NIS 2 Directive: reinforcing cyber security across the EU

September 2024  |  SPECIAL REPORT: DIGITAL TRANSFORMATION

Financier Worldwide Magazine

September 2024 Issue


Ensuring a high level of cyber security across the European Union (EU) has been a key goal of the European strategic vision, with numerous legal initiatives adopted in recent years.

These include the Cyber Solidarity Act (strengthening capacities in the EU to detect, prepare for and respond to significant and large-scale cyber security threats and attacks), the Cyber Resilience Act (safeguarding consumers and businesses buying or using products or software with a digital component) and the Digital Operational Resilience Act (reinforcing the cyber security level of financial entities such as banks, insurance companies and investment firms).

In 2016, the Network and Information Security Directive (NIS 1 Directive) established the foundations for a cross-cutting approach to cyber security law, raising the level of cyber security across the EU. However, the fast-paced evolution of cyber threats, the growing complexity of digital infrastructures and the fragmentation of member states’ laws following local transposition of the text required an adaptation of the regulatory framework to these new challenges, leading to the adoption of Directive 2022/2555 of 14 December 2022 (NIS 2 Directive).

The 2016 NIS 1 Directive was a pioneering step in the establishment of European cyber security law. Despite its fundamental role, the directive had certain limitations, such as variable levels of implementation across member states and sectors, leading to uneven cyber security resilience across the EU.

Yet the frequency and sophistication of cyber attacks have increased dramatically, targeting critical sectors such as healthcare, finance and energy, which are essential to national security and the functioning of societies. Moreover, fast-changing technologies and the sophistication of the techniques used by cyber criminals have expanded the scope of cyber attacks, making it necessary to extend the scope of the cyber security enforcement framework introduced in 2016.

In addition, the fragmented implementation of the NIS 1 Directive has highlighted the need for a more uniform approach to cyber security across the EU, ensuring that all member states adhere to the same high standards.

Therefore, the main goal of the NIS 2 Directive is to improve the security and resilience level of information systems across the EU. This involves broadening the scope of the NIS 1 Directive to cover a wider range of sectors and services, including medium-sized and large entities that play a crucial role in the economy and society.

The NIS 2 Directive also aims to enforce higher security standards on entities under its scope. Another key objective is to improve cooperation and information-sharing mechanisms between member states. The directive emphasises the importance of a collaborative approach to cyber security, recognising that cyber threats often transcend national borders. Enhanced cooperation ensures a more coordinated and effective response to cyber incidents, reducing their impact and mitigating risks.

Scope of application of the NIS 2 Directive

A broader range of sectors. One of the most significant changes introduced by the NIS 2 Directive is the extension of the scope initially set out by the NIS 1 Directive. By its expanded scope, the NIS 2 Directive ensures that more entities adopt robust cyber security measures, thereby raising the overall level of cyber security in the EU.

The new provisions apply to companies that provide services in a high criticality sector (annex I) or in other critical sectors (annex II), and that: (i) are medium-sized, employing fewer than 250 persons and having an annual turnover not exceeding €50m or an annual balance sheet total not exceeding €43m; (ii) exceed the ceilings for medium-sized companies; or (iii) regardless of their size, fulfil certain criteria (e.g., where the entity is the sole provider of a service essential to the maintenance of critical societal and economic activities in a member state, or where disruption of the service provided could have a significant impact on national security or could induce a significant systemic risk).

It is worth highlighting that the text now covers 18 different critical or highly critical sectors, whereas the NIS 1 Directive only covered 10, thus integrating new sectors such as social networking platforms, telecommunications, data centres, space or public administration and authorities.

An extraterritorial scope. From a territorial point of view, the NIS 2 Directive will apply to companies that provide their services or carry out their activities within the EU. In this respect, the text has an extraterritorial reach as companies within the scope of the directive will be considered as falling under the jurisdiction of the member state in which they are established.

Exceptions apply to certain service providers, which will be considered as falling within the jurisdiction of the member state: (i) in which they provide their services (e.g., providers of public electronic communications networks); (ii) in which they have their main establishment in the Union (e.g., DNS service providers, providers of online marketplaces or social networking services platforms); or (iii) which established them (e.g., public administration entities).

The introduction of a proportionality principle. Under the NIS 2 Directive, in-scope companies will be classified into two categories: essential entities and important entities, to ensure a balance between cyber security requirements and the administrative burden that compliance monitoring entails for these entities. The directive in turn creates two different supervisory and enforcement regimes for these categories with essential entities being subject to more stringent obligations. By 17 April 2025, each member state will have to establish a list of these essential and important entities (as well as entities providing domain name registration services), according to the criteria provided for by the directive.

The NIS 2 Directive also provides useful guidance on how the directive applies to a group of companies. To avoid a situation in which a company is caught only because it is linked to another company that is considered an essential or important entity, while it would not itself be considered as such, the directive allows member states to find that an entity does not qualify as essential or important where that entity is independent from its partner or linked company, either in terms of the network and information systems it uses to provide its services or in terms of the services it provides.

Reinforced cyber security and cooperation obligations

The NIS 2 Directive introduces several key obligations designed to strengthen the EU’s cyber security framework, as outlined below.

Strengthening national crisis management capabilities. The directive aims to ensure that member states have the institutional and organisational capabilities to manage cyber security incidents and crises. As such, member states will have to adopt a national cyber security strategy and designate authorities for the supervision and enforcement of the directive, as well as one or more computer security incident response teams (CSIRTs). A CSIRT coordinator will also be designated and will cooperate at the national, European and international level within the newly created cooperation group and the European cyber crisis liaison organisation network.

Adoption of risk management measures. The directive requires that essential and important entities adopt cyber security risk management measures that must be approved by their managing bodies, which must oversee their implementation and may be held liable in the event of failure to do so. These measures must guarantee the cyber resilience of these entities (i.e., their ability to protect themselves, and respond to and recover from a cyber incident). In order to demonstrate compliance with such requirements, the directive provides that member states can require entities to use particular information and communication technologies products certified under the Cybersecurity Act (2019/881).

Detailed incident reporting procedures. Most significantly, in the case of a “significant incident”, entities must provide an early warning to the competent authority or CSIRT within 24 hours of becoming aware of it, followed by a notification of the incident to the competent authority within 72 hours and a final report within one month of the incident. This ensures a prompt, coordinated response to cyber attacks, minimising their impact and enabling well-timed mitigation efforts.

It is to be noted that the obligation to report is aimed at “significant incidents”, meaning those which cause or are likely to cause serious disruption to services or financial losses for the entity concerned, but also those which affect or are likely to affect third parties by causing material, physical or moral damage.

The adoption of measures covering the entire supply chain. Similar to the General Data Protection Regulation (GDPR) regime under which processors must ensure that any sub-processors engaged comply with data protection obligations, even if they are not themselves subject to the GDPR, the directive specifies that these risk management measures must cover supply chains, and therefore suppliers, which may not fall within the scope of the directive. To determine these measures, entities must focus on the specific vulnerabilities of each supplier and the overall quality of the cyber security practices of their suppliers and service providers. The aim is to ensure that the level of security is maintained throughout the entities’ supply chain.

Training and awareness-raising. The directive also introduces obligations relating to cyber security training and awareness. For instance, it requires that management bodies of essential and important entities are provided specialised cyber security training. In addition, security measures must include training to enable employees to understand and assess cyber security risks and their impact on the organisation.

Penalties, enforcement and application date

To ensure compliance, the NIS 2 Directive introduces a more robust supervisory framework. Competent authorities are empowered to carry out audits and inspections, request information and impose fines in the event of non-compliance. The directive provides that member states can impose dissuasive penalties for non-compliance with certain provisions of up to €10m for essential entities and €7m for important entities, or 2 percent for essential entities and 1.4 percent for important entities of the total worldwide annual turnover in the preceding financial year of the undertaking to which the entity belongs, whichever is higher.

It is specified that in the event of an infringement giving rise to a personal data breach, cumulation with the administrative fine likely to be imposed under the GDPR is excluded when arising from the same conduct, although enforcement measures pursuant to the directive may be imposed in addition to the GDPR fine.

Member states have the obligation to transpose the directive into local law by 17 October 2024, and these measures will apply from 18 October 2024, which is also the day on which the NIS 1 Directive will be repealed.

In the meantime, companies must anticipate the implementation of the NIS 2 Directive’s principles: identify whether they are within the scope of the directive, assess the security measures, processes and governance already in place in order to draft a roadmap detailing the main steps to be completed to ensure full compliance, identify key cyber security service providers and progressively implement key measures.


Ahmed Baladi is a partner at Gibson, Dunn & Crutcher LLP. He can be contacted on +33 (1) 5643 1300 or by email: abaladi@gibsondunn.com.

© Financier Worldwide
