Cybersecurity continues to be an incredibly important topic for our society. Cyber-attacks and cyber incidents can cause great damage to businesses and organisations. They can hinder economic activity, undermine user confidence and, as a result, cause serious damage to the Union's economy. For this reason, the European Commission considers cybersecurity essential for the proper functioning of the internal market.
In view of the increasing digitalisation and the steady rise of cyber incidents, the EU legislator adopted the Network and Information Security Directive (NIS 1) in 2016. NIS 1 aimed to establish a high common level of cybersecurity in order to improve the functioning of the internal market. To this end, NIS 1 focuses, among other things, on improving cybersecurity (preventive) and cyber resilience (reactive).
Following the entry into force of NIS 1, the EU legislator continued to evaluate and revise the Directive over the years. The transposition of NIS 1 proved to be a challenge for various Member States. The European Commission concluded that there was no common understanding of the main threats and challenges, and that resilience was inconsistent across Member States.
This has now led to the Directive on measures for a high common level of cybersecurity across the EU (NIS 2), which was adopted on 14 December 2022.
NIS 2 introduces significant changes when compared to NIS 1. It requires Member States to adopt new provisions that will impose stricter cybersecurity obligations on more organisations and contains stricter supervisory and enforcement measures.
In this long read, we discuss the main differences between NIS 1 and NIS 2 and the implications thereof for businesses. We focus on four main areas: the broader scope of application, cybersecurity requirements, reporting obligations, and supervision and enforcement.
NIS 2 applies to a much larger group of entities compared to NIS 1, which primarily applied to operators of essential infrastructures such as energy providers or airports. Under NIS 2, harmonised rules are introduced for medium sized and large entities, categorized as either “important” or “essential”. New sectors and services that are now within scope include, among others, manufacturers of certain products and digital services. Both essential and important entities are subject to the same cybersecurity management and reporting requirements, but different supervisory and penalty regimes apply.
To give an overview, the sectors and sub-sectors in scope of NIS 2 are listed below. Several of them, such as ICT service management, public administration, postal and courier services, waste management, chemicals, food, manufacturing and social networking platforms, were not covered by NIS 1.
- Energy (electricity, including e.g. district heating and cooling; also oil, gas and hydrogen)
- Transport (air, rail, water, road)
- Financial market infrastructures
- Health (healthcare providers, EU reference laboratories, drug research and development, basic pharmaceutical products and preparations, medical devices considered critical during a public health emergency)
- Drinking water
- Waste water
- Digital infrastructure
- ICT service management (business-to-business)
- Public administration
- Postal and courier services
- Waste management
- Manufacture, production and distribution of chemicals
- Production, processing and distribution of food
- Manufacturing of medical devices; computer, electronic, and optical products; electrical equipment; machinery and equipment; motor vehicles, trailers, and semi-trailers; other transport equipment
- Digital providers (online marketplaces, online search engines, social networking services platforms)
NIS 2 allows Member States to go beyond the scope of the NIS 2, or to specify certain types of entities. Member States could for example decide that the requirements under NIS 2 would also apply to public administrations at local level. It will therefore remain important to monitor the scope of application of the transposition of NIS 2 in national legislation.
Cybersecurity requirements, management accountability and supply chain due diligence
NIS 2 contains more comprehensive and explicit cybersecurity requirements than NIS 1. First, NIS 2 directly addresses the management bodies of the entities in scope with new governance and accountability obligations. Such management bodies must approve the cybersecurity risk-management measures taken, oversee their implementation and can be held liable if the entity fails to comply with its security obligations. In addition, NIS 2 requires members of the management bodies to follow training in order to gain sufficient knowledge and skills to identify risks and assess cybersecurity risk-management practices and their impact on the services provided by the entity.
Second, NIS 2 also sets out a minimum of appropriate technical and organisational measures that the entities in scope need to implement. To this end, NIS 2 contains key measures that all essential and important entities must take in order to manage cybersecurity risks when providing their services. These include, for example, policies on risk analysis and information system security; incident handling; business continuity, such as backup management and disaster recovery, and crisis management; basic cyber hygiene practices and cybersecurity training; policies and procedures regarding the use of cryptography and, where appropriate, encryption; and the use of multi-factor or continuous authentication.
Finally, NIS 2 requires entities to address cybersecurity risks within their supply chain, including the security of their relationships with direct suppliers and service providers. Entities in scope are required to take into account the vulnerabilities specific to each supplier and the overall quality of the supplier's cybersecurity practices. In practice, this provision therefore indirectly extends the reach of NIS 2 to organisations that are outside its direct scope.
NIS 2 expands the existing reporting obligations under NIS 1. Any "significant incident" must be reported to the Member State's computer security incident response team ("CSIRT") or, where applicable, the competent supervisory authority. An incident is significant if it has caused or is capable of causing severe operational disruption of the entity's services or financial loss for the entity, or if it has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage.
Entities will have to (i) submit an early warning to the CSIRT or the competent authority within 24 hours of becoming aware of the significant incident, (ii) submit an incident notification within 72 hours of becoming aware, updating the early warning and providing an initial assessment of the severity and impact and, where available, indicators of compromise, and (iii) submit a final report no later than one month after the incident notification, with a detailed description of the incident, the type of threat or root cause, the mitigation measures applied and any cross-border impact.
Notably, NIS 2 goes further than NIS 1 by also requiring entities, where appropriate, to notify the recipients of their services of significant incidents that are likely to adversely affect the provision of those services. Entities in scope can therefore no longer keep significant incidents from their affected customers and must be transparent towards them. This mirrors the existing obligation under the General Data Protection Regulation ("GDPR") for data controllers to inform data subjects of certain personal data breaches. In the case of a significant cyber threat, entities must in addition inform the recipients of their services of any measures or remedies that those recipients are able to take in response to the threat.
Supervision and enforcement
NIS 2 also contains stricter and more extensive provisions relating to monitoring and enforcement. It further introduces a fining mechanism that has become more apparent in European legislation since the GDPR and can also be found in the recent Digital Markets Act and the Digital Services Act.
Member States must ensure that competent authorities effectively supervise and take the measures necessary to ensure compliance. To do so, supervisory authorities must, for example, be empowered to conduct on-site inspections and targeted security audits, to request information, to access data and to request evidence of the implementation of cybersecurity policies. Where enforcement measures prove ineffective, supervisory authorities can, in the case of essential entities, take follow-up measures, including the temporary suspension of a certification or authorisation and, through the relevant bodies or courts, a temporary prohibition for the CEO or legal representative to exercise managerial functions in that entity.
Supervisory authorities must be able to impose effective, proportionate and dissuasive measures. This includes administrative fines of up to EUR 10 million or 2% of the total worldwide annual turnover, whichever is higher, for essential entities, and up to EUR 7 million or 1.4% of the total worldwide annual turnover, whichever is higher, for important entities.
Under NIS 2, more entities are required to take cybersecurity measures. Moreover, NIS 2 puts more responsibilities on management bodies, with explicit provisions on governance and liability. It further introduces more extensive reporting obligations, which may even require an increased level of transparency towards customers. Finally, NIS 2 aims to ensure compliance through, among other things, greater enforcement powers for national supervisory authorities and the possibility of substantial fines for entities. These aspects should result in a high common level of cybersecurity that improves the functioning of the internal market.
NIS 2 undoubtedly represents an important step in the EU's digital strategy. By expanding the scope, tightening security requirements and extending enforcement powers, the EU is showing that cybersecurity is a high priority. A joint approach is necessary to raise the common level of cybersecurity in the EU. In doing so, NIS 2 clearly shifts responsibility for cybersecurity upwards towards the boardroom.
Member States now have until 17 October 2024 to transpose NIS 2 into national legislation. While this may seem plenty of time for the job at hand, lessons should be learned from the difficult transposition of NIS 1 in the past. Entities in scope of NIS 2 therefore equally have time to prepare. Yet it is better to be safe than sorry: examine the consequences for your organisation in due time.