.  However, given the level of detail involved in the obligations under the NIS2 Directive and the timeline for implementing the measures under the directive, companies need to adopt internal safeguards now, both technical and organizational, to protect themselves from possible cyber attacks as well as to be ready for the stringent requirements that the NIS2 Directive will impose on the relevant sectors.

In this context, it is relevant how assessing the adequacy of measures is not solely an assessment of technical suitability.  On the contrary, the directive lists several organizational measures and requires a legal assessment, even concerning technical measures.

The NIS2 Directive is part of a regulatory framework both at the local level with Italy’s national security perimeter legislation and the equivalent in other jurisdictions and, at the international level, with, among others, the NIS Directive, the European DORA Regulation, also just passed, and the Cyber Resilience Act introduces cybersecurity obligations far beyond the privacy compliance perimeter.  DLA Piper has conducted a comprehensive mapping of reporting obligations under both privacy and cybersecurity regulations applicable to any data to assist companies in the event of a cyberattack in identifying their obligations.

On a similar topic, the following articles may be of interest, “DORA Regulation published: how the cybersecurity of banks changes” and “What liability of directors for a cyber-attack against the company?“.