What is the background to NIS2? (Network and Information Security 2)
The steady rise in cybersecurity incidents led the European Union (“EU”) to focus on industries and suppliers whose compromise would damage the critical infrastructure that societies depend on. Sectors such as energy, transport and finance were already the primary concern when the original NIS Directive was adopted in 2016.
NIS2 replaces the EU’s original NIS Directive and brings it into line with current cybersecurity practice. Member States must transpose NIS2 into national law by 17 October 2024, so in-scope organisations should plan to have its requirements in place by that date. It aims to further strengthen the resilience and incident response capabilities of critical private and public sectors by:
- Broadening the scope of the sectors covered by the Directive
- Introducing specific cybersecurity risk and incident management requirements
- Penalising organisations that fail to comply with its requirements
- Introducing accountability of C-Suite management for non-compliance with cybersecurity obligations
- Incorporating stricter and more prescriptive reporting requirements for cybersecurity incidents
- Attempting to further harmonise cybersecurity requirements and sanction regimes across EU Member States.
Are there penalties for failure to comply with NIS2?
NIS2 builds on the foundations laid by the original NIS Directive and replaces its case-by-case identification of operators with a size-based rule. An organisation operating in one of the listed sectors is in scope if it is at least a medium-sized enterprise (50 or more employees, or annual turnover or balance sheet above €10m). Large enterprises (250 or more employees, or annual turnover above €50m and a balance sheet above €43m) in the high-criticality sectors of Annex I are “essential” entities; medium-sized enterprises in those sectors, and medium and large enterprises in the other sectors of Annex II, are “important” entities. Member States may also designate certain smaller entities, such as sole providers of a service, regardless of size. Essential and important entities face the same obligations, but important entities are subject only to after-the-fact supervision and a lighter enforcement regime. Fines for failure to comply with the Directive shall be at least:
- up to €10m or 2% of total worldwide annual turnover for essential entities, whichever figure is higher; or
- up to €7m or 1.4% of total worldwide annual turnover for important entities, whichever figure is higher.
Management bodies must approve and oversee the cybersecurity risk-management measures and can be held personally liable for infringements of those obligations; for essential entities, individuals at chief executive or legal representative level can also be temporarily barred from exercising managerial functions.
Which organisations must be aware of NIS2?
Traditional sectors are covered - energy infrastructure, airports, railways, healthcare, water and banks. There is also a broader list including data centres, managed service providers, postal services, cloud providers, public electronic communications networks, food production, wastewater, waste management, chemical manufacturing, the space sector and others. NIS2 additionally covers public administration bodies at central and regional levels but excludes Parliaments and central banks.
What are an organisation’s responsibilities under NIS2?
Primary responsibilities under NIS2 will revolve around:
- Cybersecurity incident response and management
- Testing of cybersecurity controls
- Data protection through cybersecurity measures
- Incident reporting practices
- Vulnerability management and disclosure parameters.
Businesses well beyond the listed sectors will feel the effects of the legislation, because in-scope entities must address supply chain security, including the vulnerabilities specific to each direct supplier and service provider. In practice, the quality of the products used and the cybersecurity practices of suppliers and service providers will be scrutinised by their in-scope customers.
New incident reporting rules will also apply. A “significant” incident is one that “has caused or is capable of causing severe operational disruption of the services or financial loss for the entity concerned … or has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage.” Such incidents must be notified to the national computer security incident response team (CSIRT) or the competent NIS authority designated by each EU Member State.
A staged approach to incident notification is provided for:
- An early warning, indicating whether the incident is suspected of having been caused by unlawful or malicious acts or could have a cross-border impact, must be submitted without undue delay and in any event within 24 hours of becoming aware of the incident
- An incident notification must be submitted without undue delay and in any event within 72 hours of becoming aware of the incident, updating the early warning and giving an initial assessment of the incident, including its severity and impact and, where available, indicators of compromise
- A final report must be submitted no later than one month after the incident notification, describing the incident, its severity and impact, the likely root cause and the mitigation measures applied; the regulator may also request intermediate status updates in the meantime.
How will the NIS2 legislation relate to UK based organisations?
The EU and the UK are both amending their laws around network and information security to strengthen security against cyber risks in an increased range of sectors. The UK Government confirmed on 30 November 2022 their intention to update the NIS regulations to improve the UK’s cyber resilience by:
- Bringing managed service providers (MSPs) into scope of the regulations to keep digital supply chains secure
- Improving cyber incident reporting to regulators
- Establishing a cost recovery system for enforcing current NIS regulations
- Giving the government the power to amend the NIS regulations in future to ensure they remain effective
- Enabling the UK Information Commissioner to take a more risk-based approach to regulating digital services.
It is expected that there will be broad alignment between NIS2 and the eventual UK legislation, but UK officials have signalled that the two regimes will diverge in places. One example is the proposal to extend UK incident reporting duties to incidents that do not directly affect the continuity of the service but still pose a significant risk to the security and resilience of the entity in question.
For UK entities that do not directly fall within the eventual scope of NIS2, the application of NIS2 to the entity’s supply chains may mean that an organisation finds itself indirectly impacted by the legislation in a way which is almost as significant as being directly in scope. This will apply to organisations in the UK who may not provide services within the EU but are part of the supply chain of businesses who do.
What steps can be taken by organisations?
With the deadline of 17 October 2024 less than a year away, organisations should start by considering the following steps:
- Understand your regulatory landscape - determine whether your organisation is within the scope of NIS2 and, if so, whether it will be treated as an essential or an important entity
- Assess your ability to comply with NIS2 - review your organisation’s current level of compliance with the NIS2 measures, establish a baseline and use it to prioritise the work needed to close the gaps
- Test your incident response processes and the human element of your resilience - everyone from C-Suite executives to third parties should understand their responsibilities so that the organisation can recover safely and quickly from an incident. Internal cooperation is critical to responding efficiently, so exercises should rehearse the 24-hour, 72-hour and one-month reporting stages under NIS2 and make clear the penalties the organisation could face
- Develop a cyber threat and vulnerability management programme - regular vulnerability scanning and manual penetration tests should be conducted by certified cybersecurity professionals on your organisation’s key systems, and the volume and criticality of the findings should be shared appropriately across the organisation to build a culture of awareness and accountability
- Create comprehensive internal risk management policies and procedures - these will need input from a range of functions including, but not limited to, IT, cybersecurity, privacy, corporate legal, compliance and finance
- Update your existing cyber insurance policy - if your organisation holds a cyber insurance policy, discuss the implications of NIS2 for that policy with your insurer. If you do not hold a global cyber insurance policy, consider acquiring one that is attuned to the NIS2 measures.
Considerations for multi-national organisations with EU entities in their group of companies
Article 26 of NIS2 provides that entities within scope fall under the jurisdiction of the Member State in which they are established, with the exception of certain digital providers (such as DNS and cloud computing service providers, data centre service providers, managed service providers and online marketplaces), which fall under the jurisdiction of the Member State of their main establishment in the EU. EU entities of multi-national organisations are therefore likely to be governed by NIS2 and will need to demonstrate compliance with it.
In addition to the points mentioned above (‘What steps can be taken by organisations?’), fines are calculated on the total worldwide annual turnover of the undertaking to which the essential or important entity belongs, so a fine imposed on an EU subsidiary is sized by reference to the whole group, including a parent company based outside the EU. It is sensible for the parent company to weigh the financial risk posed by such fines and to take early steps to ensure the group as a whole will be compliant with NIS2.
Other considerations include the obligation on those digital providers to designate a representative in the EU if they offer services in the EU without being established there. Finally, consider an analysis of the additional IT and cybersecurity costs that may arise in achieving compliance with NIS2.
How 3CS can help
Our corporate and commercial lawyers have distinguished domestic and international expertise in cybersecurity and data privacy matters and offer an extensive range of cybersecurity legal services. For further information on matters connected to NIS2 and how they may affect your organisation, or for help with any cybersecurity legal matter please get in touch with your usual 3CS contact.