By Tim Rollins
Drafted in 2021, the revised Directive on security of network and information systems (also known as NIS2) has been agreed to in principle by the European Council and the European Parliament. In a press release on May 13, 2022, the Council states that these new measures will promote a higher level of cybersecurity across the EU and will “further improve the resilience and incident response capacities of both the public and private sector and the EU as a whole.”
NIS2 replaces the existing directive, adopted in 2016, which was the first piece of EU-wide legislation on cybersecurity. While it aimed to achieve a high level of cybersecurity across EU Member States, its implementation was difficult, resulting in fragmented and largely insufficient security levels. Since cyberattacks have only increased since then, NIS2 raises standards, provides stronger oversight, and gives greater powers for enforcement.
NIS2 defines minimum rules for a regulatory framework, as well as mechanisms to enhance collaboration between authorities in member states. It updates both the sectors and activities governed by cybersecurity obligations and provides remedies and sanctions to ensure compliance by regulated entities. To facilitate adoption and collaboration, it establishes a committee to support the coordinated management of large-scale cybersecurity incidents.
Who It Applies To
NIS2 sets obligations for organizations in essential fields, such as energy, transportation, health, digital infrastructure, public administration, and the space sector. It will catch manufacturers of certain products considered critical, including medical devices, computer, electronic, and optical products, certain equipment and machinery, and vehicles and transport equipment. It will also extend to postal services, waste management, food production and processing, and further digital services such as public electronic communications services, data center services, CDNs, and social networking services.
Unlike under the preceding standards, member states do not have sole authority to determine which entities are governed by the regulations. Rather, a size-cap rule means that medium- to large-sized organizations operating in these fields must comply. The directive does not apply to entities carrying out activities in areas such as defense or national security, public security, law enforcement, the judiciary, parliaments, or central banks.
What It Covers
The requirements include tougher obligations regarding security risk management measures, with specific focus on supply chain cybersecurity, encryption and vulnerability disclosure, and incident response and reporting, among other provisions. Stronger obligations will apply to "essential" entities than to "important" entities.
Member states have 21 months from adoption to incorporate the requirements of NIS2 into their national laws. The Parliament's and Commission's proposal is that authorities can impose administrative fines.
Expert Analysis from Nick Graham, Partner, Global Co-Chair, Privacy and Cybersecurity Group, Dentons
NIS2 reflects a general trend: the UK previously tightened its similar requirements, and proposes yet greater expansion. NIS2 will catch more organisations, in many more sectors. Accordingly, given the risk of potentially high fines and the relatively short timescale (perhaps 2 years after official publication), organisations should, as soon as possible, start work to:
- Verify whether they are in scope, as what type of entity and where (in some cases "one stop shop" applies, allowing supervision by one Member State's authorities rather than all Member States).
- Update their systems and processes to enable compliance with NIS2's security and incident reporting obligations, e.g. incident reporting within 24 hours.
- Check and address any possible overlaps with sector-specific security-related laws (e.g., the EU Digital Operational Resilience Act for financial services), despite NIS2 being intended to align with sectoral laws, and similarly with any non-EU laws applicable to the organisation.
Data Privacy Tip
Link your data management engine with multiple privacy, legal and business regulatory obligations to substantiate your decisions based on rich, contextual data insights.